π Version 0.2.5: DepGuardian is no longer just a CLI tool! Now featuring a Local GUI & Gemini AI-Powered Project Analysis! π
DepGuardian has leveled up! It's your comprehensive Python-powered assistant for monitoring, updating, and deeply analyzing your Node.js (NPM) project dependencies.
It meticulously checks for outdated packages, scans for known vulnerabilities using OSV.dev, and can automate Pull Request creation for straightforward updates. The major leap in this version is the integration of:
- A local web-based GUI π» for a more intuitive experience in managing and viewing reports.
- Agentic Project Analysis with the Gemini AI API π§ , allowing you to upload your entire project for in-depth insights into inter-dependency conflicts and receive AI-generated resolution strategies.
Scans your package.json and package-lock.json (v1, v2, v3 supported) to find direct dependencies that are out of date compared to the NPM registry's latest tag. Reports the installed version, latest available version, and whether the installed version satisfies the range specified in package.json.
Queries the Open Source Vulnerabilities (OSV) database (osv.dev) for any known vulnerabilities affecting your projectβs installed package versions (from package-lock.json).
Optionally, for the first outdated direct dependency found, DepGuardian can:
- Create a new git branch (e.g.,
depguardian/update-express-4.18.2). - Run
npm install <package>@<latest_version>. - Commit the
package.jsonandpackage-lock.jsonchanges. - Push the branch to your
originremote. - Open a Pull Request on GitHub targeting your repository's default branch.
Prerequisites for PR creation:
- A clean Git working directory.
git,node, andnpmcommands available in your PATH.- A GitHub Personal Access Token (with
reposcope) provided via--github-tokenorGITHUB_TOKEN. - The target GitHub repository specified via
--github-repoorGITHUB_REPOSITORY(inowner/repoformat).
- Holistic Project View: Upload your entire Node.js project (as a
.zipfile) directly through the DepGuardian GUI. - AI-Powered Insights: Provide your Gemini API Key. DepGuardian will:
- Perform its standard dependency and vulnerability scan on the uploaded project.
- Prepare a rich context including your
package.json,package-lock.json, the initial scan results, and any npm error output from simulated updates (if applicable in future enhancements). - Send this context to the Gemini API.
- Gemini analyzes for complex inter-dependency issues, potential version conflicts, and suggests actionable resolution strategies.
- Comprehensive Report: Receive a detailed JSON report (viewable in the GUI) combining DepGuardian's core findings with Gemini's expert analysis and recommendations.
- Launch with Ease: Start the local dashboard with a simple CLI command:
depg gui start. - AI Analysis Hub: The primary interface for initiating "Analyze Project with Gemini AI" by uploading your project ZIP and API key.
- Report Viewer: Upload and view standard JSON reports generated by
depg checkor the more comprehensive reports from the AI agent.
- Python 3.11+ (due to
google-generativeailibrary and other modern dependencies) - Node.js and npm (for interacting with Node.js projects and the
semver_checker.jshelper) - Git (for the automated PR creation feature)
- A Gemini API Key (for the AI-powered project analysis feature). You can obtain one from Google AI Studio
pip install dep-guardian==0.2.5git clone https://github.com/AbhayBhandarkar/DepGuardian.git
cd DepGuardian
# Create and activate a Python virtual environment (highly recommended)
python -m venv .venv
# On macOS/Linux:
source .venv/bin/activate
# On Windows (Command Prompt):
# .\.venv\Scripts\activate
# On Windows (PowerShell):
# .\.venv\Scripts\Activate.ps1
# Install all dependencies
pip install --upgrade pip
pip install -r requirements_dev.txt # Installs dev tools + runtime dependencies
pip install -e . # Installs DepGuardian in editable mode
# Install Node.js helper dependency (from DepGuardian's root package.json)
npm installNavigate to your Node.js project directory (which should contain package.json and package-lock.json).
depg checkdepg check --path /path/to/your/nodejs_project --json-report my_scan_report.jsonScanning project at: /path/to/your/project
Found 2 direct dependencies in package.json.
Found 158 installed packages in package-lock.json (v3).
--------------------
Checking Direct Dependencies against NPM Registry:
- Checking express (4.16.0)... Installed=4.16.0 | Latest=5.1.0 | satisfies range | Update available: 5.1.0
- Checking jest (^27.0.0)... Installed=27.5.1 | Latest=29.7.0 | satisfies range | Update available: 29.7.0
--------------------
Checking for Known Vulnerabilities (OSV API):
Querying OSV for 158 package versions...
OSV query complete. Found 0 vulnerabilities affecting 0 package versions.
No known vulnerabilities found in installed packages.
--------------------
Summary:
2 direct dependencies are outdated.
