
Intelligent dependency upgrade risk analyzer with usage-centric scoring

Project description

🔍 Upgrade Impact Analyzer

Intelligent dependency upgrade risk analysis with AI-powered insights

Requires Python 3.12+. License: MIT.

Upgrade Impact Analyzer goes beyond simple SemVer rules. Instead of treating every major-version bump as equally dangerous, it matches the APIs your code actually calls against the library's changelog, API changes, and known vulnerabilities, so the risk it reports reflects how much of the changed surface your project really touches.
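The core idea, scoring by what the code uses rather than by the version delta, is easier to see in a small worked example. The block below is added here for illustration and is not the analyzer's own code: it walks a source file with `ast`, records which top-level names of a package are referenced, and intersects them with a hand-written list of API changes for a hypothetical package `reqlib`. The package name, the change list and the weights are all constructed assumptions; a real tool would derive the change list from the changelog.

```python
import ast
from dataclasses import dataclass, field

# Constructed example: API changes between two versions of a hypothetical
# package "reqlib". A real analyzer would derive these from the changelog
# or from diffing the two releases; here they are written by hand.
API_CHANGES = {
    "reqlib": {
        "removed": {"get_json"},          # calling this will fail outright
        "signature_changed": {"post"},    # keyword arguments renamed
        "deprecated": {"Session"},        # still works, but warns
    }
}

# Weight per change kind; the score is the sum over symbols the project uses.
WEIGHTS = {"removed": 10, "signature_changed": 5, "deprecated": 2}


@dataclass
class UsageReport:
    package: str
    used_symbols: set[str] = field(default_factory=set)
    hits: dict[str, str] = field(default_factory=dict)  # symbol -> change kind

    @property
    def score(self) -> int:
        return sum(WEIGHTS[kind] for kind in self.hits.values())

    @property
    def level(self) -> str:
        if self.score >= 10:
            return "high"
        return "medium" if self.score > 0 else "low"


class _UsageCollector(ast.NodeVisitor):
    """Record which top-level names of `package` the source actually touches:
    `from pkg import name`, `pkg.name`, and `alias.name` after `import pkg as alias`."""

    def __init__(self, package: str):
        self.package = package
        self.aliases: set[str] = set()   # local names bound to the package
        self.symbols: set[str] = set()

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:
            if alias.name == self.package:
                self.aliases.add(alias.asname or alias.name)
        self.generic_visit(node)

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        if node.module == self.package:
            self.symbols.update(alias.name for alias in node.names)
        self.generic_visit(node)

    def visit_Attribute(self, node: ast.Attribute) -> None:
        if isinstance(node.value, ast.Name) and node.value.id in self.aliases:
            self.symbols.add(node.attr)
        self.generic_visit(node)


def analyze_usage(source: str, package: str) -> UsageReport:
    """Score an upgrade of `package` by the changed APIs this source uses."""
    collector = _UsageCollector(package)
    collector.visit(ast.parse(source))
    report = UsageReport(package, collector.symbols)
    for kind, names in API_CHANGES.get(package, {}).items():
        for name in names & collector.symbols:
            report.hits[name] = kind
    return report


# Constructed sample sources. The same version bump scores differently
# depending on which part of the package each one touches.
SAMPLE_POST = "import reqlib\nr = reqlib.post(url, data=payload)\n"
SAMPLE_SESSION = "from reqlib import Session\ns = Session()\n"
SAMPLE_UNAFFECTED = "import reqlib as rl\nrl.get(url)\n"

if __name__ == "__main__":
    for src in (SAMPLE_POST, SAMPLE_SESSION, SAMPLE_UNAFFECTED):
        rep = analyze_usage(src, "reqlib")
        print(rep.level, rep.score, rep.hits)
```

The third sample imports the package under an alias and only calls `get`, which is untouched by the upgrade, so it scores low even though the other two samples are upgrading the very same version range. The collector is deliberately shallow (it ignores `getattr`, star imports and re-exports), which is the kind of blind spot to keep in mind with any static usage analysis.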

✨ Key Features

| Feature | Description |
|---|---|
| Usage-Centric Scoring | Risk scored by actual code usage, not just version numbers |
| AI-Powered Analysis | LLM changelog summarization (OpenAI/Anthropic) |
| Security Scanning | CVE detection via pip-audit and OSV.dev |
| Health Scoring | A-F grades based on maintenance, popularity, quality |
| SBOM Generation | CycloneDX 1.5 and SPDX 2.3 formats |
| License Auditing | Compliance checking with deny lists |
| Monorepo Support | Analyze multiple projects with shared deps |
| Custom Policies | Define risk thresholds per package |
| Multi-Format Output | Terminal, JSON, SARIF, JUnit XML, Markdown |
| CI/CD Integration | GitHub Actions, pre-commit hooks |

🚀 Quick Start

# Install
pip install upgrade-impact-analyzer

# Analyze your project
upgrade-analyzer analyze

# With security scanning
upgrade-analyzer analyze --security

# Generate SBOM
upgrade-analyzer sbom --output sbom.json

# Health scoring
upgrade-analyzer health

# AI-powered analysis (requires OPENAI_API_KEY or ANTHROPIC_API_KEY)
upgrade-analyzer ai-analyze --package requests --from 2.28.0 --to 2.31.0

📦 Installation

# Basic installation
pip install upgrade-impact-analyzer

# With security scanning support (quoted so zsh does not expand the brackets)
pip install "upgrade-impact-analyzer[security]"

# With all optional features
pip install "upgrade-impact-analyzer[all]"

💡 Usage

Basic Analysis

upgrade-analyzer analyze                              # Auto-detect files
upgrade-analyzer analyze --project /path/to/project   # Specify path
upgrade-analyzer analyze --format sarif --output results.sarif  # SARIF output

🤖 AI-Powered Analysis

# Requires OPENAI_API_KEY or ANTHROPIC_API_KEY
export OPENAI_API_KEY="sk-..."

upgrade-analyzer ai-analyze \
  --package requests \
  --from 2.28.0 \
  --to 2.31.0

📊 Health Scoring

upgrade-analyzer health                    # Show A-F grades
upgrade-analyzer health --output health.md # Save report

📋 SBOM Generation

upgrade-analyzer sbom --output sbom.json          # CycloneDX
upgrade-analyzer sbom --format spdx --output sbom.spdx.json  # SPDX

📜 License Auditing

upgrade-analyzer licenses                          # Basic audit
upgrade-analyzer licenses --deny AGPL-3.0          # Deny specific
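The SBOM and the license audit are two views of the same data, so one added example covers both sections: a small checker that reads a CycloneDX 1.5 document (the format the `sbom` command emits) and flags components whose license matches a deny list, components with no license data, and components without a `purl` (which cannot be matched to vulnerability advisories). This is illustration code, not the analyzer's implementation; the SBOM document, package names and deny list are constructed. The deny list includes both the legacy `AGPL-3.0` identifier used on the command line above and the current SPDX `-only`/`-or-later` forms, since SBOMs in the wild carry either.

```python
import json
import sys

# Deny list in SPDX identifier form. The CLI above uses "AGPL-3.0"; SPDX
# deprecated that id in favour of the -only/-or-later pair, and SBOMs may
# carry either, so match all three.
DENY = {"AGPL-3.0", "AGPL-3.0-only", "AGPL-3.0-or-later"}

# Constructed CycloneDX 1.5 document with the license shapes the format allows:
# a single id, an SPDX expression, and a component with no license data at all.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "dualdb", "version": "1.4.0",
         "purl": "pkg:pypi/dualdb@1.4.0",
         "licenses": [{"expression": "AGPL-3.0-only OR LicenseRef-Commercial"}]},
        {"type": "library", "name": "copyleft-tool", "version": "0.9",
         "purl": "pkg:pypi/copyleft-tool@0.9",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
        {"type": "library", "name": "mystery", "version": "3.0"},
    ],
}

_KEYWORDS = {"AND", "OR", "WITH"}


def is_denied(expr: str, deny: set[str]) -> bool:
    """Evaluate a flat SPDX expression against the deny list.
    OR-only: denied only if every alternative is denied (the consumer may
    pick the permissive branch). AND, a single id, or mixed/parenthesised
    operators: denied if any id is denied (the conservative reading)."""
    tokens = expr.replace("(", " ").replace(")", " ").split()
    ids = [t for t in tokens if t.upper() not in _KEYWORDS]
    ops = {t.upper() for t in tokens if t.upper() in ("AND", "OR")}
    denied = [i for i in ids if i in deny]
    if not denied:
        return False
    if ops == {"OR"}:
        return len(denied) == len(ids)
    return True


def component_licenses(comp: dict) -> list[str]:
    """Return the license ids or expressions declared on a CycloneDX component."""
    out = []
    for entry in comp.get("licenses", []):
        if "expression" in entry:
            out.append(entry["expression"])
        elif "license" in entry:
            lic = entry["license"]
            out.append(lic.get("id") or lic.get("name", "UNKNOWN"))
    return out


def audit_sbom(sbom: dict, deny: set[str]) -> dict[str, list]:
    findings: dict[str, list] = {"denied": [], "unknown_license": [], "missing_purl": []}
    for comp in sbom.get("components", []):
        ref = f"{comp.get('name')}@{comp.get('version')}"
        if "purl" not in comp:  # no purl: cannot be matched to advisories
            findings["missing_purl"].append(ref)
        licenses = component_licenses(comp)
        if not licenses:
            findings["unknown_license"].append(ref)
        for expr in licenses:
            if is_denied(expr, deny):
                findings["denied"].append((ref, expr))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            sbom = json.load(fh)
    else:
        sbom = SAMPLE_SBOM
    result = audit_sbom(sbom, DENY)
    for key, items in result.items():
        print(f"{key}: {items}")
    sys.exit(1 if result["denied"] else 0)
```

Run it as `python audit_sbom.py sbom.json` on the file produced by `upgrade-analyzer sbom --output sbom.json`, or with no argument to exercise the constructed sample. Note the dual-licensed `dualdb` component is not flagged: an `OR` expression offers a choice, and treating it as a violation produces noise that teams learn to ignore, whereas `AND` and parenthesised expressions are read conservatively.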

🏢 Monorepo Support

upgrade-analyzer monorepo --root /path/to/monorepo
upgrade-analyzer monorepo --output monorepo-report.md

📋 Custom Risk Policies

upgrade-analyzer init-policies   # Create .upgrade-policies.toml

Example policy:

[[policies]]
name = "Critical Package Stability"
packages = ["django", "flask", "sqlalchemy"]
max_semver_major = 1
require_approval = true

📊 All CLI Commands

| Command | Description |
|---|---|
| analyze | Analyze upgrade risks (main command) |
| sbom | Generate SBOM (CycloneDX/SPDX) |
| health | Calculate health scores (A-F grades) |
| licenses | Audit dependency licenses |
| monorepo | Analyze monorepo projects |
| ai-analyze | AI-powered changelog analysis |
| scan-security | Vulnerability scanning |
| detect | Detect dependency files |
| init-policies | Create policies template |
| clear-cache | Clear cached data |
| version | Show version info |

🔧 Configuration

Environment Variables

| Variable | Description |
|---|---|
| GITHUB_TOKEN | GitHub API token for higher rate limits |
| OPENAI_API_KEY | OpenAI API key for AI analysis |
| ANTHROPIC_API_KEY | Anthropic API key for AI analysis |

🔄 GitHub Actions

- run: upgrade-analyzer analyze --format sarif --output results.sarif
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif

The upload step needs `security-events: write` in the job's `permissions:` block (plus `contents: read` for checkout); with the default read-only token the upload fails. The `GITHUB_TOKEN` passed to the analyzer itself is only used for the GitHub API rate limit, as listed under Environment Variables.
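Uploading to Code Scanning records findings as alerts but does not by itself block a merge. If you want the pipeline to fail on serious upgrade risks, a short gate script between the two steps above does it. The script below is an added example, not part of the analyzer: it assumes only that the output is standard SARIF 2.1.0 (`runs[].results[].level`, `ruleId`, `message.text`, `locations[]`). The rule ids, messages and file locations in the embedded sample document are constructed.

```python
import json
import sys
from collections import Counter

LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed SARIF 2.1.0 document standing in for results.sarif.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-analyzer"}},
        "results": [
            {"ruleId": "upgrade/major-breaking", "level": "error",
             "message": {"text": "django 3.2 -> 5.0: a used API was removed"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "requirements.txt"},
                 "region": {"startLine": 4}}}]},
            {"ruleId": "upgrade/minor", "level": "warning",
             "message": {"text": "requests 2.28 -> 2.31: deprecated call in use"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "requirements.txt"},
                 "region": {"startLine": 9}}}]},
            {"ruleId": "upgrade/patch", "level": "note",
             "message": {"text": "urllib3 patch release, no used API affected"}},
        ],
    }],
}


def iter_results(sarif: dict):
    for run in sarif.get("runs", []):
        yield from run.get("results", [])


def result_location(result: dict) -> str:
    """file:line of the first location, or a placeholder when none is given."""
    try:
        loc = result["locations"][0]["physicalLocation"]
        uri = loc["artifactLocation"]["uri"]
        line = loc.get("region", {}).get("startLine")
        return f"{uri}:{line}" if line else uri
    except (KeyError, IndexError):
        return "<no location>"


def gate(sarif: dict, fail_on: str = "error") -> tuple[int, dict, list[str]]:
    """Return (exit_code, counts per level, blocking findings).
    A result at or above `fail_on` makes the exit code 1."""
    threshold = LEVEL_RANK[fail_on]
    counts: Counter = Counter()
    blocking: list[str] = []
    for result in iter_results(sarif):
        level = result.get("level", "warning")  # treat a missing level as warning
        counts[level] += 1
        if LEVEL_RANK.get(level, 0) >= threshold:
            blocking.append(
                f"{level}: {result.get('ruleId')} at {result_location(result)}: "
                f"{result.get('message', {}).get('text', '')}"
            )
    return (1 if blocking else 0), dict(counts), blocking


if __name__ == "__main__":
    # usage: python sarif_gate.py results.sarif [error|warning|note]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            doc = json.load(fh)
    else:
        doc = SAMPLE_SARIF
    code, counts, blocking = gate(doc, sys.argv[2] if len(sys.argv) > 2 else "error")
    print("findings by level:", counts)
    print(*blocking, sep="\n")
    sys.exit(code)
```

Run it as `python sarif_gate.py results.sarif error` right after the analyze step; a non-zero exit fails the job while the SARIF upload, placed before the gate or given `if: always()`, still records every finding as an alert.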

📄 License

MIT License - see LICENSE for details.

Download files


Source Distribution

upgrade_impact_analyzer-2.0.0b1.tar.gz (67.2 kB), uploaded as Source

Built Distribution

upgrade_impact_analyzer-2.0.0b1-py3-none-any.whl (77.9 kB), uploaded for Python 3

File details

Details for the file upgrade_impact_analyzer-2.0.0b1.tar.gz.

File hashes

| Algorithm | Hash digest |
|---|---|
| SHA256 | af879f1f45ea66cc63a1795c72a327f49ed1b2437256c072dd1b794f18fede1c |
| MD5 | 5e856f7608471d8c9ffdc90a2beb7834 |
| BLAKE2b-256 | 1d898b34795bbc6c98d1434df90b3ab94c6645af8345aadf4b46708f8a286458 |

File details

Details for the file upgrade_impact_analyzer-2.0.0b1-py3-none-any.whl.

File hashes

| Algorithm | Hash digest |
|---|---|
| SHA256 | f6463dbb500096bcb607baee7e8b36e99905aba8f372f607ae706bf99cde4ef8 |
| MD5 | f23675e1ef763e32abb71df068bb281b |
| BLAKE2b-256 | 83844ec60aa36d036edaa6bf076fa69ae21a374ab8edbe3261d334037cd9ef74 |
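The digests above are what let you check a downloaded artifact before installing it, and what `pip install --require-hashes` pins against. The helper below is added for illustration and is not part of the project; the digests it carries are copied from the two tables above. One detail worth the example: PyPI's BLAKE2b-256 is BLAKE2b with a 32-byte output, so `hashlib.blake2b(data, digest_size=32)`, not the 64-byte default.

```python
import hashlib
import os

# Digests copied from the file-hash tables for release 2.0.0b1.
PUBLISHED = {
    "upgrade_impact_analyzer-2.0.0b1.tar.gz": {
        "sha256": "af879f1f45ea66cc63a1795c72a327f49ed1b2437256c072dd1b794f18fede1c",
        "blake2b-256": "1d898b34795bbc6c98d1434df90b3ab94c6645af8345aadf4b46708f8a286458",
    },
    "upgrade_impact_analyzer-2.0.0b1-py3-none-any.whl": {
        "sha256": "f6463dbb500096bcb607baee7e8b36e99905aba8f372f607ae706bf99cde4ef8",
        "blake2b-256": "83844ec60aa36d036edaa6bf076fa69ae21a374ab8edbe3261d334037cd9ef74",
    },
}


def digests_of(data: bytes) -> dict[str, str]:
    """The three digests PyPI publishes. BLAKE2b-256 is BLAKE2b truncated by
    construction to a 32-byte digest, which hashlib exposes via digest_size."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "blake2b-256": hashlib.blake2b(data, digest_size=32).hexdigest(),
    }


def verify(data: bytes, expected: dict[str, str]) -> list[str]:
    """Return the algorithms whose digest did not match. MD5 is skipped on
    purpose: it is listed for legacy tooling, not as an integrity check."""
    actual = digests_of(data)
    return [alg for alg, want in expected.items()
            if alg != "md5" and actual[alg] != want.lower()]


def verify_file(path: str) -> list[str]:
    """Check a downloaded sdist or wheel against the published digests."""
    name = os.path.basename(path)
    with open(path, "rb") as fh:
        return verify(fh.read(), PUBLISHED[name])


def hash_pin_line(project: str, version: str, filenames) -> str:
    """A requirements.txt line for `pip install --require-hashes`; one --hash
    per artifact so that either the sdist or the wheel satisfies the pin."""
    hashes = " ".join(f"--hash=sha256:{PUBLISHED[f]['sha256']}" for f in filenames)
    return f"{project}=={version} {hashes}"


if __name__ == "__main__":
    print(hash_pin_line("upgrade-impact-analyzer", "2.0.0b1", list(PUBLISHED)))
    for name in PUBLISHED:
        if os.path.exists(name):
            bad = verify_file(name)
            print(name, "OK" if not bad else f"MISMATCH in {bad}")
```

Once the pinned line is in `requirements.txt`, install with `pip install --require-hashes -r requirements.txt`; pip then refuses any artifact, including transitive ones, that lacks a matching hash, which is the point of verifying a supply-chain tool before trusting its output.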
