
Cross-language dependency age analyzer — scan lock files for staleness, CVEs, and update urgency

Project description


dep-age

Cross-language dependency age analyzer — scan lock files & manifests for staleness, CVEs, and update urgency.


One command to answer: "How old and risky are my dependencies?"


Features

  • 6 ecosystems: npm · pip · gem · go · cargo · composer
  • Lock files + manifests: scans both resolved lock files and project manifests (package.json, pyproject.toml, Cargo.toml, go.mod, composer.json)
  • Async parallel registry lookups with local caching
  • CVE checking via OSV.dev API
  • Age classification: Fresh / Aging / Stale
  • Urgency scoring: None → Critical
  • Health score: 0–100
  • Multiple outputs: Rich terminal, JSON, Markdown, CSV, SVG badge
  • CI gating: --max-age and --max-cves flags exit non-zero on violations

Installation

pip install dep-age

Quick Start

# Auto-detect lock files in current directory
dep-age scan

# Scan specific file
dep-age scan package-lock.json

# JSON output
dep-age scan --format json --output deps.json

# CI gating: fail if any dep > 2 years or has CVEs
dep-age scan --max-age "2 years" --max-cves 0

# Generate freshness badge
dep-age badge --output dep-badge.svg

CLI Reference

dep-age scan [PATH...] [OPTIONS]

Arguments:
  PATH    Lock file(s) or directory to scan (default: current directory)

Options:
  -f, --format TEXT     Output: terminal, json, markdown, csv
  -o, --output TEXT     Write output to file
  --outdated            Show only outdated dependencies
  --cves-only           Show only dependencies with CVEs
  --older-than TEXT     Filter by age (e.g. "1 year", "6 months")
  --max-age TEXT        CI gate: exit 1 if any dep exceeds this age
  --max-cves INT        CI gate: exit 1 if total CVEs exceed this
  --ignore TEXT         Comma-separated packages to skip
  --offline             Use cached data only, no network requests
  -V, --version         Show version

Supported Files

Ecosystem   Lock files                                      Manifest / Config
npm         package-lock.json, yarn.lock, pnpm-lock.yaml    package.json
Python      requirements.txt, Pipfile.lock, poetry.lock     pyproject.toml
Ruby        Gemfile.lock
Go          go.sum                                          go.mod
Rust        Cargo.lock                                      Cargo.toml
PHP         composer.lock                                   composer.json
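The CVE lookup in the feature list goes through OSV.dev. The following is an added example, not dep-age's own code, of the shape that lookup takes for the pip ecosystem: it extracts exact `==` pins from a requirements.txt, builds the request body for OSV's `/v1/querybatch` endpoint, and counts advisories per package from the response. The requirements text and the response are constructed inline so the example runs offline; the advisory ID in it is a placeholder, not a real vulnerability. The ecosystem name mapping uses the identifiers OSV publishes for each registry.

```python
"""Added example (not dep-age's code): pinned requirements -> OSV.dev batch query
-> per-package advisory counts, using a constructed response so it runs offline."""
import json
import re

# dep-age ecosystem names mapped to the identifiers OSV.dev uses in queries.
OSV_ECOSYSTEM = {
    "pip": "PyPI",
    "npm": "npm",
    "gem": "RubyGems",
    "go": "Go",
    "cargo": "crates.io",
    "composer": "Packagist",
}

# Matches "name==version"; comments, blanks and unpinned specs do not match.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")


def parse_requirements(text: str) -> list:
    """Return (name, version) pairs for exact pins only. Unpinned lines are
    skipped because OSV needs a concrete version to match against."""
    pins = []
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m:
            pins.append((m.group(1).lower(), m.group(2)))
    return pins


def build_querybatch(pins, ecosystem: str = "pip") -> dict:
    """Request body for POST https://api.osv.dev/v1/querybatch, one query per pin."""
    return {
        "queries": [
            {
                "package": {"name": name, "ecosystem": OSV_ECOSYSTEM[ecosystem]},
                "version": version,
            }
            for name, version in pins
        ]
    }


def count_vulns(pins, response: dict) -> dict:
    """OSV returns results[i] in the same order as queries[i]; a result without
    a 'vulns' key means no known advisory for that exact version."""
    results = response.get("results", [])
    if len(results) != len(pins):
        raise ValueError("OSV result count does not match query count")
    return {
        name: [v["id"] for v in result.get("vulns", [])]
        for (name, _), result in zip(pins, results)
    }


# Constructed input: one placeholder package with a placeholder advisory,
# plus httpx 0.28.1 from the report on this page (no advisories).
SAMPLE_REQUIREMENTS = """\
# pinned by pip freeze
examplepkg==1.0.0
httpx==0.28.1
pyyaml  # unpinned, skipped
"""
SAMPLE_RESPONSE = {
    "results": [
        {"vulns": [{"id": "GHSA-EXAMPLE-0001", "modified": "2024-01-01T00:00:00Z"}]},
        {},
    ]
}

if __name__ == "__main__":
    pins = parse_requirements(SAMPLE_REQUIREMENTS)
    print(json.dumps(build_querybatch(pins), indent=2))
    for name, ids in count_vulns(pins, SAMPLE_RESPONSE).items():
        print(f"{name}: {len(ids)} advisory/advisories {ids}")
```

The positional check in `count_vulns` matters in practice: OSV's batch response carries no package names, so a mismatch between query and result counts silently attributes advisories to the wrong package if it is not caught.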

What it shows

Below is a scan of the dep-age repo itself:

$ dep-age scan .
Found 1 lock file(s): pyproject.toml
Parsed 12 dependencies
╭───────────────────────────────────────╮
│ 📦 dep-age · Dependency Health Report │
│ dep-age  ·  Score: 87/100             │
│ 1 ecosystem(s)  ·  12 dependencies    │
╰───────────────────────────────────────╯

                             pip — 12 deps
┏━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━┳━━━━━━━━━━━━━┳━━━━━━━┳━━━━━━┳━━━━━━━━━┓
┃ Package         ┃ Current     ┃ Latest      ┃ Age   ┃ CVEs ┃ Urgency ┃
┡━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━╇━━━━━━━━━━━━━╇━━━━━━━╇━━━━━━╇━━━━━━━━━┩
│ diskcache       │ 5.6.3       │ 5.6.3       │ 2y 8m │ 1 🟡 │ MEDIUM  │
│ python-dateutil │ 2.9.0.post0 │ 2.9.0.post0 │ 2y 1m │ 0 ✅ │ MEDIUM  │
│ rich            │ 13.9.4      │ 15.0.0      │ 1y 5m │ 0 ✅ │ MEDIUM  │
│ httpx           │ 0.28.1      │ 0.28.1      │ 1y 4m │ 0 ✅ │ LOW     │
│ pyyaml          │ 6.0.3       │ 6.0.3       │ 7m    │ 0 ✅ │ LOW     │
│ pytest-cov      │ 7.1.0       │ 7.1.0       │ 1m    │ 0 ✅ │ NONE    │
│ tomli           │ 2.4.1       │ 2.4.1       │ 1m    │ 0 ✅ │ NONE    │
│ pytest-asyncio  │ 1.4.0a0     │ 1.3.0       │ 1m    │ 0 ✅ │ LOW     │
│ pytest          │ 9.0.3       │ 9.0.3       │ 19d   │ 0 ✅ │ NONE    │
│ respx           │ 0.23.1      │ 0.23.1      │ 18d   │ 0 ✅ │ NONE    │
│ ruff            │ 0.15.12     │ 0.15.12     │ 2d    │ 0 ✅ │ NONE    │
│ typer           │ 0.25.0      │ 0.25.0      │ 1d    │ 0 ✅ │ NONE    │
└─────────────────┴─────────────┴─────────────┴───────┴──────┴─────────┘

Summary:
  📊 Total: 12 deps across 1 ecosystem(s)
  🟢 Fresh (<6 months): 7 (58%)
  🟡 Aging (6m-2y): 3 (25%)
  🔴 Stale (>2 years): 2 (16%)
  🔒 CVEs found: 1 (0 critical, 1 moderate)

💡 Recommendations:
  1. UPDATE IMMEDIATELY: diskcache 5.6.3 → 5.6.3 (1 CVE(s))
  2. Plan update: 2 stale dependencies (>2 years old)

CI Integration

# GitHub Actions
- name: Dependency audit
  run: |
    pip install dep-age
    dep-age scan --max-age "2 years" --max-cves 0
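The CI gate above fails the job when any dependency is older than `--max-age` or the total CVE count exceeds `--max-cves`. The following is an added example, not dep-age's own implementation, of that gate together with the Fresh / Aging / Stale buckets the report's Summary uses (<6 months, 6m-2y, >2 years). The age-string parser, the `Dep` record and the sample release dates are assumptions constructed for the example; month and year lengths are approximated as 30 and 365 days, and the date used as "today" is fixed so the output is reproducible.

```python
"""Added example (not dep-age's code): parse an age such as "2 years", bucket
dependencies by age, and apply the --max-age / --max-cves CI gate."""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Approximate unit lengths; an assumption for this example.
DAYS_PER = {"day": 1, "week": 7, "month": 30, "year": 365}


def parse_age(spec: str) -> timedelta:
    """Turn '2 years', '6 months', '18d' or '2y' into a timedelta."""
    m = re.fullmatch(r"\s*(\d+)\s*([a-z]+)\s*", spec.lower())
    if not m:
        raise ValueError(f"unparseable age: {spec!r}")
    n, unit = int(m.group(1)), m.group(2).rstrip("s")
    unit = {"d": "day", "w": "week", "m": "month", "y": "year"}.get(unit, unit)
    if unit not in DAYS_PER:
        raise ValueError(f"unknown unit in {spec!r}")
    return timedelta(days=n * DAYS_PER[unit])


@dataclass
class Dep:
    name: str
    current: str
    latest: str
    released: date  # release date of the pinned (current) version
    cves: int


def classify(age: timedelta) -> str:
    """Buckets from the report's Summary: Fresh <6 months, Aging 6m-2y, Stale >2 years."""
    if age < timedelta(days=6 * 30):
        return "Fresh"
    if age <= timedelta(days=2 * 365):
        return "Aging"
    return "Stale"


def gate(deps: List[Dep], max_age: Optional[str], max_cves: Optional[int],
         today: date) -> Tuple[int, List[str]]:
    """Return (exit_code, reasons); exit 1 on any violation, as the CI flags do."""
    reasons = []
    limit = parse_age(max_age) if max_age else None
    total_cves = 0
    for d in deps:
        age = today - d.released
        total_cves += d.cves
        if limit is not None and age > limit:
            reasons.append(f"{d.name} {d.current} is {age.days}d old (> {max_age})")
    if max_cves is not None and total_cves > max_cves:
        reasons.append(f"{total_cves} CVE(s) found (> {max_cves})")
    return (1 if reasons else 0), reasons


# Constructed sample: names and versions from the report above, release dates
# and "today" chosen for the example, not taken from any registry.
TODAY = date(2026, 5, 1)
SAMPLE_DEPS = [
    Dep("diskcache", "5.6.3", "5.6.3", date(2023, 8, 31), cves=1),
    Dep("rich", "13.9.4", "15.0.0", date(2024, 11, 1), cves=0),
    Dep("typer", "0.25.0", "0.25.0", date(2026, 4, 30), cves=0),
]

if __name__ == "__main__":
    for d in SAMPLE_DEPS:
        print(f"{d.name:10} {classify(TODAY - d.released)}")
    code, reasons = gate(SAMPLE_DEPS, "2 years", 0, TODAY)
    for r in reasons:
        print("VIOLATION:", r)
    raise SystemExit(code)
```

Two details worth carrying into a real gate: the age is measured from the release date of the version actually pinned, not from the latest release (a two-year-old pin with a current `Latest` column is still two years of unreviewed drift), and `--max-cves` is a total across all ecosystems, so a single advisory anywhere trips a `--max-cves 0` gate, which is what the Quick Start invocation intends.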

Development

git clone https://github.com/dep-age/dep-age.git
cd dep-age
pip install -e ".[dev]"
ruff check src/ tests/
pytest --cov=dep_age --cov-fail-under=95

License

MIT

Download files

Source Distribution

dep_age-1.0.2.tar.gz (37.0 kB)

Uploaded Source

Built Distribution

dep_age-1.0.2-py3-none-any.whl (31.0 kB)

Uploaded Python 3

File details

Details for the file dep_age-1.0.2.tar.gz.

File metadata

  • Download URL: dep_age-1.0.2.tar.gz
  • Size: 37.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for dep_age-1.0.2.tar.gz
Algorithm Hash digest
SHA256 bc316fa41395b21eb8ac8bf52e7a9eca0a93a155f0366841bcc9c09e1e492e6c
MD5 f79e88555668453b3dfd366e3c7de918
BLAKE2b-256 b0003ceae71c4f4e162429ca57409372503beaaf734b616e2319825aa24edbb3


Provenance

The following attestation bundles were made for dep_age-1.0.2.tar.gz:

Publisher: release.yml on bhayanak/dep-age

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file dep_age-1.0.2-py3-none-any.whl.

File metadata

  • Download URL: dep_age-1.0.2-py3-none-any.whl
  • Size: 31.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for dep_age-1.0.2-py3-none-any.whl
Algorithm Hash digest
SHA256 8f3a5e98d7496ba850c2bb472e5a660eeb341fb32ce03459f1755ec0ee211bd0
MD5 9032bae073cf3e9c614595e1437e7190
BLAKE2b-256 5961d087f44cf68d2fa370133e616c7bed97647f1ff703a4631941c7630597fd


Provenance

The following attestation bundles were made for dep_age-1.0.2-py3-none-any.whl:

Publisher: release.yml on bhayanak/dep-age

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
