
Dependency Upgrade Advisor: scan and safely upgrade Python project dependencies.

Project description

depup — Dependency Upgrade Advisor


depup is a production-grade Python CLI that helps developers understand, audit, and safely upgrade dependencies across projects and environments.

It focuses on:

  • correctness
  • visibility
  • CI-friendliness
  • minimal surprises

Why Depup?

Managing Python dependencies looks simple—until it isn’t.

Most teams eventually face at least one of these problems:

  • Dependencies silently drift out of date
  • Upgrading one package breaks others
  • CI pipelines fail due to incompatible versions
  • Security fixes are delayed because upgrades feel risky
  • Different projects use different dependency formats
  • There’s no clear visibility into what will change before upgrading

Depup exists to make dependency upgrades safe, visible, and intentional.


The Problem with Existing Tools

Tool                        Limitation
pip list --outdated         No semantic context, no safety
pip-tools / poetry update   Updates blindly, often breaking things
Dependabot                  Reactive, PR-heavy, noisy
Manual upgrades             Time-consuming, error-prone

Most tools answer “what is outdated?” Depup answers “what should I upgrade, why, and how risky is it?”


What Depup Does Differently

Depup is designed as a dependency intelligence layer, not just an updater.

Deep Visibility Before Change

  • See declared vs latest versions

  • Understand semantic impact (patch / minor / major)

  • Works across:

    • requirements.txt
    • pyproject.toml (PEP 621 + Poetry)
    • Pipfile
    • poetry.lock, Pipfile.lock
    • Installed environments (--env)

Safety-First Upgrades

  • Dry-run support (--dry-run)
  • Selective upgrades (--only-patch, --only-minor, --only-major)
  • Package-level filtering
  • No blind rewriting of dependency files

CI & Automation Ready

  • --check mode with proper exit codes
  • JSON output for pipelines
  • Markdown reports for audits and reviews
  • Designed for GitHub Actions, GitLab CI, Azure DevOps

Built for AI-Native Workflows

Depup is architected to integrate with:

  • AI IDE agents (Cursor, Windsurf, Continue)
  • MCP-based tooling
  • Future AI-driven upgrade analysis and code fixes

This makes depup future-proof, not just useful today.


Where Depup Fits in Your Workflow

flowchart LR
    Dev[Developer / CI]
    Scan[depup scan]
    Analyze[Version Analysis]
    Plan[Upgrade Plan]
    Upgrade[depup upgrade]
    Report[JSON / Markdown Reports]

    Dev --> Scan
    Scan --> Analyze
    Analyze --> Plan
    Plan --> Upgrade
    Plan --> Report

Depup fits before upgrades — exactly where most failures happen.


Who depup is for

  • Individual developers who want safer upgrades
  • Teams managing multiple Python projects
  • CI/CD pipelines that need deterministic dependency checks
  • Open-source maintainers avoiding breaking releases
  • AI-assisted workflows needing structured dependency data

Features

Implemented (v0.9.0)

  • Scan dependency files:
    • requirements.txt
    • pyproject.toml (PEP 621 + Poetry)
    • Pipfile
    • poetry.lock (read-only)
    • Pipfile.lock (read-only)
  • Scan installed environments (--env)
  • Fetch latest versions from PyPI
  • Semantic update classification:
    • patch / minor / major / none
  • JSON output (--json)
  • Markdown reports (--report)
  • CI-friendly check mode (--check)
  • Deterministic upgrade planning
  • Safe upgrade execution (depup upgrade)
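The semantic classification and selective, deterministic planning listed above, as an added example written for this page (it is not depup's own code). It assumes a toy version parser covering major.minor.patch with a/b/rc pre-release suffixes, a constructed requirements.txt and a constructed dictionary standing in for PyPI's release listing; depup itself is built on the `packaging` library, which is what real code should use instead of the regex parser here. The example goes a little beyond the feature list in two places: it shows what "declared version" means for a range specifier, and it has an optional policy that treats a 0.x minor bump as major.

```python
# Added example, not depup's own code: an offline model of scan -> classify -> plan.
# Assumed: a toy PEP 440-like version parser, a constructed requirements.txt and a
# constructed stand-in for PyPI's release listing. Real code should use `packaging`.
import re
from dataclasses import dataclass, field

VERSION_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:(a|b|rc)(\d+))?$")
REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*)$")
SPEC_RE = re.compile(r"^(===|==|~=|>=|<=|!=|<|>)\s*(\S+)$")

@dataclass(frozen=True, order=True)
class Version:
    major: int
    minor: int
    patch: int
    pre: tuple = (1, "", 0)  # finals are (1, "", 0); pre-releases (0, tag, n) sort below them
    text: str = field(default="", compare=False)
    @classmethod
    def parse(cls, s):
        m = VERSION_RE.match(s.strip())
        if not m:
            raise ValueError(f"unsupported version: {s!r}")
        pre = (0, m.group(4), int(m.group(5))) if m.group(4) else (1, "", 0)
        return cls(*(int(m.group(i) or 0) for i in (1, 2, 3)), pre, s.strip())

def parse_requirements(text):
    """requirements.txt -> {canonical_name: [(op, version), ...]}; comments, markers, pip options and URL refs dropped."""
    reqs = {}
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).split(";", 1)[0]
        line = line.split(" --", 1)[0].rstrip("\\ ").strip()  # drop --hash and other per-line options
        if not line or line.startswith("-") or "://" in line or " @ " in line:
            continue
        m = REQ_RE.match(line)
        if m:
            name = re.sub(r"[-_.]+", "-", m.group(1)).lower()  # PEP 503 normalisation
            parts = (SPEC_RE.match(p.strip()) for p in m.group(2).split(","))
            reqs[name] = [sm.groups() for sm in parts if sm]
    return reqs

def declared_version(specs):
    """Floor of the specifier set (==, ===, >=, ~=); None when nothing is pinned."""
    floors = []
    for op, ver in specs:
        if op in ("==", "===", ">=", "~="):
            try:
                floors.append(Version.parse(ver))
            except ValueError:  # wildcards such as ==1.2.* cannot be compared here
                pass
    return min(floors) if floors else None

def pick_latest(candidates, allow_prerelease=False):
    """Newest parseable release; pre-releases are skipped unless asked for, as pip does."""
    versions = []
    for c in candidates:
        try:
            v = Version.parse(c)
        except ValueError:
            continue
        if allow_prerelease or v.pre[0] == 1:
            versions.append(v)
    return max(versions) if versions else None

def classify(current, latest, zero_major_is_breaking=False):
    """patch / minor / major / none; optionally count a 0.x minor bump as major (SemVer: 0.x is unstable)."""
    if latest <= current:
        return "none"
    if latest.major != current.major:
        return "major"
    if latest.minor != current.minor:
        return "major" if zero_major_is_breaking and current.major == 0 else "minor"
    return "patch"

def plan(reqs, index, only=None, **policy):
    """Rows (name, current, latest, level) passing the --only-<level> filter, sorted by name."""
    rows = []
    for name in sorted(reqs):
        current = declared_version(reqs[name])
        latest = pick_latest(index.get(name, []))
        if current is None or latest is None:
            continue  # unpinned, or unknown to the index: nothing to compare
        level = classify(current, latest, **policy)
        if level != "none" and only in (None, level):
            rows.append((name, current.text, latest.text, level))
    return rows  # a non-empty plan is what --check turns into a failing exit code

SAMPLE_REQUIREMENTS = """\
# constructed sample, not a real project
requests>=2.31.0
urllib3==1.26.18
cryptography~=41.0
PyYAML==6.0.1 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
typing_extensions  # unpinned: nothing to compare against
"""
SAMPLE_INDEX = {  # constructed stand-in for PyPI's release listing
    "requests": ["2.31.0", "2.32.3"], "urllib3": ["1.26.18", "2.2.3"],
    "cryptography": ["41.0.7", "42.0.0", "43.0.0b1"], "pyyaml": ["6.0.1", "6.0.2"],
}
```

Two choices in this model matter for a safe default: pre-releases are excluded from "latest" unless asked for, otherwise a check mode would fail on every beta, and the declared version is the floor of the specifier, so `requests>=2.31.0` is compared against 2.31.0 rather than against whatever happens to be installed (scanning the environment is the separate `--env` path). Unpinned names such as `typing_extensions` are parsed but produce no row, which a real report should surface rather than silently skip.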

Planned (towards v1.0.0)

  • Smarter conflict detection
  • Editable upgrade policies
  • AI-assisted changelog summaries
  • IDE / MCP agent integration

Installation

pip install depup

or with uv:

uv tool install depup

Usage

Scan project dependencies

depup scan

Include latest versions from PyPI

depup scan --latest

Fail CI if outdated dependencies exist

depup scan --latest --check

Scan installed environment

depup scan --env --latest

Generate JSON output

depup scan --latest --json

Generate Markdown report

depup scan --latest --report deps.md

Upgrading dependencies

Preview upgrades (safe):

depup upgrade --dry-run

Apply upgrades:

depup upgrade

Upgrade only patch updates:

depup upgrade --only-patch

Upgrade environment packages:

depup upgrade --env

Architecture

flowchart LR
    CLI[CLI -Typer]
    Parser[Dependency Parsers]
    Env[Environment Scanner]
    Scanner[Version Scanner]
    Planner[Upgrade Planner]
    Executor[Upgrade Executor]
    Reports[Reports / JSON / Markdown]

    CLI --> Parser
    CLI --> Env
    Parser --> Scanner
    Env --> Scanner
    Scanner --> Planner
    Planner --> Executor
    Planner --> Reports

Testing

pytest -q

All critical components are unit tested.


Versioning Philosophy

  • 0.x → Rapid iteration, APIs may evolve
  • 0.9.x → Feature-complete, stable, CI-ready
  • 1.0.0 → API freeze, backward compatibility guarantees

License

MIT License — see LICENSE.


Contributing

Issues, PRs, and discussions are welcome. Please keep changes small and well-tested.


Acknowledgements

Built with:

  • Typer
  • Rich
  • packaging
  • requests

Inspired by real-world CI and dependency pain.


Detailed documentation available at:

https://saran-damm.github.io/depup/

Download files


Source Distribution

depup-0.9.0.tar.gz (46.1 kB)

Uploaded Source

Built Distribution


depup-0.9.0-py3-none-any.whl (22.1 kB)

Uploaded Python 3

File details

Details for the file depup-0.9.0.tar.gz.

File metadata

  • Download URL: depup-0.9.0.tar.gz
  • Size: 46.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for depup-0.9.0.tar.gz
Algorithm Hash digest
SHA256 23ae9bf0b77e9443adb7c85a5b7172911c33b7973c06284465b84ba0a77b7020
MD5 bba59f4eab9a827148afd7d41b168821
BLAKE2b-256 980ebb3d171e38c0c5641bde204268bf46665479623407a32db4fabecdb97553


Provenance

The following attestation bundles were made for depup-0.9.0.tar.gz:

Publisher: python-publish.yml on saran-damm/depup

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file depup-0.9.0-py3-none-any.whl.

File metadata

  • Download URL: depup-0.9.0-py3-none-any.whl
  • Size: 22.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for depup-0.9.0-py3-none-any.whl
Algorithm Hash digest
SHA256 152492a729fde95aef9abf6f85c4df2d10398e9225825f0c7d2555cdc61907df
MD5 abb03e6490a7e293634891f743fd7263
BLAKE2b-256 e459f9aff92ebfba97a22a9fc5f8478bc007fc8717dab3aaf32f33d4a810b52b


Provenance

The following attestation bundles were made for depup-0.9.0-py3-none-any.whl:

Publisher: python-publish.yml on saran-damm/depup

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
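How to actually use the digests in the two File hashes tables above, as an added example written for this page (it is not from PyPI or from depup): it verifies a downloaded release file against the published SHA256 and BLAKE2b-256 values and emits a hash-pinned requirements entry for `pip install --require-hashes`. It assumes the artifact was fetched separately, for example with `pip download depup==0.9.0 --no-deps`; the self-check uses a constructed temporary file rather than the real artifact. MD5 is deliberately left out, since it is not collision resistant and adds nothing once SHA256 matches.

```python
# Added example, not part of the PyPI page or of depup: verify a downloaded release
# file against the digests published above and emit a pip hash-pinned requirement.
# Assumed: the file was fetched separately (e.g. `pip download depup==0.9.0 --no-deps`);
# self_check() below works on a constructed temporary file, not the real artifact.
import hashlib
import tempfile
from pathlib import Path

# SHA256 / BLAKE2b-256 digests as listed on this page for depup 0.9.0 (MD5 omitted on purpose)
PUBLISHED = {
    "depup-0.9.0.tar.gz": {
        "sha256": "23ae9bf0b77e9443adb7c85a5b7172911c33b7973c06284465b84ba0a77b7020",
        "blake2b_256": "980ebb3d171e38c0c5641bde204268bf46665479623407a32db4fabecdb97553",
    },
    "depup-0.9.0-py3-none-any.whl": {
        "sha256": "152492a729fde95aef9abf6f85c4df2d10398e9225825f0c7d2555cdc61907df",
        "blake2b_256": "e459f9aff92ebfba97a22a9fc5f8478bc007fc8717dab3aaf32f33d4a810b52b",
    },
}

def file_digests(path, chunk_size=1 << 20):
    """Stream the file once through both hash functions PyPI publishes."""
    sha256 = hashlib.sha256()
    blake2b_256 = hashlib.blake2b(digest_size=32)  # PyPI's "BLAKE2b-256": blake2b, 32-byte digest
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            sha256.update(block)
            blake2b_256.update(block)
    return {"sha256": sha256.hexdigest(), "blake2b_256": blake2b_256.hexdigest()}

def verify(path, expected):
    """(ok, mismatched_algorithms): every published digest we can compute must match."""
    actual = file_digests(path)
    mismatches = sorted(alg for alg, digest in expected.items()
                        if alg in actual and actual[alg] != digest)
    return (not mismatches, mismatches)

def hash_pinned_requirement(project, version, published):
    """requirements.txt entry for `pip install --require-hashes`: pip accepts the
    download if it matches any listed --hash, so list every artifact of the release."""
    digests = sorted(entry["sha256"] for entry in published.values())
    lines = [f"{project}=={version}"] + [f"--hash=sha256:{d}" for d in digests]
    return " \\\n    ".join(lines)

def self_check():
    """Constructed demonstration: a temp file passes against its own digests and
    fails once one of the expected digests is tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "sample.bin"
        sample.write_bytes(b"constructed sample bytes, not a real sdist\n" * 1000)
        empty = Path(tmp) / "empty.bin"
        empty.write_bytes(b"")
        good = file_digests(sample)
        tampered = dict(good, sha256="0" * 64)
        return {"good": verify(sample, good), "tampered": verify(sample, tampered),
                "empty": file_digests(empty)}

if __name__ == "__main__":
    print(hash_pinned_requirement("depup", "0.9.0", PUBLISHED))
    print(self_check())
```

With both digests listed, `pip install --require-hashes -r requirements.txt` installs the release only if the file it fetches matches one of them, which pins the artifact rather than just the version number. The Trusted Publishing attestation shown above identifies the workflow that built the file, but pip does not verify attestations on its own at install time, so the hash pin is the control that actually runs there.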
