
Cross-language dependency age analyzer — scan lock files for staleness, CVEs, and update urgency

Project description


dep-age

Cross-language dependency age analyzer — scan lock files & manifests for staleness, CVEs, and update urgency.


One command to answer: "How old and risky are my dependencies?"


Features

  • 6 ecosystems: npm · pip · gem · go · cargo · composer
  • Lock files + manifests: scans both resolved lock files and project manifests (package.json, pyproject.toml, Cargo.toml, go.mod, composer.json)
  • Async parallel registry lookups with local caching
  • CVE checking via OSV.dev API
  • Age classification: Fresh / Aging / Stale
  • Urgency scoring: None → Critical
  • Health score: 0–100
  • Multiple outputs: Rich terminal, JSON, Markdown, CSV, SVG badge
  • CI gating: --max-age and --max-cves flags exit non-zero on violations

Installation

pip install dep-age

Quick Start

# Auto-detect lock files in current directory
dep-age scan

# Scan specific file
dep-age scan package-lock.json

# JSON output
dep-age scan --format json --output deps.json

# CI gating: fail if any dep > 2 years or has CVEs
dep-age scan --max-age "2 years" --max-cves 0

# Generate freshness badge
dep-age badge --output dep-badge.svg

CLI Reference

dep-age scan [PATH...] [OPTIONS]

Arguments:
  PATH    Lock file(s) or directory to scan (default: current directory)

Options:
  -f, --format TEXT     Output: terminal, json, markdown, csv
  -o, --output TEXT     Write output to file
  --outdated            Show only outdated dependencies
  --cves-only           Show only dependencies with CVEs
  --older-than TEXT     Filter by age (e.g. "1 year", "6 months")
  --max-age TEXT        CI gate: exit 1 if any dep exceeds this age
  --max-cves INT        CI gate: exit 1 if total CVEs exceed this
  --ignore TEXT         Comma-separated packages to skip
  --offline             Use cached data only, no network requests
  -V, --version         Show version

Supported Files

Ecosystem   Lock files                                    Manifest / config
npm         package-lock.json, yarn.lock, pnpm-lock.yaml  package.json
Python      requirements.txt, Pipfile.lock, poetry.lock   pyproject.toml
Ruby        Gemfile.lock
Go          go.sum                                        go.mod
Rust        Cargo.lock                                    Cargo.toml
PHP         composer.lock                                 composer.json
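The following is an added illustration, not dep-age's own parser or its OSV client, of the two halves of "scan lock files, then check CVEs via OSV.dev": small parsers for exact pins in requirements.txt and for the packages map of an npm lockfileVersion 2/3 package-lock.json, plus the request body and response shape of the OSV.dev batch endpoint (POST https://api.osv.dev/v1/querybatch). Every package name, version and advisory id below is a constructed placeholder; no real project or vulnerability is implied, and the "response" is hard-coded so the script runs offline.

```python
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Dep:
    ecosystem: str  # OSV.dev ecosystem name: "PyPI", "npm", "Go", "crates.io", "RubyGems", "Packagist"
    name: str
    version: str


# Constructed sample inputs (placeholder package names, not real projects).
REQUIREMENTS_TXT = """\
# pinned by pip-compile (constructed)
acme-http==2.3.1
acme-yaml[cli]==5.0
acme-web>=2.0          # a range has no single version to age or query: skipped
-r base.txt
"""

PACKAGE_LOCK_JSON = json.dumps({
    "name": "app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "version": "1.0.0"},  # the root project itself, not a dependency
        "node_modules/acme-lodash": {"version": "4.17.20"},
        "node_modules/acme-lodash/node_modules/acme-ms": {"version": "2.1.3"},  # nested copy
    },
})

_PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*==\s*([^\s;]+)")


def parse_requirements_txt(text: str) -> list[Dep]:
    """Keep only exact '==' pins; anything else is not a resolved version."""
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment, or an option such as -r / --hash
            continue
        if m := _PIN.match(line):
            deps.append(Dep("PyPI", m.group(1).lower(), m.group(2)))
    return deps


def parse_package_lock(text: str) -> list[Dep]:
    """lockfileVersion 2/3: every resolved package is a key under "packages", named by its path."""
    deps = []
    for path, info in json.loads(text).get("packages", {}).items():
        if path == "" or "version" not in info:
            continue
        name = path.rsplit("node_modules/", 1)[-1]  # strip the (possibly nested) install path
        deps.append(Dep("npm", name, info["version"]))
    return deps


def osv_querybatch_payload(deps: list[Dep]) -> dict:
    """Body for POST https://api.osv.dev/v1/querybatch; one query per (ecosystem, name, version)."""
    return {"queries": [{"package": {"name": d.name, "ecosystem": d.ecosystem},
                         "version": d.version} for d in deps]}


def count_vulns(deps: list[Dep], response: dict) -> dict[Dep, int]:
    """querybatch answers in query order; a result without "vulns" means nothing known."""
    results = response["results"]
    if len(results) != len(deps):
        raise ValueError("OSV returned a result count that does not match the query count")
    return {d: len(r.get("vulns", [])) for d, r in zip(deps, results)}


def demo() -> dict[str, int]:
    deps = parse_requirements_txt(REQUIREMENTS_TXT) + parse_package_lock(PACKAGE_LOCK_JSON)
    payload = osv_querybatch_payload(deps)
    assert len(payload["queries"]) == 4
    # What the endpoint would answer for those queries, constructed here so the demo is offline.
    # Advisory ids are placeholders, not real OSV/GHSA/CVE identifiers.
    fake_response = {"results": [
        {"vulns": [{"id": "EXAMPLE-0001"}]},                          # acme-http 2.3.1
        {},                                                            # acme-yaml 5.0
        {"vulns": [{"id": "EXAMPLE-0002"}, {"id": "EXAMPLE-0003"}]},  # acme-lodash 4.17.20
        {},                                                            # acme-ms 2.1.3
    ]}
    return {d.name: n for d, n in count_vulns(deps, fake_response).items()}


if __name__ == "__main__":
    print(demo())
```

Two points the parsers make explicit: a version range in a manifest has no single release to age or to query, so only resolved pins give a meaningful answer, and the OSV batch response carries no package names of its own, so the caller must keep query order and refuse a response whose length does not match.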

What it shows

Below is a scan of this repository. Note that the run found only pyproject.toml, a manifest rather than a resolved lock file, so the Current column reflects the constraints declared there (2.8, 6.0, 13.0, ...) rather than the versions actually installed; point it at a resolved lock file to age what you really ship.

$ dep-age scan .                                        
Found 1 lock file(s): pyproject.toml
Parsed 12 dependencies
╭───────────────────────────────────────╮
│ 📦 dep-age · Dependency Health Report │
│ dep-age  ·  Score: 57/100             │
│ 1 ecosystem(s)  ·  12 dependencies    │
╰───────────────────────────────────────╯

                            pip — 12 deps                            
┏━━━━━━━━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━┳━━━━━━━━┳━━━━━━┳━━━━━━━━━┓
┃ Package         ┃ Current ┃ Latest      ┃ Age    ┃ CVEs ┃ Urgency ┃
┡━━━━━━━━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━╇━━━━━━━━╇━━━━━━╇━━━━━━━━━┩
│ python-dateutil │ 2.8     │ 2.9.0.post0 │ 7y 2m  │ 0 ✅ │ HIGH    │
│ pyyaml          │ 6.0     │ 6.0.3       │ 4y 6m  │ 0 ✅ │ HIGH    │
│ tomli           │ 2.0     │ 2.4.1       │ 4y 4m  │ 0 ✅ │ HIGH    │
│ rich            │ 13.0    │ 15.0.0      │ 3y 3m  │ 0 ✅ │ HIGH    │
│ typer           │ 0.9     │ 0.24.1      │ 2y 11m │ 0 ✅ │ HIGH    │
│ pytest-asyncio  │ 0.23    │ 1.3.0       │ 2y 4m  │ 0 ✅ │ HIGH    │
│ httpx           │ 0.27    │ 0.28.1      │ 2y 2m  │ 0 ✅ │ HIGH    │
│ respx           │ 0.21    │ 0.23.1      │ 2y 1m  │ 0 ✅ │ HIGH    │
│ pytest-cov      │ 5.0     │ 7.1.0       │ 2y     │ 0 ✅ │ HIGH    │
│ ruff            │ 0.4     │ 0.15.11     │ 2y     │ 0 ✅ │ HIGH    │
│ diskcache       │ 5.6.3   │ 5.6.3       │ 2y 7m  │ 1 🟡 │ MEDIUM  │
│ pytest          │ 8.3     │ 9.0.3       │ 1y 9m  │ 1 🟡 │ MEDIUM  │
└─────────────────┴─────────┴─────────────┴────────┴──────┴─────────┘

Summary:
  📊 Total: 12 deps across 1 ecosystem(s)
  🟢 Fresh (<6 months): 0 (0%)
  🟡 Aging (6m-2y): 1 (8%)
  🔴 Stale (>2 years): 11 (91%)
  🔒 CVEs found: 2 (0 critical, 2 moderate)

💡 Recommendations:
  1. UPDATE IMMEDIATELY: diskcache 5.6.3 → 5.6.3 (1 CVE(s))
  2. UPDATE IMMEDIATELY: pytest 8.3 → 9.0.3 (1 CVE(s))
  3. Plan update: 11 stale dependencies (>2 years old)

CI Integration

# GitHub Actions
- name: Dependency audit
  run: |
    pip install dep-age
    dep-age scan --max-age "2 years" --max-cves 0

Development

git clone https://github.com/dep-age/dep-age.git
cd dep-age
pip install -e ".[dev]"
ruff check src/ tests/
pytest --cov=dep_age --cov-fail-under=95

License

MIT


Download files

Download the file for your platform.

Source Distribution

dep_age-1.0.1.tar.gz (34.0 kB view details)


Built Distribution


dep_age-1.0.1-py3-none-any.whl (29.8 kB view details)


File details

Details for the file dep_age-1.0.1.tar.gz.

File metadata

  • Download URL: dep_age-1.0.1.tar.gz
  • Upload date:
  • Size: 34.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for dep_age-1.0.1.tar.gz
Algorithm Hash digest
SHA256 388821afe15010f0cfe8097d0389930429c2a9105b5bf5e034488d1c8cf65df5
MD5 09b4f69953097001121c924455e3e7b1
BLAKE2b-256 e7eaf9699348b2f84d19b1e641babba17ceccb9e9c02af6ef279e87ddd19953d


Provenance

The following attestation bundles were made for dep_age-1.0.1.tar.gz:

Publisher: release.yml on bhayanak/dep-age

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file dep_age-1.0.1-py3-none-any.whl.

File metadata

  • Download URL: dep_age-1.0.1-py3-none-any.whl
  • Upload date:
  • Size: 29.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for dep_age-1.0.1-py3-none-any.whl
Algorithm Hash digest
SHA256 0907765c2bf9563ef014e4117787eb3a4fb14a223aa28f8458101f3971d856a1
MD5 4e6795801f7b49675cb37029aba680c0
BLAKE2b-256 13fceb89b72092b275b51b3a9157f12cbc6aabe1dced13f18543e6d7effe8234

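Added example, not part of dep-age or of PyPI's tooling, of what to do with the digests listed for the sdist and the wheel above: recompute all three on a downloaded file (PyPI's "BLAKE2b-256" is BLAKE2b with a 32-byte digest), refuse to trust an MD5-only match, and turn the SHA-256 values into a hash-pinned requirement line for `pip install --require-hashes`. The two SHA-256 constants are copied from the file entries above; the file hashed in demo() is a constructed stand-in containing the bytes b"abc", not a real archive.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# SHA-256 digests as listed on this page for dep-age 1.0.1 (sdist and wheel).
SDIST_SHA256 = "388821afe15010f0cfe8097d0389930429c2a9105b5bf5e034488d1c8cf65df5"
WHEEL_SHA256 = "0907765c2bf9563ef014e4117787eb3a4fb14a223aa28f8458101f3971d856a1"


def pypi_digests(path: Path) -> dict[str, str]:
    """The three digests PyPI lists for a file; one pass over the bytes feeds all three."""
    hashers = {
        "sha256": hashlib.sha256(),
        "md5": hashlib.md5(),
        "blake2b_256": hashlib.blake2b(digest_size=32),  # what PyPI calls BLAKE2b-256
    }
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_download(path: Path, expected: dict[str, str]) -> bool:
    """True only if every supplied digest matches AND at least one is collision-resistant."""
    if not ({"sha256", "blake2b_256"} & expected.keys()):
        return False  # an MD5-only match proves nothing against a crafted substitute
    actual = pypi_digests(path)
    return all(hmac.compare_digest(actual[k], v.lower()) for k, v in expected.items())


def hash_pin_line(name: str, version: str, *sha256s: str) -> str:
    """requirements.txt line for `pip install --require-hashes`; pip accepts any one listed hash,
    so give both the sdist and the wheel digest when either artifact might be selected."""
    return f"{name}=={version} " + " ".join(f"--hash=sha256:{h}" for h in sha256s)


def demo() -> tuple[bool, bool, bool]:
    """Constructed file containing b'abc' (the classic SHA-256 test vector), not a real sdist."""
    with tempfile.TemporaryDirectory() as tmp:
        p = Path(tmp) / "fake_pkg-0.0.0.tar.gz"
        p.write_bytes(b"abc")
        good = verify_download(
            p, {"sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"})
        tampered = verify_download(p, {"sha256": "00" * 32})
        md5_only = verify_download(p, {"md5": "900150983cd24fb0d6963f7d28e17f72"})
    return good, tampered, md5_only


if __name__ == "__main__":
    print(demo())
    print(hash_pin_line("dep-age", "1.0.1", SDIST_SHA256, WHEEL_SHA256))
```

Once a requirements file carries a --hash for one package, pip's --require-hashes mode demands hashes for every package in the install, transitive dependencies included, so the pin line is the start of a fully hashed requirements file rather than a one-off.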

Provenance

The following attestation bundles were made for dep_age-1.0.1-py3-none-any.whl:

Publisher: release.yml on bhayanak/dep-age

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
