Dependency Doctor
Comprehensive dependency health analysis and upgrade planning.
Core Workflow
-
Scan manifests: Analyze package.json, requirements.txt, Cargo.toml, go.mod, etc.
-
Check versions: Identify outdated packages against latest stable versions
-
Detect issues: Find duplicates, security vulnerabilities, deprecated packages, heavy bundles
-
Assess risk: Evaluate breaking changes and version compatibility
-
Prioritize: Rank issues by severity (security > performance > maintenance)
-
Generate upgrade path: Create safe, incremental update plan
-
Recommend pins: Suggest version constraints to avoid future issues
Analysis Categories
Security Issues (Critical)
-
Known CVEs in dependencies
-
Unmaintained packages (no updates >2 years)
-
Packages with security advisories
-
Transitive dependency vulnerabilities
Outdated Packages (High)
-
Major versions behind (breaking changes)
-
Minor versions behind (new features)
-
Patch versions behind (bug fixes)
Duplicate Dependencies (Medium)
-
Multiple versions of same package
-
Overlapping functionality (lodash + underscore)
-
Can be deduplicated
Heavy Dependencies (Medium)
-
Large bundle sizes (>500KB)
-
Unnecessary peer dependencies
-
Better alternatives available
Risky Combinations (Medium)
-
Known incompatible version pairs
-
Conflicting peer dependencies
-
Framework version mismatches
Report Structure
Dependency Audit Report
🔴 Critical Security Issues (2)
- axios@0.21.0 → CVE-2021-3749 → Upgrade to 1.6.0+
- lodash@4.17.15 → Prototype pollution → Upgrade to 4.17.21+
🟡 High Priority Updates (5)
- react@17.0.2 → 18.2.0 (major, breaking changes)
- next@12.0.0 → 14.1.0 (major, new features)
🟢 Maintenance Updates (8)
- typescript@4.9.0 → 5.3.3 (patch improvements)
📦 Duplicates Found (3)
- moment: 2.29.1, 2.30.0 → Deduplicate to 2.30.0
- @types/node: 18.0.0, 20.0.0 → Align to 20.0.0
🏋️ Heavy Dependencies (2)
- moment (232KB) → Consider date-fns (12KB)
- lodash (full) → Consider lodash-es or specific imports
Upgrade Path
Phase 1: Security (Do First)
npm update axios lodash
npm audit fix
Phase 2: Major Frameworks (Test Thoroughly)
npm install react@18 react-dom@18 npm install next@14
Run full test suite
Phase 3: Minor Updates (Low Risk)
npm update
Safe Pin Recommendations
{ "axios": "^1.6.0", "react": "^18.2.0", "typescript": "~5.3.0" }
Package Manager Commands
npm
- Audit:
npm audit - Outdated:
npm outdated - Dedupe:
npm dedupe - Update:
npm update [package]
yarn
- Audit:
yarn audit - Outdated:
yarn outdated - Dedupe:
yarn dedupe - Upgrade:
yarn upgrade [package]
pnpm
- Audit:
pnpm audit - Outdated:
pnpm outdated - Dedupe:
pnpm dedupe - Update:
pnpm update [package]
pip
- Outdated:
pip list --outdated - Update:
pip install --upgrade [package] - Security:
pip-auditorsafety check
Upgrade Best Practices
- Backup first: Commit current state or create branch
- Read changelogs: Check for breaking changes
- Update incrementally: One major version at a time
- Test thoroughly: Run full test suite after each update
- Check peer deps: Ensure compatibility
- Lock files: Commit updated lock files
- Monitor: Watch for runtime issues after deployment
Version Pinning Strategy
- Exact:
1.2.3- Only for problematic packages - Patch:
~1.2.3- Safe updates (1.2.x) - Minor:
^1.2.3- Most common (1.x.x) - Range:
>=1.2.3 <2.0.0- Explicit bounds
References
See references/common-issues.md for known problematic package combinations and migration guides.