{"id":48355713,"url":"https://github.com/mpiton/zed-dependi","last_synced_at":"2026-04-05T11:04:53.348Z","repository":{"id":328466215,"uuid":"1115656394","full_name":"mpiton/zed-dependi","owner":"mpiton","description":"Dependi extension for the Zed editor — manage and update dependencies inline","archived":false,"fork":false,"pushed_at":"2026-03-23T16:44:40.000Z","size":12004,"stargazers_count":17,"open_issues_count":1,"forks_count":3,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-24T05:27:10.483Z","etag":null,"topics":["dependi","rust","zed","zed-extension"],"latest_commit_sha":null,"homepage":"https://mpiton.github.io/zed-dependi/","language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mpiton.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-12-13T09:32:42.000Z","updated_at":"2026-03-23T16:44:44.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/mpiton/zed-dependi","commit_stats":null,"previous_names":["mpiton/zed-dependi"],"tags_count":18,"template":false,"template_full_name":null,"purl":"pkg:github/mpiton/zed-dependi","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mpiton%2Fzed-dependi","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mpiton%2Fzed-dependi/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mpiton%2Fzed-dependi/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mpiton%2Fzed-dependi/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mpiton","download_url":"https://codeload.github.com/mpiton/zed-dependi/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mpiton%2Fzed-dependi/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31433044,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-05T08:13:15.228Z","status":"ssl_error","status_checked_at":"2026-04-05T08:13:11.839Z","response_time":75,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dependi","rust","zed","zed-extension"],"created_at":"2026-04-05T11:04:52.715Z","updated_at":"2026-04-05T11:04:53.274Z","avatar_url":"https://github.com/mpiton.png","language":"HTML","funding_links":[],"categories":["📦 Other"],"sub_categories":[],"readme":"# Dependi for Zed\n\n[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)\n[![Documentation](https://img.shields.io/badge/docs-latest-blue.svg)](https://mpiton.github.io/zed-dependi/)\n[![GitHub CI](https://github.com/mpiton/zed-dependi/actions/workflows/ci.yml/badge.svg)](https://github.com/mpiton/zed-dependi/actions/workflows/ci.yml)\n[![GitHub release](https://img.shields.io/github/v/release/mpiton/zed-dependi)](https://github.com/mpiton/zed-dependi/releases)\n[![Issues](https://img.shields.io/github/issues-raw/mpiton/zed-dependi)](https://github.com/mpiton/zed-dependi/issues)\n[![Pull Requests](https://img.shields.io/github/issues-pr-raw/mpiton/zed-dependi)](https://github.com/mpiton/zed-dependi/pulls)\n[![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-2.1-4baaaa.svg)](CODE_OF_CONDUCT.md)\n\nDependency management extension for the [Zed](https://zed.dev) editor.\n\n**Version:** 1.6.1\n\n![Demo](docs/demo.gif)\n\n📚 **Documentation**: [Full documentation available here](https://mpiton.github.io/zed-dependi/)\n\n## Features\n\n- **Inlay Hints**: See latest versions inline next to your dependencies\n  - `✓` - Version is up to date\n  - `-\u003e X.Y.Z` - Update available\n  - `⚠ N vulns` - Vulnerabilities detected\n  - `⚠ Deprecated` - Package is deprecated\n  - `⊘ Yanked` - Version has been yanked\n  - `→ Local` - Local/path dependency\n  - `? Unknown` - Could not fetch version info\n- **Vulnerability Scanning**: Real-time security