No vulnerabilities found.
DepGuardian check complete.
To attempt to update the first outdated direct dependency found by depg check and create a PR:
- Ensure the target project is a Git repository with a clean working directory.
- Set your GitHub Token:
export GITHUB_TOKEN="your_github_pat"
Run:
depg check --path /path/to/project --create-pr --github-repo YourUser/YourRepo --json-report pr_attempt.jsonThe pr_attempt.json will contain details of the update attempt, including npm error output if it fails (useful for later analysis).
--path /path/to/project: Specify the project directory.--json-report <filepath>: Save detailed results to a JSON file.--create-pr: Attempt to create a PR for the first outdated dependency.--github-repo <owner/repo>: Target repository for the PR.--github-token <token>: GitHub PAT for PR creation.--verboseor-v: Show more detailed debug logging.
The GUI is your new control center for AI-powered analysis and report viewing.
depg gui --port numberBy default, it runs on http://localhost:5001. Open this address in your web browser.
Analyze Project with Gemini AI:
- Navigate to the GUI (
http://localhost:5001). - Enter your Gemini API Key in the designated field.
- Upload your Node.js project folder as a single
.zipfile. - Click "Analyze with Gemini AI".
DepGuardian's backend (via the depg agent analyze-project CLI command) will:
- Perform its standard scan on the extracted project.
- Prepare a context including your
package.json,package-lock.json, and the scan results. - Send this context to the Gemini AI model using your provided API key.
- Gemini will analyze for inter-dependency issues, version conflicts, and suggest resolution strategies.
- A comprehensive report combining DepGuardian's findings and Gemini's insights will be generated and displayed in your browser. This process may take several minutes.
View Existing DepGuardian Report:
If you have a JSON report previously generated by depg check --json-report ..., you can upload it directly using the "View Existing DepGuardian Report" section on the GUI's main page.
The report details (outdated dependencies, vulnerabilities, etc.) will be displayed.
This is the powerful command that the GUI uses for its AI analysis feature. You can also run it directly from your terminal for scripting or more direct control.
Ensure your project folder is accessible on your filesystem.
Set your Gemini API Key (can also be passed as an option):
export GEMINI_API_KEY="YOUR_GEMINI_API_KEY"Run the command:
depg agent analyze-project \
--project-path /path/to/your/nodejs_project_folder \
--gemini-api-key "$GEMINI_API_KEY" \
--output-json ai_enhanced_report.json \
--verboseThis will generate ai_enhanced_report.json containing both the standard DepGuardian scan data and the detailed textual analysis from Gemini.
0: Operation completed successfully, and no issues (outdated/vulnerable) were found by the core scan.1: Operation completed, but issues (outdated/vulnerable) were found by the core scan, OR an error occurred during processing (e.g., API failure, file parsing error, LLM error). Check logs and the JSON report.2: CLI usage error (e.g., invalid command-line arguments).
git clone https://github.com/AbhayBhandarkar/DepGuardian.git
cd DepGuardian
# Create and activate a Python virtual environment (Python 3.9+ recommended)
python -m venv .venv
# On macOS/Linux:
source .venv/bin/activate
# On Windows (Command Prompt):
# .\.venv\Scripts\activate
# On Windows (PowerShell):
# .\.venv\Scripts\Activate.ps1
# Install development dependencies and DepGuardian in editable mode
pip install --upgrade pip
pip install -r requirements_dev.txt
pip install -e .
# Install Node.js helper dependency (for semver_checker.js)
npm install
# Check code formatting
black . --check # To check formatting
# black . # To automatically reformat files if needed
# Run tests
pytest
# Run the GUI locally for development (from the DepGuardian-1/dep_guardian/gui/ directory)
python app.pyDepGuardian is on a mission to become an indispensable DevOps companion! Here's what's on the horizon:
- π€ Enhanced LLM Interactivity & Actions:
- Allow follow-up questions to the LLM based on its initial analysis directly within the GUI.
- Explore LLM-suggested concrete code/configuration changes for
package.json(e.g., overrides, specific version pins) that users can review and apply. - Enable the LLM to perform targeted web searches for very specific, up-to-the-minute conflict resolutions.
- π³ Dockerization: Provide an official Docker image for DepGuardian (including the GUI and potentially a local LLM option like Ollama) for easy, consistent execution.
- π Expanded Ecosystem Support: Add support for other package managers and programming language ecosystems (e.g., Python's Pip, Java's Maven, RubyGems).
- βοΈ Advanced Update Strategies: More control over updates (patch/minor only, ignore lists, scheduling).
- π¦ Batch PR Creation / Grouped Updates: Create PRs for multiple outdated dependencies simultaneously or group related updates.