Find abandoned dependencies before they become security nightmares.
A CLI tool that scans your `package.json` (NPM) or `requirements.txt` (Python) to detect software rot - dependencies that are abandoned, poorly maintained, or pose supply chain risks.
`npm audit` and Snyk tell you about known CVEs. They DON'T tell you:

- A library hasn't been updated in 4 years
- 👤 A package has only 1 maintainer (bus factor risk)
- ⚖️ A dependency uses a deprecated license

This is "Software Rot" - a security bomb waiting to explode. 💣
## Quick Start

```bash
# Install globally
npm install -g rot-detector

# Scan your project
rot-detector scan .

# Or use npx (no install)
npx rot-detector scan ./package.json
```

Example output:

```text
🧟 Dependency Rot Detector
Scanned: ./package.json

┌───────────────┬─────────┬───────────────┬─────────────┬───────────┬──────────┐
│ Package       │ Score   │ Last Update   │ Maintainers │ License   │ Status   │
├───────────────┼─────────┼───────────────┼─────────────┼───────────┼──────────┤
│ abandoned-lib │ 🔴 15   │ 4 years ago   │ 1           │ GPL-2.0   │ Critical │
│ old-but-ok    │ 🟡 65   │ 8 months ago  │ 2           │ MIT       │ Warning  │
│ react         │ 🟢 95   │ 2 days ago    │ 15          │ MIT       │ Healthy  │
└───────────────┴─────────┴───────────────┴─────────────┴───────────┴──────────┘

Summary: 🟢 1 Healthy | 🟡 1 Warning | 🔴 1 Critical
```
## Features

| Feature | Description |
|---|---|
| NPM + PyPI Support | Scans `package.json` and `requirements.txt` |
| Health Scoring | 0-100 score based on freshness, maintainers, license |
| 🎨 Beautiful CLI Output | Color-coded risk indicators |
| JSON Export | `--json` flag for CI/CD integration |
| ⚡ GitHub Integration | Optional enhanced repo analysis |
| 🚨 Threshold Checks | Fail builds if score drops below threshold |
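To make the "scans `package.json` and `requirements.txt`" step concrete, here is an added example (not the rot-detector project's own code) of parsers for the two manifest formats, producing the list of dependency names and version specifiers a scanner would then look up in the registry. The function names, the `includeDev` option (the equivalent of `--dev`), the decision to skip pip option lines and direct URL references, and the sample manifests are all assumptions constructed for this example.

```javascript
// Added example, not the rot-detector project's own code: parsers for the two
// manifest formats the tool scans. Function names and the handling of pip
// option lines are assumptions; the sample manifests below are constructed.

// package.json: dependencies, plus devDependencies when includeDev is set
// (the equivalent of the --dev option).
function parsePackageJson(text, { includeDev = false } = {}) {
  const manifest = JSON.parse(text);
  const sections = includeDev ? ["dependencies", "devDependencies"] : ["dependencies"];
  const deps = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      deps.push({ ecosystem: "npm", name, spec, dev: section === "devDependencies" });
    }
  }
  return deps;
}

// One requirement line: name, optional [extras], optional version specifier.
// Anything after ';' (environment marker) or '#' is not part of the specifier.
const REQ_LINE = /^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*([<>=!~]=?[^;#]*)?/;

// requirements.txt: one requirement per line; comments, pip options
// (-r, -e, --index-url, ...) and direct URL references are skipped here.
function parseRequirementsTxt(text) {
  const deps = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/(^|\s)#.*$/, "").trim(); // drop comments
    if (!line) continue;
    if (line.startsWith("-")) continue;                // pip option line
    if (/^(https?:|git\+|file:)/.test(line)) continue; // URL reference, not a registry name
    const m = REQ_LINE.exec(line);
    if (!m) continue;
    deps.push({
      ecosystem: "pypi",
      // PEP 503 normalisation: lowercase, runs of '-', '_' and '.' become '-'
      name: m[1].toLowerCase().replace(/[-_.]+/g, "-"),
      extras: m[2] ? m[2].slice(1, -1).split(",").map((s) => s.trim()).filter(Boolean) : [],
      spec: (m[3] || "").trim(),
    });
  }
  return deps;
}

// Dispatch on the manifest file name, as a `scan <path>` command would.
function parseManifest(filename, text, options = {}) {
  const base = filename.split(/[\\/]/).pop();
  if (base === "package.json") return parsePackageJson(text, options);
  if (base === "requirements.txt") return parseRequirementsTxt(text);
  throw new Error(`unsupported manifest: ${filename}`);
}

// Constructed sample manifests.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "demo-app",
  dependencies: { express: "^4.18.2", lodash: "4.17.21" },
  devDependencies: { jest: "^29.0.0" },
});

const SAMPLE_REQUIREMENTS = [
  "# constructed sample requirements.txt",
  "requests>=2.28,<3   # HTTP client",
  "Django==4.2.7",
  "python-dateutil",
  "PyYAML~=6.0",
  'uvicorn[standard]==0.23.2 ; python_version >= "3.8"',
  "-r extra-requirements.txt",
  "-e .",
  "git+https://example.invalid/some/repo.git#egg=thing",
].join("\n");

console.log(parseManifest("./demo/package.json", SAMPLE_PACKAGE_JSON, { includeDev: true }));
console.log(parseManifest("./demo/requirements.txt", SAMPLE_REQUIREMENTS));
```

The PEP 503 normalisation matters for the later registry lookup: `PyYAML` and `pyyaml` are the same PyPI project, and a scanner that compares raw names would miss the match.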
## Usage

```text
rot-detector scan [path] [options]

Options:
  --json                Output results as JSON
  --threshold <score>   Fail if any dependency scores below threshold
  --github-token <tok>  GitHub token for enhanced repo analysis
  --no-github           Skip GitHub analysis (faster)
  --dev                 Include devDependencies
  -v, --verbose         Verbose output
```

## Health Scoring

Each dependency is scored 0-100 based on:
| Factor | Weight | Scoring |
|---|---|---|
| Freshness | 40% | < 6 months = 100, > 3 years = 5 |
| Maintainers | 30% | 5+ = 100, 1 = 40, 0 = 10 |
| License | 30% | OSI approved = 100, Unknown = 60 |

- 🟢 Healthy (80-100): Well maintained, safe to use
- 🟡 Warning (50-79): Review recommended
- 🔴 Critical (0-49): Replace immediately!
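As an added example, not the rot-detector project's own scoring code, the following re-implements the model described above so the numbers can be checked by hand. The weights (40/30/30), the end points of each factor and the status bands are taken from the tables above; the linear interpolation between those end points, the step for 2-4 maintainers, the list of "OSI approved" licenses and the sample package metadata are assumptions, so the scores will not necessarily match the tool's own output for the same packages.

```javascript
// Added example, not the rot-detector project's own code: a small
// re-implementation of the README's scoring model. Weights, end points and
// status bands are from the README; interpolation and the OSI list are assumptions.

const WEIGHTS = { freshness: 0.4, maintainers: 0.3, license: 0.3 };
const DAY_MS = 24 * 60 * 60 * 1000;
const SIX_MONTHS = 182;   // days
const THREE_YEARS = 1095; // days

// Assumed subset of OSI-approved SPDX identifiers; extend as needed.
const OSI_APPROVED = new Set([
  "MIT", "ISC", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause",
  "GPL-2.0", "GPL-3.0", "LGPL-2.1", "LGPL-3.0", "MPL-2.0",
]);

// Freshness: < 6 months -> 100, > 3 years -> 5, linear in between (assumption).
function freshnessScore(lastPublished, now) {
  const days = Math.floor((now - lastPublished) / DAY_MS);
  if (days <= SIX_MONTHS) return 100;
  if (days >= THREE_YEARS) return 5;
  return 100 - ((days - SIX_MONTHS) / (THREE_YEARS - SIX_MONTHS)) * 95;
}

// Maintainers: 0 -> 10, 1 -> 40, 5+ -> 100; 2..4 step up by 15 each (assumption).
function maintainerScore(count) {
  if (count <= 0) return 10;
  if (count >= 5) return 100;
  return 40 + (count - 1) * 15;
}

// License: OSI approved -> 100; unknown, missing or not in the list -> 60 (assumption).
function licenseScore(license) {
  return license && OSI_APPROVED.has(license) ? 100 : 60;
}

function classify(score) {
  if (score >= 80) return "Healthy";
  if (score >= 50) return "Warning";
  return "Critical";
}

// dep: { name, lastPublished (ISO date), maintainers (number), license (SPDX id or undefined) }
function scoreDependency(dep, now = new Date()) {
  const freshness = freshnessScore(new Date(dep.lastPublished), now);
  const maintainers = maintainerScore(dep.maintainers);
  const license = licenseScore(dep.license);
  const score = Math.round(
    WEIGHTS.freshness * freshness +
    WEIGHTS.maintainers * maintainers +
    WEIGHTS.license * license
  );
  return { name: dep.name, score, status: classify(score),
           factors: { freshness: Math.round(freshness), maintainers, license } };
}

// Names of dependencies below the threshold; a CI gate fails when this is non-empty.
function belowThreshold(results, threshold) {
  return results.filter((r) => r.score < threshold).map((r) => r.name);
}

function summarize(results) {
  const counts = { Healthy: 0, Warning: 0, Critical: 0 };
  for (const r of results) counts[r.status] += 1;
  return counts;
}

// Constructed sample metadata (the shape a registry lookup would return), scored at a fixed date.
const SAMPLE_NOW = new Date("2025-01-01");
const SAMPLE_DEPS = [
  { name: "stale-parser",   lastPublished: "2020-11-15", maintainers: 1,  license: "GPL-2.0" },
  { name: "steady-utils",   lastPublished: "2023-03-01", maintainers: 2,  license: "MIT" },
  { name: "busy-framework", lastPublished: "2024-12-20", maintainers: 12, license: "MIT" },
  { name: "mystery-lib",    lastPublished: "2024-10-01", maintainers: 0,  license: undefined },
];

function scanSample(threshold = 50) {
  const results = SAMPLE_DEPS.map((d) => scoreDependency(d, SAMPLE_NOW));
  return { results, summary: summarize(results), failing: belowThreshold(results, threshold) };
}

console.log(JSON.stringify(scanSample(50), null, 2));
```

Note how the weighting behaves: a package that has not been published for three years but carries a permissive license still collects the full 30 license points, so it lands at 44 (Critical) rather than near zero, and a fresh package with no listed maintainers and no license field sits at 61 (Warning). Whatever threshold a build gate uses should be chosen with those floor values in mind.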
## CI/CD Integration

GitHub Actions:

```yaml
name: Dependency Health Check
on: [push, pull_request]
jobs:
  rot-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '18'
      - name: Check for dependency rot
        run: npx rot-detector scan --threshold 50
```

Pre-commit hook (Husky):

```bash
# .husky/pre-commit
npx rot-detector scan --threshold 60
```

## Development

```bash
# Clone the repo
git clone https://github.com/notsointresting/rot-detector.git
cd rot-detector

# Install dependencies
npm install

# Run in development mode
npm run dev -- scan ./sample/package.json

# Build for production
npm run build

# Run tests
npm test
```

## Contributing

Contributions are welcome! Feel free to:

- Report bugs
- 💡 Suggest features
- Submit pull requests
## License

MIT © notsointresting

Made with 🧟 by developers who got burned by abandoned dependencies