Cross-ecosystem dependency auditor for Python + Node: catches undeclared imports, unused deps, unpinned specifiers, and lockfile drift in one offline, CI-ready command.
Project description
kryptorious-depguard
Cross-ecosystem dependency auditor for Python + Node. One command, offline, CI-ready — catches the dependency problems your linter can't see:
- Undeclared imports — code imports a package you never declared (
import requestswith norequestsinrequirements.txt). Breaks in a clean install. - Unused dependencies — declared in
requirements.txt/package.jsonbut never imported. Bloats installs and attack surface. - Unpinned specifiers —
numpy(any) or^1.2.3(floating). Non-reproducible builds. - Lockfile drift —
package.jsondisagrees withpackage-lock.json/yarn.lock.
Why this exists
node-depcheck is Node-only. pipreqs regenerates a requirements file but doesn't audit it. pyflakes F401 only catches unused local names. No lightweight, offline, single-tool audits both ecosystems and emits SARIF for GitHub code-scanning in one pass. depguard does.
Install
pip install kryptorious-depguard
Usage
Audit the current directory (both ecosystems):
depguard check .
Python only, fail CI on any high-severity finding:
depguard check . --python --no-node --fail-on high
Emit SARIF for GitHub code-scanning:
depguard check . --format sarif --output depguard.sarif
JSON for custom pipelines:
depguard check . --format json
GitHub Action (inline)
- name: Dependency audit
run: |
pip install kryptorious-depguard
depguard check . --format sarif --output depguard.sarif --fail-on high
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: depguard.sarif
Exit codes
--fail-on {high,medium,low,never} controls the CI gate. Default high: exits 1 when any high-severity finding exists (undeclared imports).
Premium
Free tier includes everything above. Premium ($9 lifetime) adds cloud SARIF upload to code-scanning dashboards, scheduled baseline diffs, and HTML trend reports: https://kryptorious.gumroad.com/l/jbvet
License
MIT — Kryptorious Quantum Biosciences, Inc.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file kryptorious_depguard-1.1.1.tar.gz.
File metadata
- Download URL: kryptorious_depguard-1.1.1.tar.gz
- Upload date:
- Size: 14.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
cb90fc5652b5faf75b87459f5d5eeff55e29a03bcce23758012d86c53ab3f77b
|
|
| MD5 |
889d2c1267bf8548ea55e1cdc43d1289
|
|
| BLAKE2b-256 |
46a8a4a4ba533231155d30fa15085bb3600652456046e4ad1a05048474306105
|
File details
Details for the file kryptorious_depguard-1.1.1-py3-none-any.whl.
File metadata
- Download URL: kryptorious_depguard-1.1.1-py3-none-any.whl
- Upload date:
- Size: 13.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
bab950e0962a4a5e9089a9085f5343142d381199a6bf2478eef385603f58c681
|
|
| MD5 |
c5d6307ccef2cc78db6a0dbd82b785ea
|
|
| BLAKE2b-256 |
2f4916a95b32fdee10abd31103f4f2b558d77f1f873da80203dd17ab7471f8b5
|