depstree 0.1.0

Dependency analyzer for Python, Node, Rust, Go, Java, Ruby, and PHP projects.

Depstree

Dependency analyzer for any project.

---

Depstree scans real project manifests, normalizes dependencies across ecosystems, and turns them into readable terminal reports, dependency trees, audits, diffs, exports, and graph artifacts. It supports Python, Node.js, Rust, Go, Java Maven/Gradle, Ruby, and PHP projects without requiring the target project to install anything first.

• Multi-ecosystem scanning - detects pyproject.toml, requirements*.txt, package.json, Cargo.toml, go.mod, pom.xml, Gemfile, composer.json, and more.
• Readable dependency trees - renders grouped runtime, dev, optional, peer, build, and transitive dependency views with Rich.
• Risk audits - flags unpinned versions, wildcard specs, local path dependencies, git/url dependencies, duplicate specs, and prerelease usage.
• Project diffs - compares two directories or manifests and shows added, removed, and changed dependencies.
• Portable exports - writes JSON, CSV, CycloneDX-style SBOM, HTML reports, DOT, SVG, and graph JSON.
• Registry checks - checks latest versions for Python and npm dependencies when network access is available.

Installation

pip install depstree

For local development:

python3 -m venv .venv
. .venv/bin/activate
pip install -e .

Usage

Scan the current project:

depstree scan .

Print a dependency tree:

depstree tree .

Audit for risky dependency declarations:

depstree audit . --strict

Export an SBOM:

depstree export . --format sbom --output sbom.json

Create an SVG graph:

depstree graph . --format svg --output deps.svg

Compare two project states:

depstree diff ./before ./after

Commands

Command	Description
depstree scan <path>	Detect manifests and summarize dependencies.
depstree tree <path>	Render a grouped dependency tree.
depstree audit <path>	Report risky specs and duplicate declarations.
depstree licenses <path>	Show dependency license metadata when manifests or lockfiles expose it.
depstree diff <old> <new>	Compare two projects or manifests.
depstree export <path>	Export dependency data as JSON, CSV, SBOM, or HTML.
depstree graph <path>	Generate DOT, SVG, HTML, or JSON graph output.
depstree explain <package> <path>	Show where a dependency is declared and under which scope.
depstree outdated <path>	Check latest registry versions for Python and npm packages.

Configuration

Depstree works without a config file. It skips noisy generated directories such as .git, .venv, node_modules, dist, build, and target. Use command options to choose export formats, include or hide transitive dependencies, filter outdated checks by ecosystem, or make audits fail CI with --strict.

License

MIT License. See LICENSE.