A dependency health checker for Python projects
Project description
depcheck
A dependency health checker for Python projects.
depcheck scans your Python project's dependencies and reports on their health — checking for outdated packages, known vulnerabilities (CVEs), unmaintained packages, yanked or removed packages, and license compliance.
Features
- 🔍 Multi-format support — scans
requirements.txt,pyproject.toml, andPipfile - 🛡️ Vulnerability scanning — checks packages against the OSV.dev database
- 📦 Outdated detection — compares installed versions against the latest on PyPI
- ⏰ Unmaintained detection — flags packages with no updates in over a year
- 🚫 Yanked/removed detection — identifies packages no longer available on PyPI
- 📋 SBOM export — generate Software Bills of Materials in CycloneDX and SPDX formats (
depcheck export) - ⚖️ License compliance — license classification with SPDX identifiers and compliance checking
- 🎨 Beautiful output — Rich-powered terminal tables with color-coded health status
- 🔄 Dependency diff — compare two requirement files or detect lockfile drift (
depcheck diff) - 📈 Outdated analysis — upgrade path tracking with semver classification, risk assessment, and changelog links (
depcheck outdated) - 🔗 Dependency chain tracing — find out why a package is in your project with
depcheck why <package> - 📊 Dependency graph — interactive HTML visualization with D3.js force-directed layout (
depcheck graph) - 🤖 CI/CD friendly — JSON output mode and configurable exit codes for automation
Installation
pip install depcheck
Usage
Scan the current directory
depcheck scan
Scan a specific project path
depcheck scan /path/to/my/project
JSON output for CI/CD pipelines
depcheck scan --json
Fail on vulnerabilities (useful in CI)
depcheck scan --fail-on vulnerable
Fail on any unhealthy package
depcheck scan --fail-on any
Fail on outdated packages
depcheck scan --fail-on outdated
Combine options
depcheck scan /path/to/project --json --fail-on vulnerable
License compliance checking
# Enable license scanning for all dependencies
depcheck scan --check-licenses
# Only allow permissive and public-domain licenses (flags copyleft/restricted as non-compliant)
depcheck scan --check-licenses --allow-license permissive --allow-license public_domain
# Deny specific licenses
depcheck scan --check-licenses --deny-license GPL-3.0 --deny-license AGPL-3.0
# Fail CI if any license issues found
depcheck scan --check-licenses --fail-on license
# Combine license options (specifying --allow-license or --deny-license enables checking automatically)
depcheck scan --allow-license permissive --deny-license GPL-3.0
Dependency graph visualization
# Generate an interactive HTML dependency graph
depcheck graph
# Specify output file and project path
depcheck graph /path/to/project -o deps.html
# Control tree depth and check licenses
depcheck graph --max-depth 5 --check-licenses
# Skip vulnerability checks for faster results
depcheck graph --no-vuln-check
The generated HTML file includes:
- D3.js force-directed graph with nodes colored by health status
- Click-to-inspect any node for version, license, and vulnerability details
- Search/filter packages by name
- Zoom and pan to navigate large dependency trees
- Export as SVG or PNG directly from the browser
Compare dependency files
depcheck diff requirements.old.txt requirements.new.txt
Outdated dependency analysis
# Check for outdated dependencies with upgrade path analysis
depcheck outdated
# Show pip upgrade commands grouped by risk level
depcheck outdated --show-commands
# JSON output for CI/CD
depcheck outdated --json
# Fail CI if major upgrades available (breaking changes)
depcheck outdated --fail-on major
# Fail on any outdated dependency
depcheck outdated --fail-on any
Compare as JSON (CI/CD)
depcheck diff --json requirements.old.txt requirements.new.txt
Detect lockfile drift
depcheck diff --drift requirements.txt requirements.lock
Fail on any change (CI gate)
depcheck diff --fail-on-change requirements.old.txt requirements.new.txt
Show traditional unified diff
depcheck diff --unified v1.txt v2.txt
Watch for dependency changes in real-time
# Monitor current directory for dependency file changes
depcheck watch
# Watch a specific project with custom debounce
depcheck watch /path/to/project --debounce 5
# CI guard: exit immediately if vulnerabilities detected
depcheck watch --exit-on-issue --fail-on vulnerable
# Watch with license compliance
depcheck watch --check-licenses --deny-license GPL-3.0
Generate an SBOM (Software Bill of Materials)
depcheck export --format cyclonedx
depcheck export --format spdx --output sbom.json
depcheck export --format summary
depcheck export --format cyclonedx --check-licenses --output bom.cdx.json
Export without vulnerability checks (faster)
depcheck export --format cyclonedx --no-vuln-check
Trace why a dependency exists
depcheck why urllib3
depcheck why certifi /path/to/project
depcheck why setuptools --json
depcheck why pillow --max-depth 6
depcheck why numpy --no-vuln-check
depcheck why resolves the full dependency graph and finds all paths from your direct dependencies to the target package — answering the common question: why is this package in my project?