scanning via OSV.dev\n  - CVE details in hover tooltips\n  - Severity indicators: `⚠ CRITICAL`, `▲ HIGH`, `● MEDIUM`, `○ LOW`\n  - Severity-based diagnostics (Critical/High → ERROR, Medium → WARNING, Low → HINT)\n  - Generate JSON/Markdown vulnerability reports\n- **Diagnostics**: Outdated dependencies are highlighted with hints\n- **Code Actions**: Quick fix to update dependencies with semver-aware labels\n  - `⚠ MAJOR`: Breaking changes (not auto-preferred)\n  - `+ minor`: New features\n  - `· patch`: Bug fixes\n  - `* prerelease`: Experimental versions\n- **Hover Info**: Package descriptions, licenses, and links\n- **Autocompletion**: Version suggestions when editing dependencies\n- **Persistent Cache**: SQLite cache for faster startup across sessions\n- **Configurable**: Enable/disable features, ignore packages, adjust TTL\n\n## Supported Languages\n\n| Language | File | Registry | Status |\n|----------|------|----------|--------|\n| Rust | `Cargo.toml` | crates.io + alternative registries | ✅ |\n| JavaScript/TypeScript | `package.json` | npm | ✅ |\n| Python | `requirements.txt`, `constraints.txt`, `pyproject.toml` | PyPI | ✅ |\n| Go | `go.mod` | proxy.golang.org | ✅ |\n| PHP | `composer.json` | Packagist | ✅ |\n| Dart/Flutter | `pubspec.yaml` | pub.dev | ✅ |\n| C#/.NET | `*.csproj` | NuGet | ✅ |\n| Ruby | `Gemfile` | RubyGems.org | ✅ |\n\n## Installation\n\n### From Zed Extensions\n\n1. Open Zed editor\n2. Press `Cmd+Shift+P` (Mac) or `Ctrl+Shift+P` (Linux/Windows)\n3. Type \"extensions\" and select `zed: extensions`\n4. Search for \"Dependi\"\n5. Click Install\n\nThe extension will automatically download and install the language server.\n\n### Manual Installation (Development)\n\n1. Clone this repository\n2. Build the LSP and extension:\n\n```bash\n# Build the LSP\ncd dependi-lsp\ncargo build --release\n\n# Build the extension\ncd ../dependi-zed\ncargo build --release --target wasm32-wasip1\n```\n\n3. In Zed, run `zed: install dev extension` and select the `dependi-zed` directory\n\n## Project Structure\n\n```\nzed-dependi/\n├── dependi-lsp/           # Language Server (Rust binary)\n│   ├── src/\n│   │   ├── main.rs        # Entry point\n│   │   ├── lib.rs         # Library exports\n│   │   ├── backend.rs     # LSP implementation\n│   │   ├── config.rs      # Configuration management\n│   │   ├── document.rs    # Document/text utilities\n│   │   ├── file_types.rs  # File type detection\n│   │   ├── reports.rs     # Vulnerability report generation\n│   │   ├── utils.rs       # Shared utilities\n│   │   ├── auth/          # Registry authentication\n│   │   ├── parsers/       # Dependency file parsers\n│   │   │   ├── cargo.rs   # Cargo.toml parser\n│   │   │   ├── cargo_lock.rs # Cargo.lock lockfile\n│   │   │   ├── npm.rs     # package.json parser\n│   │   │   ├── npm_lock.rs # package-lock.json, yarn.lock, pnpm-lock.yaml, bun.lock\n│   │   │   ├── python.rs  # requirements.txt, constraints.txt, pyproject.toml\n│   │   │   ├── python_lock.rs # poetry.lock, uv.lock, pdm.lock, Pipfile.lock\n│   │   │   ├── go.rs      # go.mod parser\n│   │   │   ├── go_sum.rs  # go.sum lockfile\n│   │   │   ├── php.rs     # composer.json parser\n│   │   │   ├── composer_lock.rs # composer.lock lockfile\n│   │   │   ├── ruby.rs    # Gemfile parser\n│   │   │   ├── gemfile_lock.rs # Gemfile.lock lockfile\n│   │   │   ├── dart.rs    # pubspec.yaml parser\n│   │   │   ├── pubspec_lock.rs # pubspec.lock lockfile\n│   │   │   ├── csharp.rs  # *.csproj parser\n│   │   │   └── packages_lock_json.rs # packages.lock.json lockfile\n│   │   ├── registries/    # Package registry clients\n│   │   │   ├── crates_io.rs    # crates.io API\n│   │   │   ├── cargo_sparse.rs # Cargo alternative registries (sparse index)\n│   │   │   ├── npm.rs          # npm registry\n│   │   │   ├── pypi.rs         # PyPI registry\n│   │   │   ├── go_proxy.rs     # Go module proxy\n│   │   │   ├── packagist.rs    # Packagist (PHP)\n│   │   │   ├── pub_dev.rs      # pub.dev (Dart)\n│   │   │   ├── nuget.rs        # NuGet (.NET)\n│   │   │   ├── rubygems.rs     # RubyGems\n│   │   │   ├── http_client.rs  # Shared HTTP client\n│   │   │   └── version_utils.rs # Shared version utilities\n│   │   ├── providers/     # LSP feature providers\n│   │   │   ├── inlay_hints.rs\n│   │   │   ├── diagnostics.rs\n│   │   │   ├── code_actions.rs\n│   │   │   ├── completion.rs\n│   │   │   └── document_links.rs # Clickable dependency links\n│   │   ├── cache/         # Caching layer\n│   │   │   ├── mod.rs     # Memory + hybrid cache\n│   │   │   └── sqlite.rs  # SQLite persistent cache\n│   │   └── vulnerabilities/ # Security scanning via OSV\n│   └── tests/             # Integration tests\n├── dependi-zed/           # Zed Extension (WASM)\n│   ├── extension.toml\n│   └── src/lib.rs\n└── .github/workflows/     # CI/CD\n    ├── ci.yml             # Build \u0026 test\n    └── release.yml        # Release binaries\n```\n\n## Development\n\n### Prerequisites\n\n- Rust 1.94+ (edition 2024)\n- `wasm32-wasip1` target: `rustup target add wasm32-wasip1`\n\n### Building\n\n```bash\n# Build LSP (release)\ncd dependi-lsp\ncargo build --release\n\n# Run tests\ncargo test\n\n# Build extension\ncd ../dependi-zed\ncargo build --release --target wasm32-wasip1\n```\n\n### Testing\n\n```bash\n# Run all tests\ncd dependi-lsp\ncargo test\n\n# Run specific test modules\ncargo test parsers::cargo\ncargo test parsers::python\ncargo test parsers::go\ncargo test registries\ncargo test providers\n```\n\n### Debugging\n\n```bash\n# Run LSP with debug logs\ncd dependi-lsp\nRUST_LOG=debug cargo run\n\n# View Zed logs\nzed --foreground\n```\n\n## Configuration\n\nConfigure Dependi in your Zed `settings.json`:\n\n```json\n{\n  \"lsp\": {\n    \"dependi\": {\n      \"initialization_options\": {\n        \"inlay_hints\": {\n          \"enabled\": true,\n          \"show_up_to_date\": true\n        },\n        \"diagnostics\": {\n          \"enabled\": true\n        },\n        \"cache\": {\n          \"ttl_secs\": 3600\n        },\n        \"security\": {\n          \"enabled\": true,\n          \"show_in_hints\": true,\n          \"show_diagnostics\": true,\n          \"min_severity\": \"low\"\n        },\n        \"ignore\": [\"internal-*\", \"test-pkg\"]\n      }\n    }\n  }\n}\n```\n\n### Configuration Options\n\n| Option | Type | Default | Description |\n|--------|------|---------|-------------|\n| `inlay_hints.enabled` | bool | `true` | Enable/disable inlay hints |\n| `inlay_hints.show_up_to_date` | bool | `true` | Show hints for up-to-date packages |\n| `diagnostics.enabled` | bool | `true` | Enable/disable diagnostics |\n| `cache.ttl_secs` | number | `3600` | Cache TTL in seconds (1 hour) |\n| `cache.debounce_ms` | number | `200` | Debounce delay for file change notifications (ms) |\n| `ignore` | string[] | `[]` | Package names/patterns to ignore |\n| `security.enabled` | bool | `true` | Enable/disable vulnerability scanning |\n| `security.show_in_hints` | bool | `true` | Show vulnerability count in inlay hints |\n| `security.show_diagnostics` | bool | `true` | Show vulnerability diagnostics |\n| `security.min_severity` | string | `\"low\"` | Minimum severity to report (low/medium/high/critical) |\n| `security.cache_ttl_secs` | number | `21600` | Vulnerability cache TTL in seconds (6 hours) |\n\n### Private Registries\n\nDependi supports custom registries for enterprise environments.