npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

rodeps

v1.0.8

Published

How rotten are your installed packages?

Downloads

148

Readme

Rodeps npm bundle size

Rotten Dependencies (rodeps)

Rotten Dependencies package analyzes the dependencies tree in the package.json file and reports how outdated they are. It is designed to help maintainers keep their dependencies up-to-date by providing clear, actionable insights into their dependency landscape.

Purpose

The primary purpose of this script is to shift left in the software development lifecycle. By incorporating dependency checks early in the CI/CD pipeline, on operation dashboards, or in day-to-day code checks, teams can proactively manage their dependencies, reducing the risk of security vulnerabilities and ensuring compatibility with the latest features and bug fixes.

Features

  • Detailed reporting: Provides a summary of all dependencies, including the percentage of outdated packages.
  • Zero dependencies: This script is implemented with no external dependencies, relying solely on Node.js built-in modules, ensuring lightweight and fast execution.
  • Verbose and detailed output options: Configure the script to output detailed lists of outdated packages if needed.
  • CI/CD integration: Easily integrate this script into your CI/CD pipelines to automatically check for outdated dependencies with every build.

Usage

Installation

Install it from npmjs.org:

npm i --save-dev rodeps

Or run without installation using npx:

npx rodeps

Options

  • --long: Output a detailed list of outdated packages. This option will be ignored if used with --json.
  • --json: Output in JSON format to the results can be parsed. It takes precedence over --long if used simultaneously.
  • --verbose: Enable verbose output for debugging purposes.

Example:

npx rodeps --verbose --long

CI integrations and automation

To integrate this package into your CI/CD pipeline, you can use --json option and parse the output using jq (or any other tool to work with JSON).

Parsing output

Example of parsing JSON output that returns a percentage of all outdated packages in the analyzed repo:

npx -y rodeps --json | jq '.all.rottenDepsPercentage' # returns integer or float, e.g.: 25.89

Example of parsing table output using awk:

npx -y rodeps | awk -F'[()]*' 'NR==3 { print $2 }' # returns string, percentage of all outdated deps from line 3, e.g.: 25.89%

Github Actions

GitHub Actions workflow example. This workflow installs dependencies, analyzes the repo, and fails run if the percentage of outdated packages is greater or equal to variable RODEPS_THRESHOLD:

name: Rodeps

on:
  push:
    branches: ["main"]
  pull_request:
    branches: ["main"]

jobs:
  rotten-deps:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci --quiet --no-audit --no-fund
      - name: Check outdated dependencies
        run: |
          SCORE=$( -y rodeps --json | jq '.all.rottenDepsPercentage')
          if [ "$(echo "$SCORE <= $RODEPS_THRESHOLD" | bc)" -le 0 ]; then echo "Outdated dependencies $SCORE breach threshold $RODEPS_THRESHOLD"; exit 1; else echo "Outdated dependencies score $SCORE is ok"; fi

CircleCI

CircleCI job example. This workflow installs dependencies, analyzes the repo, and fails run if the percentage of outdated packages is greater or equal to the variable RODEPS_THRESHOLD:

version: 2.1

jobs:
  rotten-deps:
    docker:
      - image: cimg/node:17.2.0
    steps:
      - checkout
      - npm ci
      - run:
          name: Check outdated dependencies
          command: |
            RODEPS_THRESHOLD=50
            SCORE=$(npx -y rodeps --json | jq '.all.rottenDepsPercentage')
            if [ "$(echo "$SCORE <= $RODEPS_THRESHOLD" | bc)" -le 0 ]; then echo "Outdated dependencies $SCORE breach threshold $RODEPS_THRESHOLD"; exit 1; else echo "Outdated dependencies score $SCORE is ok"; fi

workflows:
  my-workflow:
    jobs:
      - rotten-deps

Using rodeps in NPM postinstall hook

It is possible to run rodeps on every install command in the project. In that case after npm install or npm ci command will print the result of outdated dependencies analysis. This can be enabled by adding this script to the package.json file:

"scripts": {
  ...
  "postinstall": "if [ -z $CI ]; then npx -y rodeps; fi"
}

Note if [ -z $CI ]; - checks whether the hook is not executed in a non-continuous integration environment. This is added to reduce the time of install command and eliminate excessive output.

