@matthesketh/fleet 1.0.0 → 1.2.0

package/README.md

@@ -10,7 +10,7 @@
 [![TypeScript](https://img.shields.io/badge/TypeScript-5.6-blue?logo=typescript&logoColor=white)](https://www.typescriptlang.org/)
 [![License](https://img.shields.io/github/license/wrxck/fleet)](LICENSE)
 
-Manages Docker Compose applications on a single server with systemd orchestration, nginx configuration, encrypted secrets, Git/GitHub workflows, health monitoring, and Telegram alerts.
+Manages Docker Compose applications on a single server with systemd orchestration, nginx configuration, encrypted secrets, Git/GitHub workflows, health monitoring, dependency tracking, and Telegram alerts.
 
 </div>
 
@@ -24,6 +24,7 @@ fleet CLI (TypeScript/Node.js)
 ├── MCP Server        Claude Code integration (fleet mcp)
 ├── Registry          App inventory (data/registry.json)
 ├── Secrets Vault     age-encrypted secrets (vault/*.age)
+├── Deps Monitor      Dependency health scanning + alerting
 └── Templates         systemd, nginx, gitignore generators
 
 fleet-bot (Go)
@@ -126,6 +127,19 @@ fleet watchdog                  # Check all services, send Telegram alert on fai
 }
 ```
 
+### Dependency health
+
+```bash
+fleet deps [app]                    # Summary dashboard or per-app detail
+fleet deps scan                     # Run fresh dependency scan
+fleet deps fix <app> [--dry-run]    # Create PR for fixable dependency updates
+fleet deps config                   # Show/set configuration
+fleet deps ignore <pkg> --reason .. # Suppress a finding
+fleet deps init                     # Install cron + MOTD for automated scanning
+```
+
+Scans all registered apps for outdated packages (npm, Composer, pip), Docker image updates, runtime EOL warnings (via endoflife.date), security vulnerabilities (via OSV API), and open dependency PRs on GitHub. Results are cached and surfaced via CLI, MOTD on SSH login, and Telegram notifications. Runs automatically every 6 hours via cron (configurable).
+
 ### Nginx management
 
 ```bash
@@ -204,7 +218,7 @@ The `onboard` command handles everything: initialises git if needed, creates a p
 
 Running `fleet mcp` starts a stdio-based [Model Context Protocol](https://modelcontextprotocol.io/) server. This exposes all fleet operations as tools that Claude Code (or any MCP client) can call.
 
-### Available tools (27)
+### Available tools (33)
 
 | Tool | Description |
 |------|-------------|
@@ -236,6 +250,12 @@ Running `fleet mcp` starts a stdio-based [Model Context Protocol](https://modelc
 | `fleet_git_pr_create` | Create a pull request |
 | `fleet_git_pr_list` | List pull requests |
 | `fleet_git_release` | Create develop -> main release PR |
+| `fleet_deps_status` | Dependency health summary from cache |
+| `fleet_deps_scan` | Run a fresh dependency scan |
+| `fleet_deps_app` | Dependency findings for a specific app |
+| `fleet_deps_fix` | Create PR with dependency updates (dry-run default) |
+| `fleet_deps_ignore` | Add an ignore rule for a finding |
+| `fleet_deps_config` | Get or set dependency monitoring config |
 
 ## fleet-bot
 
@@ -259,6 +279,7 @@ src/
 ├── commands/                CLI command implementations
 │   ├── add.ts               Register an app
 │   ├── deploy.ts            Full deploy pipeline
+│   ├── deps.ts              Dependency health monitoring
 │   ├── git.ts               Git/GitHub operations
 │   ├── health.ts            Health checks
 │   ├── init.ts              Auto-discover apps
@@ -286,11 +307,13 @@ src/
 │   ├── secrets.ts           Vault primitives (age encrypt/decrypt, backup/restore)
 │   ├── secrets-ops.ts       High-level secrets operations (safe seal, drift, validation)
 │   ├── secrets-validate.ts  Compose vs vault validation
-│   └── systemd.ts           systemctl operations
+│   ├── systemd.ts           systemctl operations
+│   └── deps/                Dependency health (collectors, reporters, actors)
 ├── mcp/
 │   ├── server.ts            MCP server setup + tool registration
 │   ├── git-tools.ts         Git-related MCP tools
-│   └── secrets-tools.ts     Secrets MCP tools (set, get, seal, drift, restore)
+│   ├── secrets-tools.ts     Secrets MCP tools (set, get, seal, drift, restore)
+│   └── deps-tools.ts        Dependency monitoring MCP tools
 ├── templates/
 │   ├── gitignore.ts         .gitignore generator
 │   ├── nginx.ts             Nginx config generator