\n\n#### Cargo Alternative Registries\n\nQuery private Cargo registries (Kellnr, Cloudsmith, Artifactory, etc.) alongside crates.io:\n\n```json\n{\n  \"lsp\": {\n    \"dependi\": {\n      \"initialization_options\": {\n        \"registries\": {\n          \"cargo\": {\n            \"registries\": {\n              \"my-registry\": {\n                \"index_url\": \"https://my-registry.example.com/api/v1/crates\",\n                \"auth\": {\n                  \"type\": \"env\",\n                  \"variable\": \"MY_REGISTRY_TOKEN\"\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n```\n\nThen in your `Cargo.toml`, use the `registry` field:\n\n```toml\n[dependencies]\nmy-crate = { version = \"0.1.0\", registry = \"my-registry\" }\nserde = \"1.0\"  # still fetched from crates.io\n```\n\n**Key points:**\n- The `index_url` is the sparse index URL (without the `sparse+` prefix)\n- Authentication can be configured via LSP settings or falls back to `~/.cargo/credentials.toml`\n- Dependencies without a `registry` field are fetched from crates.io as usual\n\n#### npm Scoped Registries\n\nConfigure scoped registries to use private npm packages alongside public ones:\n\n```json\n{\n  \"lsp\": {\n    \"dependi\": {\n      \"initialization_options\": {\n        \"registries\": {\n          \"npm\": {\n            \"url\": \"https://registry.npmjs.org\",\n            \"scoped\": {\n              \"company\": {\n                \"url\": \"https://npm.company.com\",\n                \"auth\": {\n                  \"type\": \"env\",\n                  \"variable\": \"COMPANY_NPM_TOKEN\"\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n```\n\n**Key points:**\n- Scope names don't include the `@` prefix (use `\"company\"` not `\"@company\"`)\n- Authentication tokens are read from environment variables (never hardcoded)\n- Auth headers are only sent over HTTPS\n\nFor detailed configuration including supported registry types, authentication setup, and troubleshooting, see the [Private Registries Guide](docs/private-registries.md).\n\n## CI/CD Integration\n\nThe dependi-lsp provides a standalone CLI scan command for integrating vulnerability scanning into your CI/CD pipelines.\n\n### CLI Scan Command\n\n```bash\ndependi-lsp scan --file \u003cpath\u003e [options]\n```\n\n#### Options\n\n| Option | Short | Default | Description |\n|--------|-------|---------|-------------|\n| `--file \u003cpath\u003e` | `-f` | required | Path to dependency file to scan |\n| `--output \u003cformat\u003e` | `-o` | `summary` | Output format: `summary`, `json`, `markdown` |\n| `--min-severity \u003clevel\u003e` | `-m` | `low` | Minimum severity to report: `low`, `medium`, `high`, `critical` |\n| `--fail-on-vulns` | | `true` | Exit with code 1 if vulnerabilities are found |\n\n#### Supported Files\n\n- Rust: `Cargo.toml`\n- JavaScript/TypeScript: `package.json`\n- Python: `requirements.txt`, `constraints.txt`, `pyproject.toml`\n- Go: `go.mod`\n- PHP: `composer.json`\n- Dart/Flutter: `pubspec.yaml`\n- C#/.NET: `*.csproj`\n\n#### Exit Codes\n\n| Code | Meaning |\n|------|---------|\n| `0` | Success - no vulnerabilities found (or `--fail-on-vulns=false`) |\n| `1` | Failure - vulnerabilities found, file error, or network error |\n\n### Output Examples\n\n#### Summary Output (default)\n\n```bash\ndependi-lsp scan --file Cargo.toml\n```\n\n```\nVulnerability Scan Results for Cargo.toml\n\n  ⚠ Critical: 0\n  ▲ High:     1\n  ● Medium:   2\n  ○ Low:      0\n  ─────────────\n  Total:      3\n\n⚠ 3 vulnerabilities found!