Outputs

Default output

The script outputs a summary of the dependency status, for example:

Rotten deps results for <project-name>@<version>
Dependencies analyzed: 27.
9 (33.33%) of installed packages are outdated.
5 (18.52%) of installed packages have outdated wanted versions.
4 (14.81%) of installed packages have outdated latest versions.
┌──────────────────────┬───────────┬─────────────────┬──────────────────┬─────────────────┬──────────────────┬──────────┬───────────┐
│       (index)        │ installed │ outdated wanted │ rotten wanted, % │ outdated latest │ rotten latest, % │ outdated │ rotten, % │
├──────────────────────┼───────────┼─────────────────┼──────────────────┼─────────────────┼──────────────────┼──────────┼───────────┤
│         all          │    27     │        5        │      18.52       │        4        │      14.81       │    9     │   33.33   │
│     dependencies     │    18     │        2        │      11.11       │        1        │       5.56       │    3     │   16.67   │
│   devDependencies    │     9     │        3        │      33.33       │        3        │      33.33       │    6     │   66.67   │
│ optionalDependencies │     0     │        0        │        0         │        0        │        0         │    0     │     0     │
│   peerDependencies   │     0     │        0        │        0         │        0        │        0         │    0     │     0     │
└──────────────────────┴───────────┴─────────────────┴──────────────────┴─────────────────┴──────────────────┴──────────┴───────────┘

Where:

  • installed - number of installed dependencies in the dependency tree (all) or specific group (dev, optional, etc).
  • outdated wanted - number of outdated dependencies compared to the wanted version, specified in package.json file. In case you have specified which update types your package can accept from dependencies: patch (~), minor (^) or major (*), the current version can be behind the wanted and require an update.
  • rotten wanted - the percentage of rotten (outdated) packages that have the current version older than wanted.
  • outdated latest - number of outdated dependencies compared to the latest version.
  • rotten latest percentage of all rotten (outdated) packages that have the current version older than the latest. This metric is stricter than rotten wanted since the wanted version may be fixed on the patch or minor level that will never allow updating dependency to the latest.
  • outdated
  • rotten - percentage of all rotten (outdated) packages.

If the --long option is used, it will also send to the output a detailed list of outdated packages. In that case, the default output will be extended with the following (for example):

List of outdated dependencies
┌──────────────────┬──────────┬──────────┬──────────┐
│     (index)      │ current  │  wanted  │  latest  │
├──────────────────┼──────────┼──────────┼──────────┤
│ react-router-dom │ '6.23.1' │ '6.25.1' │ '6.25.1' │
│       sass       │ '1.77.5' │ '1.77.8' │ '1.77.8' │
│    web-vitals    │ '2.1.4'  │ '2.1.4'  │ '4.2.2'  │
└──────────────────┴──────────┴──────────┴──────────┘

List of outdated devDependencies
┌─────────────────────────────┬──────────┬──────────┬──────────┐
│           (index)           │ current  │  wanted  │  latest  │
├─────────────────────────────┼──────────┼──────────┼──────────┤
│   @testing-library/react    │ '13.4.0' │ '13.4.0' │ '16.0.0' │
│ @testing-library/user-event │ '13.5.0' │ '13.5.0' │ '14.5.2' │
└─────────────────────────────┴──────────┴──────────┴──────────┘

There can be different tables for each group of dependencies if such a group has outdated packages:

  • dependencies
  • devDependencies
  • optionalDependencies
  • peerDependencies

JSON output

If the --json option is used, it will output the entire report in JSON format, including lists of outdated packages. This option excludes --long and might be useful in CI/CD or automated runs.

Results of --json invoked output can be parsed programmatically or stored in the file for further analysis.

Example of JSON output:

{
  "all": {
    "installed": 27,
    "outdatedWanted": 5,
    "outdatedLatest": 4,
    "outdated": 9,
    "rottenDepsPercentage": 33.33,
    "rottenWantedDepsPercentage": 18.52,
    "rottenLatestDepsPercentage": 14.81
 },
  "dependencies": {
    "installed": 18,
    "outdatedWanted": 2,
    "outdatedLatest": 1,
    "outdated": 3,
    "packages": {
      "react-router-dom": {
        "current": "6.23.1",
        "wanted": "6.25.1",
        "latest": "6.25.1"
 },
      ...
 }
 },
  "devDependencies": {
    "installed": 9,
    "outdatedWanted": 3,
    "outdatedLatest": 3,
    "outdated": 6,
    "packages": {
      "@testing-library/react": {
        "current": "13.4.0",
        "wanted": "13.4.0",
        "latest": "16.0.0"
 },
      ...
 },
  "optionalDependencies": {
    "installed": 0,
    "outdatedWanted": 0,
    "outdatedLatest": 0,
    "outdated": 0,
    "packages": {}
 },
  "peerDependencies": {
    "installed": 0,
    "outdatedWanted": 0,
    "outdatedLatest": 0,
    "outdated": 0,
    "packages": {}
 }
}

Contributing

Contributions are welcome! Please open an issue or submit a pull request with your improvements or bug fixes.

License

This project is licensed under the MIT License. See the LICENSE file for details.