package/dist/cli.js

@@ -12,6 +12,7 @@ import { nginxCommand } from './commands/nginx.js';
 import { secretsCommand } from './commands/secrets.js';
 import { gitCommand } from './commands/git.js';
 import { initCommand } from './commands/init.js';
+import { depsCommand } from './commands/deps.js';
 import { watchdogCommand } from './commands/watchdog.js';
 import { installMcpCommand } from './commands/install-mcp.js';
 import { startMcpServer } from './mcp/server.js';
@@ -30,6 +31,12 @@ Commands:
   restart <app>       Restart app via systemctl
   logs <app> [-f]     Container logs (follow mode with -f)
   health [app]        Health checks (systemd + container + HTTP)
+  deps [app]          Dependency health: outdated, CVEs, EOL, Docker
+  deps scan           Run fresh dependency scan
+  deps fix <app>      Create PR for fixable dependency updates
+  deps config         Show/set configuration
+  deps ignore <pkg>   Suppress a finding
+  deps init           Install cron + MOTD for automated scanning
   add <app-dir>       Register existing app
   remove <app>        Stop, disable, deregister
   nginx add <domain> --port <port> [--type proxy|spa|nextjs]
@@ -90,6 +97,7 @@ export async function run(argv) {
         case 'restart': return restartCommand(rest);
         case 'logs': return logsCommand(rest);
         case 'health': return healthCommand(rest);
+        case 'deps': return depsCommand(rest);
         case 'add': return addCommand(rest);
         case 'remove': return removeCommand(rest);
         case 'deploy': return deployCommand(rest);

package/dist/commands/deps.d.ts

@@ -0,0 +1 @@
+export declare function depsCommand(args: string[]): Promise<void>;