\n```\n\n#### JSON Output\n\n```bash\ndependi-lsp scan --file Cargo.toml --output json\n```\n\n```json\n{\n  \"file\": \"Cargo.toml\",\n  \"summary\": {\n    \"total\": 3,\n    \"critical\": 0,\n    \"high\": 1,\n    \"medium\": 2,\n    \"low\": 0\n  },\n  \"vulnerabilities\": [\n    {\n      \"package\": \"tokio\",\n      \"version\": \"1.35.0\",\n      \"id\": \"RUSTSEC-2024-0001\",\n      \"severity\": \"high\",\n      \"description\": \"Race condition in tokio::time\",\n      \"url\": \"https://rustsec.org/advisories/RUSTSEC-2024-0001\"\n    }\n  ]\n}\n```\n\n#### Markdown Output\n\n```bash\ndependi-lsp scan --file Cargo.toml --output markdown\n```\n\nGenerates a formatted report with severity table and detailed vulnerability listings.\n\n### CI/CD Pipeline Examples\n\n#### GitHub Actions\n\nCreate `.github/workflows/security-scan.yml`:\n\n```yaml\nname: Security Scan\n\non:\n  push:\n    branches: [main]\n  pull_request:\n    branches: [main]\n\njobs:\n  scan:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n\n      - name: Install Rust\n        uses: dtolnay/rust-toolchain@stable\n\n      - name: Install dependi-lsp\n        run: cargo install --git https://github.com/mpiton/zed-dependi --bin dependi-lsp\n\n      - name: Scan dependencies\n        run: dependi-lsp scan --file Cargo.toml --min-severity high\n\n      - name: Generate report\n        if: always()\n        run: |\n          dependi-lsp scan --file Cargo.toml --output markdown \u003e security-report.md\n\n      - name: Upload report\n        if: always()\n        uses: actions/upload-artifact@v4\n        with:\n          name: security-report\n          path: security-report.md\n```\n\n#### GitLab CI\n\nAdd to `.gitlab-ci.yml`:\n\n```yaml\nsecurity-scan:\n  stage: test\n  image: rust:latest\n  script:\n    - cargo install --git https://github.com/mpiton/zed-dependi --bin dependi-lsp\n    - dependi-lsp scan --file Cargo.toml --min-severity high\n  artifacts:\n    when: always\n    paths:\n      - security-report.md\n    reports:\n      sast: security-report.json\n  allow_failure: false\n```\n\n### Best Practices\n\n1. **Block on High/Critical**: Use `--min-severity high` to fail builds only on serious vulnerabilities\n2. **Generate Reports**: Use `--output markdown` or `--output json` for audit trails\n3. **Scheduled Scans**: Run daily scans to catch newly disclosed vulnerabilities\n4. **Multiple Files**: Scan all dependency files in monorepos\n\n## How It Works\n\n1. When you open a dependency file, the LSP parses it to extract dependencies\n2. For each dependency, it queries the appropriate registry\n3. Version information is cached (memory + SQLite) to avoid repeated network requests\n4. Inlay hints show whether each dependency is up-to-date or has updates available\n5. Diagnostics highlight outdated dependencies\n6. Code actions allow quick updates to the latest version\n7. Hovering over a dependency shows detailed package information\n\n## Architecture\n\n```\n┌─────────────────────────────────────────────────────────────┐\n│                         Zed Editor                          │\n├─────────────────────────────────────────────────────────────┤\n│                    dependi-zed (WASM)                       │\n│  - Downloads and launches the LSP binary                    │\n└─────────────────────────────────────────────────────────────┘\n                              │ stdio (JSON-RPC)\n                              ▼\n┌─────────────────────────────────────────────────────────────┐\n│                   dependi-lsp (Binary)                      │\n├─────────────────────────────────────────────────────────────┤\n│  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐      │\n│  │   Parsers    │  │  Providers   │  │  Registries  │      │\n│  ├──────────────┤  ├──────────────┤  ├──────────────┤      │\n│  │ • Cargo.toml │  │ • Inlay Hints│  │ • crates.io  │      │\n│  │ • package.json│ │ • Diagnostics│  │ • Cargo alt  │      │\n│  │ • requirements│ │ • Code Action│  │ • npm        │      │\n│  │ • constraints│  │ • Completion │  │ • PyPI       │      │\n│  │ • pyproject  │  │ • Hover      │  │ • Go Proxy   │      │\n│  │ • go.mod     │  │ • Doc Links  │  │ • Packagist  │      │\n│  │ • composer   │  └──────────────┘  │ • pub.dev    │      │\n│  │ • pubspec    │                    │ • NuGet      │      │\n│  │ • *.csproj   │                    │ • RubyGems   │      │\n│  │ • Gemfile    │                    └──────────────┘      │\n│  └──────────────┘                                           │\n│                                                             │\n│  ┌──────────────────────────────────────────────────────┐  │\n│  │                    Cache Layer                        │  │\n│  │  • Memory cache (fast access)                        │  │\n│  │  • SQLite cache (persistent, ~/.cache/dependi/)      │  │\n│  └──────────────────────────────────────────────────────┘  │\n└─────────────────────────────────────────────────────────────┘\n```\n\n## Troubleshooting\n\n### LSP Server Not Starting\n\n**Symptoms:**\n- No inlay hints or diagnostics appear\n- No completions for dependency versions\n- Extension seems inactive\n\n**Solutions:**\n1. Check Zed's extension panel to verify Dependi is installed and enabled\n2. View Zed logs for errors: run `zed --foreground` from terminal\n3. Reinstall the extension from Zed Extensions marketplace\n4. Check if firewall/proxy is blocking network requests to package registries\n\n### LSP Server Crashes or Freezes\n\n**Symptoms:**\n- Editor becomes unresponsive when opening dependency files\n- LSP process repeatedly restarts\n- High memory usage\n\n**Solutions:**\n1. Clear the cache directory and restart Zed:\n   ```bash\n   # Linux\n   rm -rf ~/.cache/dependi/\n\n   # macOS\n   rm -rf ~/Library/Caches/dependi/\n\n   # Windows\n   rmdir /s %LOCALAPPDATA%\\dependi\n   ```\n2. Update to the latest Dependi version\n3. Check if the issue occurs with a specific dependency file\n4. File a bug report with reproduction steps\n\n### Outdated Cache Data\n\n**Symptoms:**\n- Recently published packages not showing as latest\n- Old version information displayed\n- Known updates not appearing\n\n**Solutions:**\n1. Cache automatically refreshes after 1 hour (default TTL)\n2. Clear cache manually to force refresh:\n   ```bash\n   rm -rf ~/.cache/dependi/\n   ```\n3. Restart Zed after clearing cache\n4. Verify the registry is accessible (try visiting crates.io, npmjs.com, etc.)