Diff Change Types
| Change | Symbol | Meaning |
|---|---|---|
| Added | + |
Package exists only in the new file |
| Removed | - |
Package exists only in the old file |
| Upgraded | ↑ |
Pinned version increased |
| Downgraded | ↓ |
Pinned version decreased |
| Specifier changed | ~ |
Version specifier changed (e.g., >=2.0 → >=3.0) |
| Unpinned | ⚠ |
Went from pinned version to version range |
| Pinned | ✓ |
Went from version range to pinned version |
Health Status
Each package is assigned a health status with color-coded output:
| Status | Icon | Color | Meaning |
|---|---|---|---|
| Healthy | 🟢 | Green | Package is up-to-date with no known issues |
| Outdated | 🟡 | Yellow | A newer version is available on PyPI |
| Vulnerable | 🔴 | Red | Known CVEs exist for this package version |
| Unmaintained | 🟡 | Yellow | No release in over 1 year |
| Yanked | 🔴 | Red | Package or version has been yanked from PyPI |
| Removed | 🔴 | Red | Package no longer exists on PyPI |
SBOM Export Formats
depcheck export supports industry-standard SBOM formats for supply chain transparency and regulatory compliance (EU CRA, US EO 14028):
| Format | Standard | Use Case |
|---|---|---|
cyclonedx |
OWASP CycloneDX 1.6 | Supply chain security, vulnerability correlation |
spdx |
SPDX 2.3 | License compliance, open source auditing |
summary |
depcheck custom | Quick human review, CI dashboards |
All formats include package names, versions, and PURLs. CycloneDX output includes vulnerability data with severity ratings; SPDX output includes license declarations and dependency relationships.
Exit Codes
| Code | Meaning |
|---|---|
| 0 | All packages healthy (or no --fail-on specified) |
| 1 | Failed due to --fail-on condition met |
| 2 | Error during scanning |
Screenshots
Placeholder — screenshots will be added after first release.
How It Works
- Discovery —
depchecklooks forrequirements.txt,pyproject.toml, orPipfilein your project directory - Parsing — Extracts package names and version specifiers
- PyPI Lookup — Queries the PyPI JSON API for each package to get latest versions, release dates, yanked status, and license metadata
- Vulnerability Check — Queries the OSV.dev API for known vulnerabilities affecting each package version
- License Classification — Normalizes license identifiers to SPDX IDs, classifies them into categories (permissive, copyleft, restricted, public domain), and checks against your compliance policy
- Report — Displays a rich, color-coded summary table with license compliance status
Contributing
Contributions are welcome! Here's how you can help:
- Fork the repository at github.com/jlaportebot/depcheck
- Create a feature branch (
git checkout -b feature/amazing-feature) - Commit your changes (
git commit -m 'Add amazing feature') - Push to the branch (
git push origin feature/amazing-feature) - Open a Pull Request
Development setup
git clone https://github.com/jlaportebot/depcheck.git
cd depcheck
pip install -e ".[dev]"
Running tests
pytest
Code style
This project uses Ruff for linting and formatting.
ruff check .
ruff format .
License
This project is licensed under the MIT License — see the LICENSE file for details.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file depdoctor-0.3.0.tar.gz.
File metadata
- Download URL: depdoctor-0.3.0.tar.gz
- Upload date:
- Size: 276.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
bfc97634ca509d1d374d07c968b93665c2098005ffd1963cfa850706353e1d51
|
|
| MD5 |
1e50bee4942335378ba03a2c16435031
|
|
| BLAKE2b-256 |
a4a5e28ab91ea87d94efaf2573ea3f9f1079bf883676bbe30738ce53f34411e0
|
File details
Details for the file depdoctor-0.3.0-py3-none-any.whl.
File metadata
- Download URL: depdoctor-0.3.0-py3-none-any.whl
- Upload date:
- Size: 218.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
adae6d23e5b08d3c162d1aeb1879a9d087f33c96601ee8ecdd7ef1ab9be35eb7
|
|
| MD5 |
ef554a303c7aea9a2356b0b46cb30103
|
|
| BLAKE2b-256 |
c31eb6b2f9d1501af97e6dba2ee7201b78a4772cbc7d6e05650fd57b364744bd
|