rot-detector v1.0.1
CLI tool to detect dependency rot in your projects - find abandoned, unmaintained dependencies
# Dependency Rot Detector
Find abandoned dependencies before they become security nightmares.
A CLI tool that scans your package.json (NPM) or requirements.txt (Python) to detect software rot - dependencies that are abandoned, poorly maintained, or pose supply chain risks.
## The Problem
`npm audit` and Snyk report known CVEs. They do not tell you that:

- a library hasn't been updated in 4 years
- a package has only 1 maintainer (bus factor risk)
- a dependency uses a deprecated or unrecognised license

This is "software rot": a library nobody maintains is a library nobody will patch, a security bomb waiting to explode.
## Quick Start

```bash
# Install globally
npm install -g rot-detector

# Scan your project
rot-detector scan .

# Or use npx (no install)
npx rot-detector scan ./package.json
```

## Example Output
```text
Dependency Rot Detector
Scanned: ./package.json

┌────────────────┬───────┬───────────────┬─────────────┬─────────┬──────────┐
│ Package        │ Score │ Last Update   │ Maintainers │ License │ Status   │
├────────────────┼───────┼───────────────┼─────────────┼─────────┼──────────┤
│ abandoned-lib  │ 15    │ 4 years ago   │ 1           │ GPL-2.0 │ Critical │
│ old-but-ok     │ 65    │ 8 months ago  │ 2           │ MIT     │ Warning  │
│ react          │ 95    │ 2 days ago    │ 15          │ MIT     │ Healthy  │
└────────────────┴───────┴───────────────┴─────────────┴─────────┴──────────┘

Summary: 1 Healthy | 1 Warning | 1 Critical
```

In the terminal the Score column is colour-coded (green Healthy, yellow Warning, red Critical).

## Features
| Feature | Description |
|---------|-------------|
| NPM + PyPI Support | Scans package.json and requirements.txt |
| Health Scoring | 0-100 score based on freshness, maintainers, license |
| Beautiful CLI Output | Color-coded risk indicators |
| JSON Export | `--json` flag for CI/CD integration |
| GitHub Integration | Optional enhanced repo analysis |
| Threshold Checks | Fail builds if score drops below threshold |
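Reading the two manifest formats is less trivial than "one name per line": package.json can carry git URLs, local paths and `npm:` aliases that are not registry packages, and requirements.txt carries comments, continuations, extras, markers, pip options and direct URL references. The example below is added here and is not rot-detector's own code; it extracts the registry package names the scanner would look up, skipping entries that are not registry packages and normalising PyPI names. The function names, the `includeDev` handling that mirrors the `--dev` flag, and the sample manifests are this example's own assumptions.

```javascript
// Added example, not rot-detector's own code: pull the registry package names
// out of the two manifest formats the scanner reads. Function names and the
// sample manifests below are this example's own.
'use strict';

// Specs that do not name a registry package. Looking these up on npm would
// 404 or, for a local path whose basename collides with a public name,
// score a package you do not actually use.
const NON_REGISTRY_SPEC = /^(git\+|git:|https?:|file:|github:|\.\.?\/|\/)/;

// package.json: keys of "dependencies", plus "devDependencies" when
// includeDev is set (mirrors the README's --dev flag; assumed behaviour).
function parsePackageJson(text, { includeDev = false } = {}) {
  const manifest = JSON.parse(text);
  const sections = includeDev ? ['dependencies', 'devDependencies'] : ['dependencies'];
  const names = new Set();
  for (const section of sections) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      if (typeof spec !== 'string' || NON_REGISTRY_SPEC.test(spec)) continue;
      // "alias": "npm:real-name@range" installs a different registry package
      // under a local alias; the registry must be asked about the real name.
      const alias = /^npm:(@?[^@]+)(?:@.*)?$/.exec(spec);
      names.add(alias ? alias[1] : name);
    }
  }
  return [...names];
}

// PEP 503: PyPI treats "Django", "django" and "Foo_Bar" / "foo-bar" / "foo.bar"
// as the same project, so registry look-ups are keyed on this form.
function normalizePypiName(name) {
  return name.replace(/[-_.]+/g, '-').toLowerCase();
}

// requirements.txt: one PEP 508 requirement per logical line. Handles
// comments, blank lines, backslash continuations, extras, version specifiers
// and environment markers; skips pip options (-r, -c, -e, --index-url ...),
// bare URLs and "name @ url" direct references, none of which are registry
// look-ups.
function parseRequirementsTxt(text) {
  const names = new Set();
  const logicalLines = text.replace(/\\\r?\n/g, ' ').split(/\r?\n/);
  for (const raw of logicalLines) {
    const line = raw.replace(/(^|\s)#.*$/, '').trim();   // PEP 508 comments
    if (!line || line.startsWith('-')) continue;         // options / includes / editables
    if (/^[a-z][a-z0-9+.-]*:\/\//i.test(line)) continue; // bare URL
    if (/\s@\s/.test(line)) continue;                    // direct reference
    const m = /^([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)/.exec(line);
    if (!m) continue;
    names.add(normalizePypiName(m[1]));
  }
  return [...names];
}

// Dispatch on file name, as the CLI's "scan [path]" would have to.
function extractDependencies(fileName, text, opts) {
  if (fileName.endsWith('package.json')) return { ecosystem: 'npm', names: parsePackageJson(text, opts) };
  if (fileName.endsWith('requirements.txt')) return { ecosystem: 'pypi', names: parseRequirementsTxt(text) };
  throw new Error(`unsupported manifest: ${fileName}`);
}

// Constructed sample manifests (not real projects).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: {
    react: '^18.2.0',
    'abandoned-lib': '1.0.0',
    padding: 'npm:left-pad@^1.3.0',                    // alias -> left-pad
    mylib: 'file:../mylib',                            // local path, skipped
    tool: 'git+https://github.com/example/tool.git',   // git dep, skipped
  },
  devDependencies: { jest: '^29.0.0' },
});

const SAMPLE_REQUIREMENTS_TXT = [
  '# constructed sample',
  '-r base.txt',
  'Django>=4.2,<5  # web framework',
  'requests[security] == 2.31.0 ; python_version < "3.12"',
  'Pillow \\',
  '    >= 10.0',
  '-e git+https://github.com/example/internal.git#egg=internal',
  'https://example.com/pkg.tar.gz',
  'private-lib @ https://example.com/private-lib-1.0.tar.gz',
  'Some_Package.Name',
].join('\n');

console.log(extractDependencies('package.json', SAMPLE_PACKAGE_JSON, { includeDev: true }));
console.log(extractDependencies('requirements.txt', SAMPLE_REQUIREMENTS_TXT));
```

The skips matter for a scanner that keys on registry metadata: a `file:` or git dependency has no registry "last update" or maintainer count, and an `npm:` alias would otherwise be scored under a name the registry has never heard of.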
## CLI Options

```text
rot-detector scan [path] [options]

Options:
  --json                 Output results as JSON
  --threshold <score>    Fail if any dependency scores below threshold
  --github-token <tok>   GitHub token for enhanced repo analysis
  --no-github            Skip GitHub analysis (faster)
  --dev                  Include devDependencies
  -v, --verbose          Verbose output
```

## Health Score Breakdown
Each dependency is scored 0-100 as the weighted sum of three factor scores:

| Factor | Weight | Scoring |
|--------|--------|---------|
| Freshness | 40% | < 6 months = 100, > 3 years = 5 |
| Maintainers | 30% | 5+ = 100, 1 = 40, 0 = 10 |
| License | 30% | OSI approved = 100, Unknown = 60 |

The Scoring column gives the end points of each scale.
### Risk Levels

- Healthy (80-100): Well maintained, safe to use
- Warning (50-79): Review recommended
- Critical (0-49): Replace immediately!

The score is a heuristic built from registry metadata, not a vulnerability finding: a small, finished library with one maintainer can score Critical while being perfectly sound, and a busy package can score Healthy and still ship a CVE. Treat a Critical score as the trigger to look at the repository, not as the verdict.
## CI/CD Integration

### GitHub Actions

The step fails the job (the scan exits non-zero) when any dependency scores below 50.

```yaml
name: Dependency Health Check
on: [push, pull_request]
jobs:
  rot-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '18'
      - name: Check for dependency rot
        # Pin the scanner version so a new release cannot change the gate
        # unreviewed. Add --github-token ${{ secrets.GITHUB_TOKEN }} to avoid
        # unauthenticated GitHub API rate limits, or --no-github to skip it.
        run: npx rot-detector@1.0.1 scan --threshold 50
```

### Pre-commit Hook

```bash
# .husky/pre-commit
npx rot-detector scan --threshold 60
```

Note that the scan queries the registries (and optionally GitHub) on every commit, so it needs network access and adds latency to each commit.

## Development
```bash
# Clone the repo
git clone https://github.com/notsointresting/rot-detector.git
cd rot-detector

# Install dependencies
npm install

# Run in development mode
npm run dev -- scan ./sample/package.json

# Build for production
npm run build

# Run tests
npm test
```

## Contributing
Contributions are welcome! Feel free to:

- Report bugs
- Suggest features
- Submit pull requests
## License

MIT © notsointresting