\n\n### Registry Rate Limiting\n\n**Symptoms:**\n- Intermittent failures fetching package info\n- `? Unknown` hints appearing temporarily\n- Slow responses when opening files\n\n**Solutions:**\n1. Wait a few minutes for rate limits to reset\n2. The cache reduces API calls - avoid clearing cache unnecessarily\n3. For npm, consider setting up authentication (see registry documentation)\n4. Large monorepos may trigger rate limits - be patient on first load\n\n### Network/Proxy Issues\n\n**Symptoms:**\n- All package lookups failing\n- Timeout errors in logs\n- Works on some networks but not others\n\n**Solutions:**\n1. Configure system proxy settings (Dependi uses system proxy)\n2. Ensure registry URLs are allowed through corporate firewall:\n   - `https://crates.io`\n   - `https://registry.npmjs.org`\n   - `https://pypi.org`\n   - `https://proxy.golang.org`\n   - `https://packagist.org`\n   - `https://pub.dev`\n   - `https://api.nuget.org`\n   - `https://rubygems.org`\n   - `https://api.osv.dev` (vulnerability scanning)\n3. Check DNS resolution for registry domains\n4. Try temporarily disabling VPN if using one\n\n### Configuration Not Applying\n\n**Symptoms:**\n- Custom settings in `settings.json` are ignored\n- Default behavior despite configuration changes\n\n**Solutions:**\n1. Verify JSON syntax is valid in `settings.json`\n2. Ensure settings are under the correct path:\n   ```json\n   {\n     \"lsp\": {\n       \"dependi\": {\n         \"initialization_options\": {\n           // your settings here\n         }\n       }\n     }\n   }\n   ```\n3. Restart Zed after configuration changes\n4. Check for typos in setting names (see Configuration Options table above)\n\n## FAQ\n\n### How does the cache work?\n\nDependi uses a hybrid caching system:\n- **Memory cache**: Fast access during the current session\n- **SQLite cache**: Persistent storage in the system cache directory:\n  - Linux: `~/.cache/dependi/cache.db`\n  - macOS: `~/Library/Caches/dependi/cache.db`\n  - Windows: `%LOCALAPPDATA%\\dependi\\cache.db`\n\nCache entries expire after 1 hour by default (configurable via `cache.ttl_secs`). Vulnerability data is cached for 6 hours. When you open a dependency file, cached data is used immediately while fresh data is fetched in the background.\n\n### How do I clear the cache?\n\nDelete the cache directory:\n```bash\n# Linux\nrm -rf ~/.cache/dependi/\n\n# macOS\nrm -rf ~/Library/Caches/dependi/\n\n# Windows\nrmdir /s %LOCALAPPDATA%\\dependi\n```\nThen restart Zed. The cache will rebuild as you open dependency files.\n\n### Can I use this offline?\n\nYes, with limitations. If packages were previously cached, their information remains available offline until the cache expires. New packages or those not in cache won't have version information. For fully offline work, consider increasing the cache TTL:\n```json\n{\n  \"lsp\": {\n    \"dependi\": {\n      \"initialization_options\": {\n        \"cache\": {\n          \"ttl_secs\": 86400\n        }\n      }\n    }\n  }\n}\n```\n\n### Which package registries are supported?\n\n| Language | Registry | URL |\n|----------|----------|-----|\n| Rust | crates.io (+ alternative registries) | https://crates.io |\n| JavaScript/TypeScript | npm | https://registry.npmjs.org |\n| Python | PyPI | https://pypi.org |\n| Go | Go Proxy | https://proxy.golang.org |\n| PHP | Packagist | https://packagist.org |\n| Dart/Flutter | pub.dev | https://pub.dev |\n| C#/.NET | NuGet | https://api.nuget.org |\n| Ruby | RubyGems | https://rubygems.org |\n\n### What data does the extension collect?\n\nDependi:\n- Fetches package metadata from public registries\n- Queries OSV.dev API for vulnerability information\n- Caches all data locally on your machine\n- Does **NOT** send your code, file contents, or personal data anywhere\n- Only makes requests to official package registries and OSV.dev\n\n### How does vulnerability scanning work?