Comprehensive health assessments for Python project dependencies
Project description
Dependency Health Monitor (DHM)
Comprehensive health assessments for Python project dependencies.
Features
- Health Scoring: Weighted composite scores based on security, maintenance, community, and popularity
- Vulnerability Detection: Live scanning via the OSV database (responses cached, see Caching), with each finding classified as open (affects your version) or fixed (patched before your version)
- Maintenance Analysis: Identifies abandoned, deprecated, or archived packages
- License Evaluation: Categorizes licenses (permissive, copyleft, weak copyleft)
- Caching: SQLite-based caching reduces API calls and improves performance
- CI/CD Ready: JSON output and `--fail-on` severity thresholds that turn findings into non-zero exit codes for pipeline gates
Installation
pip install dependency-health-monitor
Or install from source:
git clone https://github.com/jeremylaratro/dhm.git
cd dhm
pip install -e ".[dev]"
Quick Start
Command Line
```bash
# Scan current project
dhm scan

# Check a single package
dhm check requests

# Find alternatives for a problematic package
dhm alternatives urllib3

# Output as JSON for CI/CD
dhm scan -f json -o report.json

# Fail CI if high+ severity issues found
dhm scan --fail-on high
```
Python Library
```python
import asyncio

from dhm import check, scan


async def main():
    # Check a single package
    report = await check("requests")
    print(f"{report.package.name}: Grade {report.health.grade}")
    print(f"  Security: {report.health.security_score:.0f}")
    print(f"  Open vulnerabilities: {len(report.health.open_vulnerabilities)}")

    # Scan a project directory
    reports = await scan(".")
    for r in reports:
        if r.health.has_open_vulnerabilities:
            print(f"⚠️  {r.package.name} has {len(r.health.open_vulnerabilities)} open vulns")


asyncio.run(main())
```
Synchronous API (for non-async contexts):
```python
from dhm import check_sync, scan_sync

report = check_sync("flask")
print(f"Flask health: {report.health.grade} ({report.health.overall:.0f}/100)")

reports = scan_sync("/path/to/project")
unhealthy = [r for r in reports if r.health.is_concerning]
```
Health Score Algorithm
DHM calculates a composite health score using weighted components:
| Component | Weight | Data Sources |
|---|---|---|
| Security | 35% | OSV vulnerability database |
| Maintenance | 30% | PyPI release dates, GitHub activity |
| Community | 20% | Contributors, stars, PR merge rates |
| Popularity | 15% | pypistats.org download counts |
Grade Thresholds:
| Grade | Score | Meaning |
|---|---|---|
| A | ≥ 85 | Excellent - Well maintained, secure, popular |
| B | ≥ 75 | Good - Minor concerns, generally safe |
| C | ≥ 65 | Acceptable - Some issues, monitor closely |
| D | ≥ 55 | Concerning - Significant issues, consider alternatives |
| F | < 55 | Critical - Major problems, action required |
Vulnerability Classification
DHM distinguishes between open and fixed vulnerabilities:
- Open: the installed (or explicitly requested) version falls inside an affected range - action required
- Fixed: the vulnerability affected older releases but was patched before your version - historical only
```python
# Inside an async function:
report = await check("aiohttp", version="3.13.3")

# Only shows vulnerabilities affecting version 3.13.3
for vuln in report.health.open_vulnerabilities:
    print(f"🔴 {vuln.id}: {vuln.title}")
    if vuln.fixed_version:
        print(f"   Fix: Upgrade to {vuln.fixed_version}")
```
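The open-versus-fixed split above depends on how OSV expresses affected versions: each record carries `affected[].ranges[].events`, where an `introduced` event opens an affected window and the next `fixed` (exclusive) or `last_affected` (inclusive) event closes it, plus an optional explicit `versions` list. The following is an added, self-contained illustration of that evaluation and is not DHM's own code; `OSV_RECORDS` is constructed sample data with placeholder IDs, and `parse_version` deliberately handles only plain dotted releases (real code should compare with `packaging.version.Version`).

```python
"""Open-versus-fixed classification of OSV-style records for one installed version.

Added illustration, not DHM's own code. OSV_RECORDS is constructed sample data with
placeholder IDs; event semantics follow the OSV schema (https://ossf.github.io/osv-schema/).
"""
from dataclasses import dataclass
from typing import Optional

Version = tuple[int, ...]


def parse_version(text: str) -> Version:
    """Parse a plain dotted release such as "3.13.3"; OSV uses "0" for "since the first release".

    Simplification for this example: pre-/post-release and local tags are not handled;
    production code should compare with packaging.version.Version (PEP 440).
    """
    return tuple(int(part) for part in text.split("."))


@dataclass
class Finding:
    id: str
    title: str
    status: str                   # "open": installed version affected; "fixed": patched before it
    fixed_version: Optional[str]  # for "open": version to upgrade to, None if no fix exists yet


def window_hit(installed: Version, events: list[dict]) -> tuple[bool, Optional[str]]:
    """Evaluate one range's ordered `events` list: `introduced` opens a window, the next
    `fixed` (exclusive) or `last_affected` (inclusive) closes it; a trailing `introduced`
    with no closer means every later version is still affected."""
    start: Optional[Version] = None
    for ev in events:
        if "introduced" in ev:
            start = parse_version(ev["introduced"])
        elif "fixed" in ev and start is not None:
            if start <= installed < parse_version(ev["fixed"]):
                return True, ev["fixed"]
            start = None
        elif "last_affected" in ev and start is not None:
            if start <= installed <= parse_version(ev["last_affected"]):
                return True, None
            start = None
    if start is not None and installed >= start:
        return True, None
    return False, None


def classify(records: list[dict], package: str, version: str) -> list[Finding]:
    """Return one Finding per record that names `package`, labelled open or fixed."""
    installed = parse_version(version)
    findings: list[Finding] = []
    for rec in records:
        matched, affected, fix = False, False, None
        for aff in rec.get("affected", []):
            pkg = aff.get("package", {})
            if pkg.get("ecosystem") != "PyPI" or pkg.get("name", "").lower() != package.lower():
                continue
            matched = True
            if version in aff.get("versions", []):   # explicit enumeration, used by some records
                affected = True
            for rng in aff.get("ranges", []):
                if rng.get("type") != "ECOSYSTEM":     # PyPI records use ECOSYSTEM, not SEMVER/GIT
                    continue
                hit, fixed_in = window_hit(installed, rng.get("events", []))
                if hit:
                    affected = True
                    fix = fix or fixed_in
        if matched:
            findings.append(Finding(rec["id"], rec.get("summary", ""),
                                    "open" if affected else "fixed", fix if affected else None))
    return findings


def open_findings(records: list[dict], package: str, version: str) -> list[Finding]:
    return [f for f in classify(records, package, version) if f.status == "open"]


def _rec(vid, summary, name="examplepkg", events=None, versions=None):
    """Build a constructed OSV-shaped record for the sample data below."""
    aff = {"package": {"ecosystem": "PyPI", "name": name}}
    if events:
        aff["ranges"] = [{"type": "ECOSYSTEM", "events": events}]
    if versions:
        aff["versions"] = versions
    return {"id": vid, "summary": summary, "affected": [aff]}


OSV_RECORDS = [  # constructed sample data, placeholder IDs
    _rec("EX-0001", "Old bug, fixed long ago", events=[{"introduced": "0"}, {"fixed": "3.9.0"}]),
    _rec("EX-0002", "Recent bug with a fix", events=[{"introduced": "3.10.0"}, {"fixed": "3.13.4"}]),
    _rec("EX-0003", "Unfixed bug", events=[{"introduced": "3.13.0"}]),
    _rec("EX-0004", "Exact-version listing", versions=["3.13.2", "3.13.3"]),
    _rec("EX-0005", "Two windows, both closed",
         events=[{"introduced": "0"}, {"fixed": "3.0.0"}, {"introduced": "3.13.0"}, {"fixed": "3.13.1"}]),
    _rec("EX-0006", "Different package", name="otherpkg", events=[{"introduced": "0"}]),
]

if __name__ == "__main__":
    for f in classify(OSV_RECORDS, "examplepkg", "3.13.3"):
        marker = "🔴" if f.status == "open" else "✅"
        fix = f" -> upgrade to {f.fixed_version}" if f.fixed_version else ""
        print(f"{marker} {f.id} [{f.status}] {f.title}{fix}")
```

For installed version 3.13.3 this yields EX-0002 (open, fix 3.13.4), EX-0003 (open, no fix) and EX-0004 (open) as action items, while EX-0001 and EX-0005 are historical. The `fixed` boundary is exclusive, so a record with `fixed: "3.13.4"` still flags 3.13.3; getting that off-by-one wrong in either direction is the classic mistake when hand-rolling this check.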
Caching
DHM caches API responses in SQLite to speed up repeated scans and to stay under upstream rate limits:
| Data Type | TTL | Rationale |
|---|---|---|
| GitHub repo data | 24 hours | Metrics change slowly |
| PyPI metadata | 1 hour | Releases are occasional |
| Download stats | 6 hours | Updated daily |
| Vulnerabilities | 6 hours | Security-critical, stay current |
```bash
# View cache statistics
dhm cache --stats

# Clear all cached data
dhm cache --clear

# Remove only expired entries
dhm cache --cleanup

# Invalidate specific data
dhm cache --invalidate 'github:%'
```
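The TTL table and cache commands above describe the behaviour but not the mechanism, so here is an added illustration of a per-source TTL cache on SQLite with the same operations (stats, cleanup of expired rows, LIKE-pattern invalidation). It is not DHM's implementation: the table layout, the `source:name` key scheme and the `TTL_SECONDS` mapping are assumptions modelled on the table above; only the `'github:%'` pattern comes from the page. The clock is injectable so the expiry logic can be tested without waiting hours.

```python
"""Per-source TTL cache on SQLite for upstream API responses.

Added illustration, not DHM's own implementation. Schema, key scheme and TTL mapping are
assumptions modelled on the Caching section; the 'github:%' pattern is the page's own.
"""
import json
import sqlite3
import time
from typing import Any, Callable, Optional

# Per-source TTLs in seconds, following the documented table.
TTL_SECONDS = {
    "github": 24 * 3600,    # repo metrics change slowly
    "pypi": 3600,           # releases are occasional
    "downloads": 6 * 3600,  # pypistats updates daily
    "osv": 6 * 3600,        # security-critical, stay current
}


class TTLCache:
    def __init__(self, path: str = ":memory:", clock: Callable[[], float] = time.time):
        self.clock = clock  # injectable clock: deterministic expiry in tests
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS cache ("
            " key TEXT PRIMARY KEY, value TEXT NOT NULL, expires_at REAL NOT NULL)"
        )

    def get(self, key: str) -> Optional[Any]:
        """Return the cached JSON value, or None if missing or past its TTL.
        Callers must not cache a bare null, since None doubles as the miss signal."""
        row = self.db.execute(
            "SELECT value, expires_at FROM cache WHERE key = ?", (key,)
        ).fetchone()
        if row is None or row[1] <= self.clock():
            return None
        return json.loads(row[0])

    def put(self, key: str, value: Any) -> None:
        source = key.split(":", 1)[0]          # 'github:psf/requests' -> 'github'
        ttl = TTL_SECONDS[source]               # unknown source is a programming error
        self.db.execute(
            "INSERT OR REPLACE INTO cache (key, value, expires_at) VALUES (?, ?, ?)",
            (key, json.dumps(value, sort_keys=True), self.clock() + ttl),
        )
        self.db.commit()

    def fetch(self, key: str, loader: Callable[[], Any]) -> tuple[Any, bool]:
        """Cache-through read: returns (value, served_from_cache)."""
        cached = self.get(key)
        if cached is not None:
            return cached, True
        value = loader()
        self.put(key, value)
        return value, False

    def cleanup(self) -> int:
        """Drop only expired rows (dhm cache --cleanup). Returns rows removed."""
        cur = self.db.execute("DELETE FROM cache WHERE expires_at <= ?", (self.clock(),))
        self.db.commit()
        return cur.rowcount

    def invalidate(self, pattern: str) -> int:
        """Drop rows whose key matches a SQL LIKE pattern, e.g. 'github:%'.
        The pattern is bound as a parameter, never interpolated into the SQL."""
        cur = self.db.execute("DELETE FROM cache WHERE key LIKE ?", (pattern,))
        self.db.commit()
        return cur.rowcount

    def clear(self) -> int:
        """Drop everything (dhm cache --clear)."""
        return self.invalidate("%")

    def stats(self) -> dict:
        now = self.clock()
        (total,) = self.db.execute("SELECT COUNT(*) FROM cache").fetchone()
        (expired,) = self.db.execute(
            "SELECT COUNT(*) FROM cache WHERE expires_at <= ?", (now,)
        ).fetchone()
        return {"entries": total, "expired": expired, "live": total - expired}


if __name__ == "__main__":
    cache = TTLCache()
    # Constructed stand-in for a GitHub API response; a real loader would call the API.
    value, hit = cache.fetch("github:psf/requests", lambda: {"stars": 1234})
    print(value, "from cache" if hit else "fetched")
    print(cache.fetch("github:psf/requests", lambda: {"stars": 0}))  # served from cache
    print(cache.stats())
```

One operational consequence of the 6 hour vulnerability TTL is worth stating plainly: a `--fail-on` gate that runs against a warm cache can miss an advisory published within the last six hours. For a release gate where that matters, run `dhm cache --clear` (the documented way to drop everything) before the scan, at the cost of more API calls.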
CI/CD Integration
```yaml
# GitHub Actions example
- name: Check dependency health
  run: |
    pip install dependency-health-monitor
    dhm scan --fail-on high -f json -o dhm-report.json

- name: Upload report
  uses: actions/upload-artifact@v3
  with:
    name: dependency-health-report
    path: dhm-report.json
```

Two pinning notes for a production pipeline. `pip install dependency-health-monitor` with no version installs whatever is newest at run time, so pin it (`==` plus `--require-hashes` for a hash-checked install); the tool that gates your dependencies is itself a dependency. Likewise reference actions by full commit SHA rather than a floating tag, and check the current major of `actions/upload-artifact`, since GitHub has deprecated v3 of the artifact actions in favour of v4. If you set `GITHUB_TOKEN` (see Environment Variables) to raise the API quota, pass it from `secrets` rather than hardcoding it in the workflow.
Environment Variables
| Variable | Description |
|---|---|
| GITHUB_TOKEN | GitHub API token for higher rate limits (5000/hr vs 60/hr) |
License
MIT - See LICENSE for details.
Download files
File details
Details for the file dependency_health_monitor-0.3.0.tar.gz.
File metadata
- Download URL: dependency_health_monitor-0.3.0.tar.gz
- Upload date:
- Size: 158.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 3dcfac29d123871982e10515294e0e4a4f72cdd5f6ee5d18ad5e752616ef24f1 |
| MD5 | caaedb6a1a33206f00c4116249730aa3 |
| BLAKE2b-256 | bf578507ac1795741d5bef59ded9196ace1401f9249bfe952218660cba87c9cc |
Provenance
The following attestation bundles were made for dependency_health_monitor-0.3.0.tar.gz:
- Publisher: publish.yml on aradex-io/dhm
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: dependency_health_monitor-0.3.0.tar.gz
  - Subject digest: 3dcfac29d123871982e10515294e0e4a4f72cdd5f6ee5d18ad5e752616ef24f1
  - Sigstore transparency entry: 1514218322
  - Sigstore integration time:
- Permalink: aradex-io/dhm@2c09acf849d878246791c68176f10176a1067007
- Branch / Tag: refs/tags/v0.3.0
- Owner: https://github.com/aradex-io
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@2c09acf849d878246791c68176f10176a1067007
- Trigger Event: release

Note that the attestation names aradex-io/dhm at commit 2c09acf849d878246791c68176f10176a1067007 as the publishing repository, while the Installation section above clones https://github.com/jeremylaratro/dhm.git. Before building from source, confirm the two refer to the same project (a renamed or transferred repository is the benign explanation), and before installing the sdist, confirm that the subject digest above matches the SHA256 of the file you actually downloaded.
File details
Details for the file dependency_health_monitor-0.3.0-py3-none-any.whl.
File metadata
- Download URL: dependency_health_monitor-0.3.0-py3-none-any.whl
- Upload date:
- Size: 64.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | ea9d76f0400bbc736434999f202866bf2814200986e81b6e8b5bb82c406173c6 |
| MD5 | dbf2415af0ee43fc7f203a869ed2bce6 |
| BLAKE2b-256 | 34d38feb464510273d3d5955f1718d7bd96356318c92c16733a7ed236ae6959d |
Provenance
The following attestation bundles were made for dependency_health_monitor-0.3.0-py3-none-any.whl:
- Publisher: publish.yml on aradex-io/dhm
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: dependency_health_monitor-0.3.0-py3-none-any.whl
  - Subject digest: ea9d76f0400bbc736434999f202866bf2814200986e81b6e8b5bb82c406173c6
  - Sigstore transparency entry: 1514218395
  - Sigstore integration time:
- Permalink: aradex-io/dhm@2c09acf849d878246791c68176f10176a1067007
- Branch / Tag: refs/tags/v0.3.0
- Owner: https://github.com/aradex-io
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@2c09acf849d878246791c68176f10176a1067007
- Trigger Event: release