dura-kit

v1.1.3

Published

2 days ago

Dependency Update Risk Analyzer

0High
0Medium
0Low

DURA - Dependency Update Risk Analyzer

Analyze dependency update risks in your projects and make informed decisions about which dependencies are safe to update.

Installation

NPX (No Installation Required)

npx dura-kit https://github.com/facebook/react

Global Installation

npm install -g dura-kit
dura https://github.com/facebook/react

Local Installation

npm install --save-dev dura-kit
npx dura https://github.com/facebook/react

Usage

Basic Usage

# Analyze a repository
dura <github-repo-url> [branch] [options]

# Examples
dura https://github.com/expressjs/express
dura https://github.com/expressjs/express develop
dura https://github.com/facebook/react main

Output Formats

Summary (Default)

dura https://github.com/expressjs/express

Shows a concise summary of high-risk and breaking changes.

Table Format

dura https://github.com/expressjs/express --table

Displays all dependencies in a detailed table format with risk scores.

JSON Format

dura https://github.com/expressjs/express --json

Outputs machine-readable JSON for integration with other tools.

Combined Formats

dura https://github.com/expressjs/express --json --table
dura https://github.com/expressjs/express --table --summary

All flags are additive and can be combined.

Debug Options

Verbose Mode

dura https://github.com/expressjs/express --verbose

Shows detailed progress information and warnings.

Debug Mode

dura https://github.com/expressjs/express --debug

Enables comprehensive debug logging including network requests and internal processing details.

Understanding Risk Levels

DURA categorizes dependency updates into three risk levels:

High Risk

Major version updates (breaking changes)
Known security vulnerabilities
Deprecated packages
Significant API changes

Recommendation: Review migration guides, update tests, and deploy to staging before production.

Medium Risk

Minor version updates with behavior changes
New features that may affect existing functionality
Dependencies with incomplete documentation

Recommendation: Review changelogs and test thoroughly.

Low Risk

Patch updates
Bug fixes only
Well-maintained dependencies with stable APIs

Recommendation: Generally safe to update with standard testing.

Output Examples

Summary Output

Confirmed breaking changes (2):
- merge-descriptors (prod) → confirmed breaking change
- eslint (dev) → major update with breaking changes

High-risk updates (3):
- accepts (prod) → major version gap
- cookie (prod) → major version gap
- fresh (prod) → major version gap

Medium-risk updates (4):
- connect-redis (dev) → major version update
- marked (dev) → major version update

Table Output

+---------------+------+--------------+-----------------+--------+-------+----------------+-----------+-----------+
| name          | type | currentRange | currentResolved | latest | diff  | breakingSignal | riskScore | riskLevel |
+---------------+------+--------------+-----------------+--------+-------+----------------+-----------+-----------+
| express       | prod | ^4.18.2      | 4.18.2          | 5.0.0  | major | confirmed      | 75        | high      |
| lodash        | prod | ^4.17.20     | 4.17.20         | 4.17.21| patch | unknown        | 5         | low       |
+---------------+------+--------------+-----------------+--------+-------+----------------+-----------+-----------+

JSON Output

[
  {
    "name": "express",
    "type": "prod",
    "currentRange": "^4.18.2",
    "currentResolved": "4.18.2",
    "latest": "5.0.0",
    "diff": "major",
    "breakingChange": {
      "breaking": "confirmed",
      "confidenceScore": 0.9,
      "signals": {
        "strong": ["Breaking: Removed support for..."],
        "medium": [],
        "weak": []
      }
    },
    "riskScore": 75,
    "riskLevel": "high",
    "githubRepoUrl": "https://github.com/expressjs/express"
  }
]

Command Reference

Arguments

<repoUrl> (required) - GitHub repository URL (e.g., https://github.com/expressjs/express)
[branch] (optional) - Git branch to analyze (default: main)

Options

--json - Output in JSON format
--table - Display results in table format
--summary - Show summary (enabled by default)
--verbose - Enable verbose logging
--debug - Enable debug logging
--help - Display help information
--version - Display version number

Use Cases

Before Updating Dependencies

# Check what needs attention before running npm update
dura https://github.com/yourorg/yourproject

Code Review

# Analyze dependencies changed in a PR
dura https://github.com/yourorg/yourproject feature-branch

Security Audits

# Generate a report of all dependency risks
dura https://github.com/yourorg/yourproject --json > audit-report.json

How It Works

Fetches Repository Data - Retrieves package.json and lock files from the specified repository
Analyzes Dependencies - Examines both direct and transitive dependencies
Checks for Updates - Compares current versions against latest available versions
Detects Breaking Changes - Scrapes GitHub releases and changelogs for breaking change indicators
Calculates Risk Scores - Assigns risk levels based on version differences, breaking changes, and security issues
Generates Report - Provides actionable recommendations for each dependency

Breaking Change Detection

DURA analyzes GitHub releases and changelogs to detect breaking changes using multiple signals:

Strong Signals: Explicit "BREAKING CHANGE" or "Breaking:" in release notes
Medium Signals: Major version bumps, API removals, deprecations
Weak Signals: "may break", "could affect", behavioral changes

Confidence scores range from 0.0 to 1.0, with 0.8+ indicating confirmed breaking changes.

Risk Score Calculation

Risk scores are calculated based on:

Version Difference (0-40 points)
- Same version: 0 points
- Patch: 5 points
- Minor: 20 points
- Major: 40 points
Breaking Change Signal (0-30 points)
- Confirmed: 30 points
- Likely: 20 points
- Unknown: 0 points
Security Vulnerabilities (0-30 points)
- Known vulnerabilities: 30 points
- No known issues: 0 points

Total scores are mapped to risk levels:

0-15: Low Risk
16-50: Medium Risk
51-100: High Risk

Limitations

Requires publicly accessible GitHub repositories
Relies on publicly available release notes and changelogs
May not detect all breaking changes if not documented
Does not analyze code changes directly
Network-dependent (requires internet connection)

Troubleshooting

"Repository not found"

Ensure the repository URL is correct and publicly accessible. Private repositories are not currently supported.

"Rate limit exceeded"

GitHub API rate limits may be reached. Wait a few minutes and try again, or use authenticated requests (planned feature).

"Cannot parse package.json"

Verify the repository contains a valid package.json file in the root or specified branch.

Slow Analysis

Large repositories with many dependencies may take longer to analyze. Use --verbose to see progress.

Contributing

Contributions are welcome! Please see our Contributing Guide for details.

Development Setup

git clone https://github.com/yourorg/dura
cd dura
npm install

# Link for local development
cd cli
npm link

# Run locally
dura https://github.com/facebook/react

License

MIT License - see LICENSE file for details.

Related Projects

CodeRabbit Integration - AI-powered code reviews with DURA
GitHub Actions - Automated dependency analysis in CI/CD
MCP Server - Use DURA with Cline CLI

Credits

Built with:

Commander.js - CLI framework
Crawlee - Web scraping
Playwright - Browser automation
Ora - Terminal spinners
Chalk - Terminal colors

Support

For questions, issues, or feature requests:

Open an Issue
Start a Discussion
Read the Documentation

Made with <3 for safer dependency updates.