https://github.com/harekrishnarai/depcheck
A CLI tool to identify SCA security vulnerabilities in packages and provide suggestions for upgrade versions, breaking changes, CVSS and advisories.
- Host: GitHub
- URL: https://github.com/harekrishnarai/depcheck
- Owner: harekrishnarai
- License: mit
- Created: 2025-04-10T04:28:03.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2025-04-26T11:04:36.000Z (about 1 year ago)
- Last Synced: 2025-12-07T07:04:09.458Z (5 months ago)
- Topics: breaking-changes, cve, identify-packages-upgrades, patch-finder, sca-tool, software-supply-chain-security
- Language: Go
- Homepage:
- Size: 150 KB
- Stars: 1
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# DepCheck
A CLI tool to check dependency versions across different package ecosystems and identify security vulnerabilities.

## Installation
```bash
go install github.com/harekrishnarai/depcheck@latest
```
## Usage
### Check a single package version
```bash
depcheck check express 4.18.2
```
### Check dependencies from a package file
```bash
depcheck file package.json
```
### Check dependencies directly from a lock file
```bash
depcheck file package-lock.json
```
## Supported Package Files
- Node.js
  - package.json
  - package-lock.json (exact resolved versions, so results are more accurate than from the version ranges in package.json)
  - yarn.lock
  - npm-shrinkwrap.json
- Python
  - requirements.txt
- More coming soon...
## Features
- Check if specific package versions exist
- Bulk check dependencies from package files
- Support for lock files for more accurate version information
- Transitive dependency analysis (detects nested dependencies)
- Security vulnerability scanning with accurate CVSS scores
- Detailed severity information from multiple sources (OSV.dev, deps.dev)
- Support for multiple package ecosystems
- Detailed version information
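The lock-file and transitive-dependency features listed above come down to one parsing question: which (name, version) pairs are actually installed, including copies nested under another package? The block below is an added example written for this page, not depcheck's own code (how depcheck parses lock files is not shown here). It reads the `packages` map of a lockfileVersion 2/3 package-lock.json, using a constructed sample lock file embedded in the source, and flags nested copies so that each installed version can be checked separately.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample package-lock.json (lockfileVersion 3) so the example runs offline.
// express pins older debug and ms releases than the top level, so npm installs second
// copies nested under node_modules/express: exactly what a package.json-only scan misses.
const sampleLock = `{
  "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"debug": "^4.3.4", "express": "^4.18.2"}},
    "node_modules/debug": {"version": "4.3.4", "dependencies": {"ms": "2.1.2"}},
    "node_modules/express": {"version": "4.18.2", "dependencies": {"debug": "2.6.9", "ms": "2.0.0"}},
    "node_modules/express/node_modules/debug": {"version": "2.6.9", "dependencies": {"ms": "2.0.0"}},
    "node_modules/express/node_modules/ms": {"version": "2.0.0"},
    "node_modules/ms": {"version": "2.1.2"}
  }
}`

// lockPackage is the subset of a "packages" entry this example needs.
type lockPackage struct {
	Version         string            `json:"version"`
	Dependencies    map[string]string `json:"dependencies"`
	DevDependencies map[string]string `json:"devDependencies"`
}

type lockFile struct {
	LockfileVersion int                    `json:"lockfileVersion"`
	Packages        map[string]lockPackage `json:"packages"`
}

// Dependency is one installed (name, version) pair. Depth is the number of
// node_modules/ segments in the install path: 1 is a top-level install, more
// is a nested copy kept because an ancestor needed a different version.
type Dependency struct {
	Name    string
	Version string
	Direct  bool // named in the project's own dependencies or devDependencies
	Depth   int
}

// ParseLockfile returns every installed package in a lockfileVersion 2/3 lock
// file, nested transitive copies included, sorted by name then version.
func ParseLockfile(data []byte) ([]Dependency, error) {
	var lf lockFile
	if err := json.Unmarshal(data, &lf); err != nil {
		return nil, fmt.Errorf("parse package-lock.json: %w", err)
	}
	if lf.LockfileVersion < 2 || lf.Packages == nil {
		return nil, fmt.Errorf("lockfileVersion %d has no \"packages\" map; only v2/v3 is handled here", lf.LockfileVersion)
	}
	// The "" entry is the project itself; its dependency maps name the direct deps.
	direct := map[string]bool{}
	for _, m := range []map[string]string{lf.Packages[""].Dependencies, lf.Packages[""].DevDependencies} {
		for name := range m {
			direct[name] = true
		}
	}
	const marker = "node_modules/"
	var deps []Dependency
	for path, pkg := range lf.Packages {
		depth := strings.Count(path, marker)
		if depth == 0 || pkg.Version == "" {
			continue // project root, workspace directory, or link entry without a resolved version
		}
		// The name is everything after the last node_modules/, which keeps @scope/name intact.
		name := path[strings.LastIndex(path, marker)+len(marker):]
		deps = append(deps, Dependency{Name: name, Version: pkg.Version, Direct: depth == 1 && direct[name], Depth: depth})
	}
	sort.Slice(deps, func(i, j int) bool {
		if deps[i].Name != deps[j].Name {
			return deps[i].Name < deps[j].Name
		}
		return deps[i].Version < deps[j].Version
	})
	return deps, nil
}

// VersionsOf lists every installed version of a package. Vulnerability lookups
// must run per (name, version) pair: a fixed top-level copy says nothing about
// a vulnerable nested one.
func VersionsOf(deps []Dependency, name string) []string {
	var versions []string
	for _, d := range deps {
		if d.Name == name {
			versions = append(versions, d.Version)
		}
	}
	return versions
}

func main() {
	deps, err := ParseLockfile([]byte(sampleLock))
	fmt.Println(deps, err)
}
```

With the sample above, two direct dependencies expand to five installed packages; `debug` and `ms` each appear at two versions, and the nested `debug@2.6.9` is the copy a check of package.json alone never sees. lockfileVersion 1 files (npm 6 and earlier) carry a nested `dependencies` tree instead of the flat `packages` map and are rejected here rather than half-parsed.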
## Security Features
- Vulnerability scanning from multiple sources
- Accurate CVSS score parsing from vector strings
- Proper severity classification (Critical, High, Medium, Low)
- Detects deprecated packages
- Shows fixed version information
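The CVSS items above matter because OSV.dev advisories do not carry a number for v3 severity: the `severity` array holds entries of the form `{"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/..."}`, so the base score and the Critical/High/Medium/Low rating have to be computed from the vector string. The following is an added example for this page, not depcheck's own parser; it implements the CVSS v3.1 base-score equations and Roundup function and rejects incomplete or unknown metrics instead of defaulting them.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// Base-metric weights from the CVSS v3.1 specification.
var weights = map[string]float64{
	"AV:N": 0.85, "AV:A": 0.62, "AV:L": 0.55, "AV:P": 0.2,
	"AC:L": 0.77, "AC:H": 0.44,
	"PR:N": 0.85, "PR:L": 0.62, "PR:H": 0.27, // when Scope is Unchanged
	"UI:N": 0.85, "UI:R": 0.62,
	"C:H": 0.56, "C:L": 0.22, "C:N": 0,
	"I:H": 0.56, "I:L": 0.22, "I:N": 0,
	"A:H": 0.56, "A:L": 0.22, "A:N": 0,
}

// Privileges Required is weighted higher when Scope is Changed.
var prChanged = map[string]float64{"PR:N": 0.85, "PR:L": 0.68, "PR:H": 0.5}

// roundUp is the v3.1 Roundup function: it works on an integer scaled by 100000
// so that floating-point artefacts cannot push a score across a 0.1 boundary.
func roundUp(x float64) float64 {
	i := math.Round(x * 100000)
	if math.Mod(i, 10000) == 0 {
		return i / 100000
	}
	return (math.Floor(i/10000) + 1) / 10
}

// Severity maps a base score to the spec's qualitative rating.
func Severity(score float64) string {
	switch {
	case score == 0:
		return "None"
	case score < 4:
		return "Low"
	case score < 7:
		return "Medium"
	case score < 9:
		return "High"
	}
	return "Critical"
}

// ParseVector computes the base score and rating of a CVSS:3.1 vector string.
// Temporal and environmental metrics, if present, are accepted and ignored.
func ParseVector(vector string) (base float64, severity string, err error) {
	parts := strings.Split(strings.TrimSpace(vector), "/")
	if len(parts) < 9 || parts[0] != "CVSS:3.1" {
		return 0, "", fmt.Errorf("not a complete CVSS:3.1 base vector: %q", vector)
	}
	metrics := map[string]string{} // "AV" -> "N", ...
	for _, p := range parts[1:] {
		kv := strings.SplitN(p, ":", 2)
		if len(kv) != 2 {
			return 0, "", fmt.Errorf("malformed metric %q", p)
		}
		metrics[kv[0]] = kv[1]
	}
	scopeChanged := metrics["S"] == "C"
	if !scopeChanged && metrics["S"] != "U" {
		return 0, "", fmt.Errorf("metric S (Scope) missing or invalid (%q)", metrics["S"])
	}
	// Fail on a missing or unknown metric: a defaulted one yields a plausible but wrong score.
	w := map[string]float64{}
	for _, m := range []string{"AV", "AC", "PR", "UI", "C", "I", "A"} {
		key := m + ":" + metrics[m]
		v, ok := weights[key]
		if scopeChanged && m == "PR" {
			v, ok = prChanged[key]
		}
		if !ok {
			return 0, "", fmt.Errorf("metric %s missing or invalid (%q)", m, metrics[m])
		}
		w[m] = v
	}
	iss := 1 - (1-w["C"])*(1-w["I"])*(1-w["A"])
	impact := 6.42 * iss
	if scopeChanged {
		impact = 7.52*(iss-0.029) - 3.25*math.Pow(iss-0.02, 15)
	}
	exploitability := 8.22 * w["AV"] * w["AC"] * w["PR"] * w["UI"]
	if impact <= 0 {
		return 0, "None", nil
	}
	sum := impact + exploitability
	if scopeChanged {
		sum *= 1.08
	}
	base = roundUp(math.Min(sum, 10))
	return base, Severity(base), nil
}

func main() {
	fmt.Println(ParseVector("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"))
}
```

The scope-changed branch (`S:C`) is where hand-rolled parsers usually go wrong: Privileges Required takes different weights and the sum is scaled by 1.08 before the 10.0 cap, which is how `AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H` reaches 10.0 while its `S:U` twin stops at 9.8. CVSS v3.0 vectors use the same base equations but a plain ceiling-to-one-decimal Roundup, and CVSS v4.0 is a different model entirely; both are rejected here rather than scored with the wrong formula.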
## Development
To build and run locally:
```bash
go build
./depcheck --help
```
## Recent Updates
- Added support for direct lock file analysis
- Implemented transitive dependency detection
- Enhanced CVSS vector parsing for accurate vulnerability scores
- Improved handling of GitHub Security Advisories