Score your project's dependency health before supply-chain risk scores you.
dephealth scans your Python project's dependency tree and produces a rich terminal report (or CI-compatible JSON) with per-dependency health scores covering maintenance activity, security posture, community signals, and license compatibility.
pip's CVE-2025-8869 (path traversal, 90-day exposure window) highlighted that developers have no quick way to assess the health of their dependency tree. Existing tools check for known CVEs but don't evaluate maintenance status, bus factor, or license risk holistically. Teams discover abandoned or risky dependencies only after incidents.
dephealth fills this gap with a single command.
```bash
pip install dephealth
```

```bash
# Scan current project (auto-detects requirements.txt, pyproject.toml, or Pipfile)
dephealth scan

# Scan a specific requirements file
dephealth scan -r requirements.txt

# Fail CI if any dependency scores below grade C
dephealth scan --min-grade C

# Machine-readable JSON output
dephealth scan --format json

# Generate an HTML report
dephealth report --html report.html
```

Each dependency receives scores in four categories, combined into a composite A-F grade:
| Category | Weight | What it measures |
|---|---|---|
| Maintenance | 35% | Last release date, release cadence, maintainer count (bus factor), commit activity |
| Security | 30% | Known CVEs from OSV database, vulnerability severity |
| Popularity | 15% | Download volume, GitHub stars, fork count |
| License | 20% | License type classification, copyleft detection, unknown license flagging |
| Grade | Score Range |
|---|---|
| A | 80-100 |
| B | 60-79 |
| C | 40-59 |
| D | 20-39 |
| F | 0-19 |
`dephealth scan`: scan dependencies and display health scores.

| Option | Description |
|---|---|
| `-r, --requirements PATH` | Path to dependency file (auto-detected if omitted) |
| `--min-grade GRADE` | Minimum acceptable grade (A-F). Exit code 1 if any dependency falls below it |
| `--format FORMAT` | Output format: `table` (default) or `json` |
| `--no-cache` | Disable API response caching |
| `--config PATH` | Path to `.dephealth.toml` config file |
`dephealth report`: generate an HTML report.

| Option | Description |
|---|---|
| `--html PATH` | Output file path (default: `report.html`) |
| `-r, --requirements PATH` | Path to dependency file |
| `--config PATH` | Path to `.dephealth.toml` config file |
Create a .dephealth.toml in your project root to customize scoring weights and behavior:
```toml
cache_ttl_hours = 24
min_grade = "C"
github_token = "" # Optional: for higher GitHub API rate limits

[weights]
maintenance = 0.35
security = 0.30
popularity = 0.15
license = 0.20
```

Supported dependency files:

- `requirements.txt` (including extras and version specifiers)
- `pyproject.toml` (PEP 621 `[project.dependencies]`)
- `Pipfile` (`[packages]` section)
Auto-detection priority: requirements.txt > pyproject.toml > Pipfile
```yaml
- uses: actions/setup-python@v5
  with:
    python-version: '3.12'
- run: pip install dephealth
- run: dephealth scan --min-grade C --format json
```

dephealth exits with code 1 when any dependency falls below the minimum grade threshold, making it easy to gate CI pipelines.
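The scoring model described in the category and grade tables, and the exit-code gate used above, as an added example (not dephealth's own code): it assumes each category score is on a 0-100 scale and uses the README's default weights and grade bands; the two dependencies at the bottom are constructed sample input.

```python
# Added example, not dephealth's own code: reproduce the README's scoring
# model. Category scores are assumed to be 0-100; weights and grade bands
# are the README's defaults. Sample inputs below are constructed.

WEIGHTS = {"maintenance": 0.35, "security": 0.30, "popularity": 0.15, "license": 0.20}
GRADE_BANDS = [("A", 80), ("B", 60), ("C", 40), ("D", 20), ("F", 0)]  # lower bound inclusive
GRADE_ORDER = "ABCDF"  # best to worst

def composite_score(scores, weights=WEIGHTS):
    """Weighted mean of per-category scores. Dividing by the weight total keeps a
    custom [weights] table that does not sum to exactly 1.0 on the 0-100 scale."""
    missing = set(weights) - set(scores)
    if missing:
        raise ValueError(f"missing category scores: {sorted(missing)}")
    total = sum(weights.values())
    if total <= 0:
        raise ValueError("weights must sum to a positive number")
    return sum(scores[k] * w for k, w in weights.items()) / total

def grade_for(score):
    """Map a 0-100 composite score to the A-F band from the README table."""
    for grade, floor in GRADE_BANDS:
        if score >= floor:
            return grade
    return "F"  # only reached for negative (invalid) scores

def meets_min_grade(grade, min_grade):
    """True when grade is at least as good as min_grade (A beats B beats ... F)."""
    return GRADE_ORDER.index(grade) <= GRADE_ORDER.index(min_grade)

def gate(deps, min_grade="C"):
    """Grade each dependency and return (exit_code, grades): exit 1 when any
    dependency falls below min_grade, as `dephealth scan --min-grade` does."""
    grades = {name: grade_for(composite_score(s)) for name, s in deps.items()}
    failing = [n for n, g in grades.items() if not meets_min_grade(g, min_grade)]
    return (1 if failing else 0), grades

# Constructed sample input: made-up category scores for two dependencies.
SAMPLE_DEPS = {
    "well-kept-lib": {"maintenance": 90, "security": 100, "popularity": 70, "license": 100},
    "stale-lib": {"maintenance": 10, "security": 40, "popularity": 80, "license": 50},
}

if __name__ == "__main__":
    code, grades = gate(SAMPLE_DEPS, min_grade="C")
    print(grades, "exit code:", code)  # prints {'well-kept-lib': 'A', 'stale-lib': 'D'} exit code: 1
```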
- PyPI JSON API — Package metadata, release history, maintainer info
- GitHub REST API — Repository stats, commit activity, contributor count
- OSV Database — Known vulnerabilities for PyPI packages
API responses are cached locally in SQLite (~/.cache/dephealth/cache.db) for 24 hours by default to minimize rate limiting.
- Clone the repository
- Install dependencies: `uv sync`
- Run tests: `uv run pytest`
- Lint: `uv run ruff check .`
- Format: `uv run ruff format .`
```bash
uv run pytest            # Run tests
uv run pytest --cov      # Run with coverage
uv run ruff check .      # Lint
uv run ruff format .     # Format
uv run dephealth scan    # Run the tool locally
```

MIT License. See LICENSE for details.