A high-performance libyear dependency debt analyzer for large scale usage across an entire organization.
To compute the libyears for the package in your current directory, run:
npx depdebt
You can specify the package.json
files to look at on the command-line:
npx depdebt something/package.json
If you have many files to analyze, pipe in a newline delimited list of file paths and pass -
as the filename:
find -name package.json -not -path '*/node_modules/*' | npx depdebt -
depdebt
inspects package.json
files to determine the dependencies to analyze. It compares the actual version of a dependency to the latest version available. The number of years between the actual and latest release dates make up the number of libyears. (See Actual version determination for more details.)
Usage: depdebt [options] [package.json ...]
Options:
-t, --tag-precedence <tag> Tag precedence (default: "latest", allows multiple with left-to-right priority)
-m, --missing <strategy> Missing package strategy (default: "throw", supports "ignore")
-h, --help Show this help
If file names are not supplied on the command line, defaults to "package.json". The special file name "-" instructs depdebt to listens for newline delimited file names from stdin.
Examples:
depdebt
depdebt package.json
depdebt -t lts -t latest package.json
find -name package.json -not -path '*/node_modules/*' | depdebt
depdebt
considers the release tagged with latest
as the desired version. You can specify an ordered list of tags to consider as latest.
If, for instance, you don't like living life on the wild side, you might want to set the precedence to "lts" and then "latest":
depdebt -t lts -t latest
You can tell depdebt
to ignore "not found" errors when retrieving package metadata.
It is useful to ignore "not found" errors for mono-repos. In these cases, the packages are locally-linked, so the dependency cannot be out of date.
To be clear, depdebt
supports private registries out of the box, so this is not a workaround.
You can ignore missing packages by specifying ignore
as the missing package strategy: depdebt -m ignore
.
The final result data includes ignored packages. You can identify ignored packages by looking for a missing: true
field:
depdebt | jq '.packages[].dependencies[] | select(.missing == true)'
{
"name": "@some-org/some-package",
"spec": "^1.0.0",
"libyears": 0,
"missing": true
}
The presence of a lock file influences the "actual" version of a dependency.
If a package-lock.json
file is present, depdebt
uses the version found in the lock file. Otherwise, depdebt
uses the latest version wanted by the version spec in package.json
.
For applications deployed based on the package-lock.json
committed into source control, the package-lock.json
should certainly be used. For libraries that are later installed based on the package.json
file, it's best to use the package.json
version rather than package-lock.json
version.