package/dist/commands/deps.js

@@ -0,0 +1,223 @@
+import { writeFileSync, chmodSync } from 'node:fs';
+import { load, findApp } from '../core/registry.js';
+import { loadConfig, saveConfig, configPath } from '../core/deps/config.js';
+import { loadCache, saveCache, isCacheStale, cachePath } from '../core/deps/cache.js';
+import { runScan } from '../core/deps/scanner.js';
+import { formatSummary, formatAppDetail } from '../core/deps/reporters/cli.js';
+import { formatMotd, generateMotdScript } from '../core/deps/reporters/motd.js';
+import { sendTelegramNotification, loadNotifiedFindings, saveNotifiedFindings, } from '../core/deps/reporters/telegram.js';
+import { createDepsPr } from '../core/deps/actors/pr-creator.js';
+import { AppNotFoundError } from '../core/errors.js';
+import { heading, success, error, info, warn } from '../ui/output.js';
+export async function depsCommand(args) {
+    const sub = args[0];
+    switch (sub) {
+        case 'scan': return depsScan(args.slice(1));
+        case 'fix': return depsFix(args.slice(1));
+        case 'config': return depsConfig(args.slice(1));
+        case 'ignore': return depsIgnore(args.slice(1));
+        case 'unignore': return depsUnignore(args.slice(1));
+        case 'init': return depsInit();
+        default: return depsShow(args);
+    }
+}
+async function depsShow(args) {
+    const json = args.includes('--json');
+    const motd = args.includes('--motd');
+    const severityFilter = extractFlag(args, '--severity');
+    const appName = args.find(a => !a.startsWith('-'));
+    const config = loadConfig();
+    const cache = loadCache();
+    const reg = load();
+    if (!cache) {
+        warn('No scan data found. Run: fleet deps scan');
+        return;
+    }
+    if (isCacheStale(cache, config.scanIntervalHours)) {
+        warn(`Scan data is stale (last scan: ${cache.lastScan}). Run: fleet deps scan`);
+    }
+    if (json) {
+        if (appName) {
+            const findings = cache.findings.filter(f => f.appName === appName);
+            process.stdout.write(JSON.stringify(findings, null, 2) + '\n');
+        }
+        else {
+            process.stdout.write(JSON.stringify(cache, null, 2) + '\n');
+        }
+        return;
+    }
+    if (motd) {
+        process.stdout.write(formatMotd(cache, reg.apps.length) + '\n');
+        return;
+    }
+    if (appName) {
+        const app = findApp(reg, appName);
+        if (!app)
+            throw new AppNotFoundError(appName);
+        let findings = cache.findings.filter(f => f.appName === app.name);
+        if (severityFilter) {
+            const sevs = severityFilter.split(',');
+            findings = findings.filter(f => sevs.includes(f.severity));
+        }
+        heading(`Deps: ${app.name}`);
+        const lines = formatAppDetail(app.name, findings);
+        for (const line of lines)
+            process.stdout.write(line + '\n');
+        process.stdout.write('\n');
+        return;
+    }
+    heading('Dependency Health');
+    let findings = cache.findings;
+    if (severityFilter) {
+        const sevs = severityFilter.split(',');
+        findings = findings.filter(f => sevs.includes(f.severity));
+    }
+    const summaryCache = { ...cache, findings };
+    const lines = formatSummary(summaryCache, reg.apps.length);
+    for (const line of lines)
+        process.stdout.write(line + '\n');
+    process.stdout.write('\n');
+}
+async function depsScan(args) {
+    const quiet = args.includes('--quiet');
+    const reg = load();
+    const config = loadConfig();
+    if (!quiet)
+        info('Scanning dependencies across all apps...');
+    const cache = await runScan(reg.apps, config);
+    saveCache(cache);
+    if (config.notifications.telegram.enabled) {
+        const previousFindings = loadNotifiedFindings();
+        const sent = await sendTelegramNotification(cache.findings, reg.apps.length, previousFindings, config.notifications.telegram.minSeverity);
+        if (sent) {
+            saveNotifiedFindings(cache.findings);
+            if (!quiet)
+                info('Telegram notification sent');
+        }
+    }
+    if (!quiet) {
+        success(`Scan complete: ${cache.findings.length} findings across ${reg.apps.length} apps (${cache.scanDurationMs}ms)`);
+        if (cache.errors.length > 0) {
+            warn(`${cache.errors.length} collector errors`);
+        }
+        process.stdout.write('\n');
+        heading('Dependency Health');
+        const lines = formatSummary(cache, reg.apps.length);
+        for (const line of lines)
+            process.stdout.write(line + '\n');
+        process.stdout.write('\n');
+    }
+}
+async function depsFix(args) {
+    const dryRun = args.includes('--dry-run');
+    const appName = args.find(a => !a.startsWith('-'));
+    if (!appName) {
+        error('Usage: fleet deps fix <app> [--dry-run] [--major]');
+        process.exit(1);
+    }
+    const reg = load();
+    const app = findApp(reg, appName);
+    if (!app)
+        throw new AppNotFoundError(appName);
+    const cache = loadCache();
+    if (!cache) {
+        error('No scan data. Run: fleet deps scan');
+        process.exit(1);
+    }
+    const findings = cache.findings.filter(f => f.appName === app.name && f.fixable);
+    if (findings.length === 0) {
+        info('No fixable findings for this app');
+        return;
+    }
+    const result = createDepsPr(app, findings, dryRun);
+    if (dryRun) {
+        heading(`Dry run: ${app.name}`);
+        info(`Would create branch: ${result.branch}`);
+        for (const bump of result.bumps) {
+            info(`  ${bump.file}: ${bump.search} -> ${bump.replace}`);
+        }
+        return;
+    }
+    if (result.prUrl) {
+        success(`PR created: ${result.prUrl}`);
+    }
+    else {
+        success(`Branch ${result.branch} pushed with ${result.bumps.length} updates`);
+    }
+}
+async function depsConfig(args) {
+    const config = loadConfig();
+    if (args.length === 0) {
+        process.stdout.write(JSON.stringify(config, null, 2) + '\n');
+        return;
+    }
+    if (args[0] === 'set' && args.length >= 3) {
+        const key = args[1];
+        const value = args[2];
+        const parsed = value === 'true' ? true : value === 'false' ? false : isNaN(Number(value)) ? value : Number(value);
+        config[key] = parsed;
+        saveConfig(config);
+        success(`Set ${key} = ${value}`);
+        return;
+    }
+    error('Usage: fleet deps config [set <key> <value>]');
+}
+async function depsIgnore(args) {
+    const pkg = args.find(a => !a.startsWith('-'));
+    const appName = extractFlag(args, '--app');
+    const reason = extractFlag(args, '--reason');
+    const until = extractFlag(args, '--until');
+    if (!pkg || !reason) {
+        error('Usage: fleet deps ignore <package> --reason "..." [--app <name>] [--until YYYY-MM-DD]');
+        process.exit(1);
+    }
+    const config = loadConfig();
+    config.ignore.push({
+        package: pkg,
+        ...(appName && { appName }),
+        reason,
+        ...(until && { until }),
+    });
+    saveConfig(config);
+    success(`Ignoring ${pkg}${appName ? ` for ${appName}` : ''}: ${reason}`);
+}
+async function depsUnignore(args) {
+    const pkg = args.find(a => !a.startsWith('-'));
+    const appName = extractFlag(args, '--app');
+    if (!pkg) {
+        error('Usage: fleet deps unignore <package> [--app <name>]');
+        process.exit(1);
+    }
+    const config = loadConfig();
+    config.ignore = config.ignore.filter(r => {
+        if (r.package !== pkg)
+            return true;
+        if (appName && r.appName !== appName)
+            return true;
+        return false;
+    });
+    saveConfig(config);
+    success(`Removed ignore rule for ${pkg}`);
+}
+async function depsInit() {
+    const config = loadConfig();
+    saveConfig(config);
+    success(`Config written to ${configPath()}`);
+    const motdPath = '/etc/update-motd.d/99-fleet-deps';
+    const script = generateMotdScript(cachePath());
+    writeFileSync(motdPath, script);
+    chmodSync(motdPath, 0o755);
+    success(`MOTD script installed at ${motdPath}`);
+    const cronLine = `0 */${config.scanIntervalHours} * * * root /usr/local/bin/fleet deps scan --quiet\n`;
+    writeFileSync('/etc/cron.d/fleet-deps', cronLine);
+    success(`Cron installed: every ${config.scanIntervalHours} hours`);
+    info('Running initial scan...');
+    await depsScan(['--quiet']);
+    success('Initial scan complete. Run: fleet deps');
+}
+function extractFlag(args, flag) {
+    const idx = args.indexOf(flag);
+    if (idx === -1 || idx + 1 >= args.length)
+        return undefined;
+    return args[idx + 1];
+}

