depwarden
Escape Dependency Hell - Scan, audit, and fix your Python dependencies in one command.
What is depwarden?
depwarden is a CLI tool that scans your Python project's dependencies for:
- Security vulnerabilities: CVE scanning via the OSV.dev database, with clickable advisory links
- Dependency bloat: how many sub-dependencies each package pulls in
- Health scoring: 0-100 project health rating with letter grades (A-F)
- Unused dependencies: packages declared but never imported (project-wide)
- Missing dependencies: modules imported but not declared
- Smart suggestions: modern alternatives for common packages
- Actionable next steps: copy-paste commands to fix every issue
- Clickable CVE links: Ctrl+Click vulnerability IDs to open full advisories in your browser
Quick Start
```bash
pip install depwarden

# Basic scan (security + bloat)
depwarden scan .

# Full scan (includes unused/missing detection)
depwarden scan . --full

# JSON output for CI/CD pipelines
depwarden scan . --format json

# Fail CI if HIGH+ vulnerabilities found
depwarden scan . --fail-on high

# Exclude specific directories from scanning
depwarden scan . --full --exclude migrations --exclude scripts
```
Example Output
```text
depwarden - Escape Dependency Hell

Project: /home/user/myproject
Dependencies scanned: 7

Health Score: 100 / 100   Grade: A

Dependency Weight (Top 10)
Package    Version   Pulls In   Status
typer      0.24.1    7          OK
httpx      0.28.1    7          OK
pydantic   2.12.5    4          OK
rich       14.3.3    2          OK

No issues found - dependencies are healthy!
```
Why depwarden?
AI IDEs catch import errors in your editor. depwarden catches dependency health issues in your CI/CD pipeline, where no IDE exists.
| Feature | pip-audit | deptry | safety | depwarden |
|---|---|---|---|---|
| CVE scanning | โ | โ | โ | โ |
| Clickable CVE links | โ | โ | โ | โ |
| Bloat analysis | โ | โ | โ | โ |
| Unused detection | โ | โ | โ | โ |
| Health score | โ | โ | โ | โ |
| Interactive loader | โ | โ | โ | โ |
| CVE ignore list | โ | โ | โ | โ |
| Free, no API key | โ | โ | โ | โ |
Configuration
depwarden can be configured via pyproject.toml so you don't need to pass flags every time:
```toml
[tool.depwarden]
# Directories to exclude from import scanning
exclude = ["tests", "docs", "migrations", "scripts"]

# Automatically fail CI at this severity level
fail_on = "high"

# Whether to include dev dependencies in analysis
include_dev_deps = true

# Packages to ignore in unused dependency detection
# Useful for CLI tools (uvicorn), meta-packages (langchain), or runtime-only deps
ignore_unused = ["uvicorn", "gunicorn", "langchain"]

# Specific vulnerability IDs to ignore (accepted risk)
# Use the exact GHSA/PYSEC/CVE ID shown in the scan output
ignore_vulns = ["PYSEC-2022-43012", "GHSA-r9hx-vwmv-q579"]
```
Default Excludes
When running --full scans, depwarden automatically skips these directories to avoid false positives from test fixtures and example code:
- tests/, test/ - test directories
- docs/ - documentation
- examples/ - example/demo code
- benchmarks/ - performance benchmarks
- scripts/ - utility scripts
You can override these defaults in [tool.depwarden] or add more via --exclude.
CLI Reference
```text
depwarden scan [PATH] [OPTIONS]

Arguments:
  PATH                 Path to the project (default: current dir)

Options:
  --full               Include unused/missing dependency detection
  --format, -f TEXT    Output format: 'rich' or 'json' (default: rich)
  --fail-on TEXT       Exit code 1 on issues. Values:
                         Security: critical, high, medium, low
                         Quality:  unused, bloat, any
  --no-security        Skip vulnerability scanning (useful offline)
  --no-bloat           Skip bloat analysis
  --exclude, -e TEXT   Directories to exclude (can be repeated)

depwarden version      Show version info
```
CI/CD Integration
GitHub Actions
```yaml
name: Dependency Health Check
on: [push, pull_request]
jobs:
  depwarden:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: pip install depwarden
      - run: pip install -r requirements.txt
      - run: depwarden scan . --full --fail-on high
```
GitLab CI
```yaml
depwarden:
  stage: test
  image: python:3.12-slim
  script:
    - pip install depwarden
    - pip install -r requirements.txt
    - depwarden scan . --full --fail-on high --format json
  allow_failure: false
```
Pre-commit Hook
```yaml
# .pre-commit-config.yaml
repos:
  - repo: local
    hooks:
      - id: depwarden
        name: depwarden
        entry: depwarden scan . --fail-on critical
        language: python
        additional_dependencies: [depwarden]
        always_run: true
        pass_filenames: false
```
Exit Codes
| Code | Meaning |
|---|---|
| 0 | All healthy, no issues |
| 1 | Issues found (vulnerabilities, unused deps, etc.) |
| 2 | Configuration error (bad path, missing deps file) |
How It Works
- Reads your pyproject.toml, requirements.txt, or setup.cfg
- Queries the OSV.dev database for known CVEs (free, no API key)
- Analyzes each dependency's sub-dependency tree for bloat
- Scans all .py files using Python's AST to find actual imports (with --full)
- Compares declared vs. imported to find unused and missing dependencies
- Scores your project 0-100 and outputs a beautiful terminal report or JSON
Interactive Experience
depwarden features a custom loading animation during scans:
```text
[ •_• ] Contacting OSV.dev vulnerability database...
[ o_o ] Calculating transitive dependency bloat...
[ O_O ] Parsing Abstract Syntax Trees...
[ -_- ] Finalizing health scores...
```
Vulnerability IDs in the output are clickable hyperlinks: Ctrl+Click (or Cmd+Click on Mac) any CVE/GHSA ID to open the full advisory in your browser.
Supported Dependency Files
- pyproject.toml (PEP 621 + Poetry formats, including optional/dev dependencies)
- requirements.txt (including -r recursive includes)
- setup.cfg
License
MIT
File details: depwarden-0.1.0.tar.gz
- Download URL: depwarden-0.1.0.tar.gz
- Size: 4.5 MB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.10.11

| Algorithm | Hash digest |
|---|---|
| SHA256 | 40199101fa0935ca15fbac6d74d4f2f6b8e7b8ae7fa8d1b059e2d67a3933c974 |
| MD5 | 29e35b682ac1b1a87d4b294fe6395e0a |
| BLAKE2b-256 | 06eba987dc681aeca4158d400ef9e5a673ddc076754ffe28e88190167ea0db66 |
File details: depwarden-0.1.0-py3-none-any.whl
- Download URL: depwarden-0.1.0-py3-none-any.whl
- Size: 29.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.10.11

| Algorithm | Hash digest |
|---|---|
| SHA256 | 33d6cc4736788f99250ee0f26ff2c72a083d598d5c764b2344ac1a2e7ecfea69 |
| MD5 | a0952e5fa19e3eb51feb43aaf37fecf6 |
| BLAKE2b-256 | a7b8dd1daf0e6b1104beed46427e552061c1d0d18dbd3448ee941c926afda3c8 |