Skip to content

Diagnose whether your software dependency libraries are maintained.

License

Notifications You must be signed in to change notification settings

kyoshidajp/dep-doctor

Repository files navigation

dep-doctor Coverage Status Go Reference

dep-doctor is a tool to diagnose whether your software dependency libraries are maintained.

Today, most software relies heavily on external libraries. Vulnerabilities in those libraries can be detected by vulnerability scanners (dependabot, trivy, Grype, etc) if they are publicly available.

However, some libraries have archived their source code repositories or have had their development stopped, although not explicitly. dep-doctor will notify you of those libraries in the dependencies file.

overview

Support dependencies files

language package manager dependencies file (e.g.) status
Dart pub pubspec.lock ✔️
Erlang/Elixir mix mix.lock ✔️
Go golang go.mod ✔️
Java gradle gradle.lockfile (later)
Java maven pom.xml (later)
JavaScript npm package-lock.json ✔️
JavaScript yarn yarn.lock ✔️
PHP composer composer.lock ✔️
Python pip requirements.txt ✔️
Python pipenv Pipfile.lock ✔️
Python poetry poetry.lock ✔️
Ruby bundler Gemfile.lock ✔️
Rust cargo Cargo.lock ✔️
Swift cocoapods Podfile.lock ✔️

Support repository hosting services

Only GitHub.com

Install

Homebrew (macOS and Linux)

$ brew tap kyoshidajp/dep-doctor
$ brew install kyoshidajp/dep-doctor/dep-doctor

Binary packages

Releases

How to use

GITHUB_TOKEN must be set as an environment variable before execution.

Usage:
  dep-doctor diagnose [flags]

Flags:
      --disable-cache    without using cache
  -f, --file string      dependencies file path
  -h, --help             help for diagnose
  -i, --ignores string   ignore dependencies (separated by a space)
  -p, --package string   package manager
      --strict           exit with non-zero if warnings exist
  -y, --year int         max years of inactivity (default 5)

For example:

$ dep-doctor diagnose --package bundler --file /path/to/Gemfile.lock
concurrent-ruby
dotenv
faker
i18n
method_source
paperclip
......
[error] paperclip (archived): https://github.com/thoughtbot/paperclip
Diagnosis completed! 6 dependencies.
1 error, 0 warn (0 unknown), 0 info (0 ignored)

Report level

level e.g.
error Source code repository is already archived.
warn Source code repository is not active or unknown.
info Other reasons. (specified to be ignored)

Useful options

--year

The maximum number of blank years to be considered maintained. A source code repository is considered maintained if it has been committed within this number of years.

The default is 5 years, but if longer is desired, for example

$ dep-doctor diagnose --package bundler --file /path/to/Gemfile.lock --year 7

In the above case, if there are commits within the last 7 years, it is considered to be maintained.

--ignores

You can specify libraries not to notify you of errors or warnings. This may be useful if you plan to address the issue in the near future but wish to ignore it at this time.

Please specify this option with the understanding that there is a risk.

If there is more than one, you can specify each one separated by a space as follows.

$ dep-doctor diagnose --package bundler --file /path/to/Gemfile.lock \
  --ignores "lib1 lib2 lib3"

--disable-cache

When a status result is retrieved from the source code repository, the URL is kept in a file as a cache (.dep-doctor.yml). Normally, the repository URL is not changed frequently. To speed up the running, this cache is referenced on the second and subsequent runs.

With the --disable-cache option, this cache is not referenced. It always retrieves the latest source code URL from the package registry.

GitHub Actions

Installs an dep-doctor binary for Linux(x86_64) into /usr/local/bin. This action runs install only.

jobs:
  diagnose:
    name: dep-doctor
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: kyoshidajp/dep-doctor@v1
        with:
          version: v1.3.0 # or latest
      - run: dep-doctor diagnose --package golang --file go.mod
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

How it works

how_works

Author

Katsuhiko YOSHIDA