package/dist/commands/motd.d.ts

@@ -0,0 +1 @@
+export declare function motdInstallCommand(): void;

package/dist/commands/motd.js

@@ -0,0 +1,10 @@
+import { writeFileSync, chmodSync } from 'node:fs';
+import { generateMotdScript } from '../templates/motd.js';
+import { success } from '../ui/output.js';
+const MOTD_PATH = '/etc/update-motd.d/50-fleet-status';
+export function motdInstallCommand() {
+    const script = generateMotdScript();
+    writeFileSync(MOTD_PATH, script);
+    chmodSync(MOTD_PATH, 0o755);
+    success(`Installed MOTD script at ${MOTD_PATH}`);
+}

package/dist/core/deps/actors/pr-creator.d.ts

@@ -0,0 +1,14 @@
+import type { AppEntry } from '../../registry.js';
+import type { Finding } from '../types.js';
+export interface VersionBump {
+    file: string;
+    search: string;
+    replace: string;
+}
+export declare function generateVersionBump(finding: Finding): VersionBump | null;
+export declare function buildPrBody(findings: Finding[]): string;
+export declare function createDepsPr(app: AppEntry, findings: Finding[], dryRun: boolean): {
+    branch: string;
+    bumps: VersionBump[];
+    prUrl?: string;
+};

