# dep-doctor

`dep-doctor` is a tool to diagnose whether your software dependency libraries are maintained.
Today, most software relies heavily on external libraries. Vulnerabilities in those libraries can be detected by vulnerability scanners (Dependabot, Trivy, Grype, etc.) once they are publicly disclosed.
However, some libraries have archived their source code repositories or have stopped development without announcing it. A library that is no longer maintained will not receive fixes, so a vulnerability found in it has no upstream patch to pick up. `dep-doctor` will notify you of those libraries in your dependencies file.
## Supported languages

language | package manager | dependencies file (e.g.) | status |
---|---|---|---|
Dart | pub | pubspec.lock | ✔️ |
Erlang/Elixir | mix | mix.lock | ✔️ |
Go | golang | go.mod | ✔️ |
Java | gradle | gradle.lockfile | (later) |
Java | maven | pom.xml | (later) |
JavaScript | npm | package-lock.json | ✔️ |
JavaScript | yarn | yarn.lock | ✔️ |
PHP | composer | composer.lock | ✔️ |
Python | pip | requirements.txt | ✔️ |
Python | pipenv | Pipfile.lock | ✔️ |
Python | poetry | poetry.lock | ✔️ |
Ruby | bundler | Gemfile.lock | ✔️ |
Rust | cargo | Cargo.lock | ✔️ |
Swift | cocoapods | Podfile.lock | ✔️ |
Only source code repositories hosted on GitHub.com are supported.

## Installation

```shell
$ brew tap kyoshidajp/dep-doctor
$ brew install kyoshidajp/dep-doctor/dep-doctor
```
`GITHUB_TOKEN` must be set as an environment variable before execution.

## Usage

```
Usage:
  dep-doctor diagnose [flags]

Flags:
      --disable-cache     without using cache
  -f, --file string       dependencies file path
  -h, --help              help for diagnose
  -i, --ignores string    ignore dependencies (separated by a space)
  -p, --package string    package manager
      --strict            exit with non-zero if warnings exist
  -y, --year int          max years of inactivity (default 5)
```
For example:

```
$ dep-doctor diagnose --package bundler --file /path/to/Gemfile.lock
concurrent-ruby
dotenv
faker
i18n
method_source
paperclip
......
[error] paperclip (archived): https://github.com/thoughtbot/paperclip
Diagnosis completed! 6 dependencies.
1 error, 0 warn (0 unknown), 0 info (0 ignored)
```
Each reported dependency is assigned one of the following levels:

level | meaning (e.g.) |
---|---|
error | Source code repository is already archived. |
warn | Source code repository is not active or unknown. |
info | Other reasons (e.g. specified to be ignored). |
### --year

The maximum number of years without commits for a dependency to still be considered maintained. A source code repository is considered maintained if it has had a commit within this number of years.
The default is 5 years; if a longer period is desired, for example:

```shell
$ dep-doctor diagnose --package bundler --file /path/to/Gemfile.lock --year 7
```

In the above case, a repository with at least one commit within the last 7 years is considered maintained.
### --ignores

You can specify libraries for which errors or warnings should not be reported. This may be useful if you plan to address the issue in the near future but wish to ignore it for now.
Please specify this option with the understanding that an ignored library still carries the risk; the finding is suppressed, not resolved.
If there is more than one, specify each one separated by a space as follows.

```shell
$ dep-doctor diagnose --package bundler --file /path/to/Gemfile.lock \
  --ignores "lib1 lib2 lib3"
```
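The levels table and the `--year` and `--ignores` options above describe a small decision procedure: archived means error, inactive or unresolvable means warn, an ignored name is demoted to info, and "inactive" is measured against the `--year` threshold. The following Go program, added here as an illustration and not dep-doctor's own code, implements that procedure over a constructed set of repositories so the effect of `--year 5` versus `--year 7`, of `--ignores`, and of `--strict` on the exit status can be seen. The `Repo` struct, the `SampleRepos` data, and the rule that errors always produce a non-zero exit are assumptions; only paperclip's archived status and URL come from the README.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Level is one of the report levels from the README's table.
type Level string

const (
	LevelError Level = "error" // repository is archived
	LevelWarn  Level = "warn"  // repository is inactive or unknown
	LevelInfo  Level = "info"  // other reasons, e.g. listed in --ignores
	LevelOK    Level = "ok"    // maintained; not reported
)

// Repo is an assumed, simplified view of what a registry lookup plus a
// GitHub status query would yield for one dependency (not dep-doctor's type).
type Repo struct {
	Name       string
	URL        string
	Known      bool      // false when no repository URL could be resolved
	Archived   bool      // GitHub "archived" flag
	LastCommit time.Time // zero when not known
}

// ParseIgnores turns the --ignores value ("lib1 lib2 lib3") into a set.
func ParseIgnores(s string) map[string]bool {
	set := make(map[string]bool)
	for _, name := range strings.Fields(s) {
		set[name] = true
	}
	return set
}

// Diagnose classifies one dependency. maxYears is the --year value; now is
// injected so the decision is reproducible.
func Diagnose(r Repo, maxYears int, ignores map[string]bool, now time.Time) (Level, string) {
	if ignores[r.Name] {
		return LevelInfo, "ignored"
	}
	if !r.Known || (!r.Archived && r.LastCommit.IsZero()) {
		return LevelWarn, "unknown"
	}
	if r.Archived {
		return LevelError, "archived"
	}
	// "Maintained" means at least one commit within the last maxYears years.
	cutoff := now.AddDate(-maxYears, 0, 0)
	if r.LastCommit.Before(cutoff) {
		return LevelWarn, "not active (last commit " + r.LastCommit.Format("2006-01-02") + ")"
	}
	return LevelOK, "maintained"
}

// Summary mirrors the counts printed at the end of a run.
type Summary struct {
	Errors, Warns, Unknown, Infos, Ignored int
}

// Summarize diagnoses every repo and tallies the levels.
func Summarize(repos []Repo, maxYears int, ignores map[string]bool, now time.Time) Summary {
	var s Summary
	for _, r := range repos {
		lvl, reason := Diagnose(r, maxYears, ignores, now)
		switch lvl {
		case LevelError:
			s.Errors++
		case LevelWarn:
			s.Warns++
			if reason == "unknown" {
				s.Unknown++
			}
		case LevelInfo:
			s.Infos++
			if reason == "ignored" {
				s.Ignored++
			}
		}
	}
	return s
}

// ExitCode applies the --strict rule from the usage text (warnings fail the
// run only when strict is set). Errors always failing is an assumption.
func (s Summary) ExitCode(strict bool) int {
	if s.Errors > 0 || (strict && s.Warns > 0) {
		return 1
	}
	return 0
}

// SampleRepos is constructed test data; URLs other than paperclip's are placeholders.
func SampleRepos() []Repo {
	d := func(y int, m time.Month) time.Time { return time.Date(y, m, 1, 0, 0, 0, 0, time.UTC) }
	return []Repo{
		{Name: "paperclip", URL: "https://github.com/thoughtbot/paperclip", Known: true, Archived: true, LastCommit: d(2019, 1)},
		{Name: "fresh-lib", URL: "https://github.com/example/fresh-lib", Known: true, LastCommit: d(2023, 11)},
		{Name: "stale-lib", URL: "https://github.com/example/stale-lib", Known: true, LastCommit: d(2017, 6)},
		{Name: "unknown-lib", Known: false},
		{Name: "ignored-lib", URL: "https://github.com/example/ignored-lib", Known: true, Archived: true},
	}
}

func main() {
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // fixed "today" for the demo
	ignores := ParseIgnores("ignored-lib")
	for _, years := range []int{5, 7} {
		fmt.Printf("--year %d\n", years)
		for _, r := range SampleRepos() {
			if lvl, reason := Diagnose(r, years, ignores, now); lvl != LevelOK {
				fmt.Printf("[%s] %s (%s): %s\n", lvl, r.Name, reason, r.URL)
			}
		}
		s := Summarize(SampleRepos(), years, ignores, now)
		fmt.Printf("%d error, %d warn (%d unknown), %d info (%d ignored), exit %d (strict: %d)\n",
			s.Errors, s.Warns, s.Unknown, s.Infos, s.Ignored, s.ExitCode(false), s.ExitCode(true))
	}
}
```

Running it shows `stale-lib` reported as a warning under `--year 5` (last commit June 2017, cutoff January 2019) and silent under `--year 7` (cutoff January 2017), while `ignored-lib`, although archived, only appears as info because it is listed in `--ignores`.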
### --disable-cache

When a status result is retrieved from the source code repository, the repository URL is kept in a cache file (`.dep-doctor.yml`). Repository URLs rarely change, so to speed up later runs this cache is consulted on the second and subsequent runs.
With the `--disable-cache` option, this cache is not referenced; the latest source code URL is always retrieved from the package registry.
## GitHub Action

Installs a `dep-doctor` binary for Linux (x86_64) into `/usr/local/bin`. This action runs the install only; the diagnosis itself is a separate step, as below.

```yaml
jobs:
  diagnose:
    name: dep-doctor
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: kyoshidajp/dep-doctor@v1
        with:
          version: v1.3.0 # or latest
      - run: dep-doctor diagnose --package golang --file go.mod
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```
## Author

Katsuhiko YOSHIDA