\n\nDependi queries the [OSV.dev](https://osv.dev) API (Google's Open Source Vulnerability database) for each of your dependencies. The results show:\n- **Severity levels**: Critical, High, Medium, Low\n- **CVE/Advisory IDs** in hover tooltips\n- **Diagnostic markers** in the editor\n\nConfigure minimum severity level with `security.min_severity`:\n```json\n{\n  \"lsp\": {\n    \"dependi\": {\n      \"initialization_options\": {\n        \"security\": {\n          \"min_severity\": \"high\"\n        }\n      }\n    }\n  }\n}\n```\n\n### How do I disable specific features?\n\nUse `initialization_options` in your Zed settings:\n```json\n{\n  \"lsp\": {\n    \"dependi\": {\n      \"initialization_options\": {\n        \"inlay_hints\": { \"enabled\": false },\n        \"diagnostics\": { \"enabled\": false },\n        \"security\": { \"enabled\": false }\n      }\n    }\n  }\n}\n```\n\n### How do I ignore certain packages?\n\nUse the `ignore` setting with glob patterns:\n```json\n{\n  \"lsp\": {\n    \"dependi\": {\n      \"initialization_options\": {\n        \"ignore\": [\"internal-*\", \"my-private-pkg\", \"@company/*\"]\n      }\n    }\n  }\n}\n```\n\n### Why do some packages show \"? Unknown\"?\n\nThis can happen when:\n- The package doesn't exist on the registry\n- Network request failed or timed out\n- Registry is temporarily unavailable\n- Package name has a typo\n\nCheck your network connection and verify the package exists on its registry.\n\n### Can I see outdated packages without inlay hints?\n\nYes! Even with inlay hints disabled, diagnostics will highlight outdated dependencies. Enable diagnostics in settings:\n```json\n{\n  \"lsp\": {\n    \"dependi\": {\n      \"initialization_options\": {\n        \"diagnostics\": { \"enabled\": true }\n      }\n    }\n  }\n}\n```\n\n### How do I report a bug or request a feature?\n\n1. Check [existing issues](https://github.com/mpiton/zed-dependi/issues) first\n2. Open a new issue with:\n   - Dependi version\n   - Zed version\n   - Operating system\n   - Steps to reproduce\n   - Expected vs actual behavior\n   - Relevant logs (`zed --foreground`)\n\n### How do I contribute?\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines. Briefly:\n1. Fork the repository\n2. Create a feature branch\n3. Make changes and add tests\n4. Run `cargo test` and `cargo clippy`\n5. Submit a pull request\n\n## Roadmap\n\n- [x] **v0.1.0 (MVP)**: Cargo.toml + package.json support with inlay hints\n- [x] **v0.2.0**: Python/Go/PHP support, diagnostics, code actions, SQLite cache, configuration\n- [x] **v0.3.0**: Vulnerability detection (OSV.dev), Dart/Flutter and C#/.NET support\n- [x] **v1.0.0**: Published to Zed Extensions marketplace ✨\n\n## Contributing\n\nContributions are welcome! See [CONTRIBUTING.md](CONTRIBUTING.md) for detailed guidelines on:\n- Setting up your development environment\n- Code style and standards\n- Adding support for new languages\n- Submitting pull requests\n\n## License\n\nMIT - See [LICENSE](LICENSE)\n\n## Acknowledgments\n\n- Inspired by [Dependi for VS Code](https://github.com/filllabs/dependi)\n- Built with [tower-lsp](https://github.com/ebkalderon/tower-lsp)\n- Thanks to the Zed team for the excellent extension API\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmpiton%2Fzed-dependi","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmpiton%2Fzed-dependi","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmpiton%2Fzed-dependi/lists"}