package/dist/core/deps/actors/pr-creator.js

@@ -0,0 +1,103 @@
+import { readFileSync, writeFileSync, existsSync } from 'node:fs';
+import { join } from 'node:path';
+import { exec } from '../../exec.js';
+export function generateVersionBump(finding) {
+    if (!finding.fixable || !finding.package || !finding.currentVersion || !finding.latestVersion) {
+        return null;
+    }
+    switch (finding.source) {
+        case 'npm':
+            return {
+                file: 'package.json',
+                search: `"${finding.package}": "${finding.currentVersion}"`,
+                replace: `"${finding.package}": "${finding.latestVersion}"`,
+            };
+        case 'composer':
+            return {
+                file: 'composer.json',
+                search: `"${finding.package}": "${finding.currentVersion}"`,
+                replace: `"${finding.package}": "${finding.latestVersion}"`,
+            };
+        case 'pip':
+            return {
+                file: 'requirements.txt',
+                search: `${finding.package}==${finding.currentVersion}`,
+                replace: `${finding.package}==${finding.latestVersion}`,
+            };
+        case 'docker-image':
+            return {
+                file: 'Dockerfile',
+                search: `${finding.package}:${finding.currentVersion}`,
+                replace: `${finding.package}:${finding.latestVersion}`,
+            };
+        default:
+            return null;
+    }
+}
+export function buildPrBody(findings) {
+    const lines = [];
+    lines.push('## Dependency Updates\n');
+    lines.push('| Package | Current | Latest | Severity |');
+    lines.push('|---------|---------|--------|----------|');
+    for (const f of findings) {
+        lines.push(`| ${f.package ?? f.title} | ${f.currentVersion ?? '-'} | ${f.latestVersion ?? '-'} | ${f.severity} |`);
+    }
+    lines.push('');
+    lines.push('## Post-merge steps');
+    lines.push('');
+    const hasNpm = findings.some(f => f.source === 'npm');
+    const hasComposer = findings.some(f => f.source === 'composer');
+    const hasPip = findings.some(f => f.source === 'pip');
+    const hasDocker = findings.some(f => f.source === 'docker-image');
+    if (hasNpm)
+        lines.push('- [ ] Run `npm install` to update lockfile');
+    if (hasComposer)
+        lines.push('- [ ] Run `composer update` to update lockfile');
+    if (hasPip)
+        lines.push('- [ ] Run `pip install -r requirements.txt` to verify');
+    if (hasDocker)
+        lines.push('- [ ] Rebuild Docker image and test');
+    lines.push('- [ ] Run tests');
+    lines.push('');
+    lines.push('---');
+    lines.push('Generated by `fleet deps fix`');
+    return lines.join('\n');
+}
+export function createDepsPr(app, findings, dryRun) {
+    const fixable = findings.filter(f => f.fixable);
+    const bumps = fixable.map(generateVersionBump).filter((b) => b !== null);
+    if (bumps.length === 0) {
+        return { branch: '', bumps: [] };
+    }
+    const date = new Date().toISOString().split('T')[0];
+    const branch = `deps/${app.name}/${date}`;
+    if (dryRun) {
+        return { branch, bumps };
+    }
+    const sshEnv = { SSH_AUTH_SOCK: '/tmp/fleet-ssh-agent.sock' };
+    exec('git checkout develop', { cwd: app.composePath });
+    exec('git pull', { cwd: app.composePath, env: sshEnv });
+    exec(`git checkout -b ${branch}`, { cwd: app.composePath });
+    for (const bump of bumps) {
+        const filePath = join(app.composePath, bump.file);
+        if (!existsSync(filePath))
+            continue;
+        let content = readFileSync(filePath, 'utf-8');
+        content = content.replace(bump.search, bump.replace);
+        writeFileSync(filePath, content);
+    }
+    const files = [...new Set(bumps.map(b => b.file))];
+    exec(`git add ${files.join(' ')}`, { cwd: app.composePath });
+    const commitMsg = bumps.length === 1
+        ? `chore(deps): update ${fixable[0].package} from ${fixable[0].currentVersion} to ${fixable[0].latestVersion}`
+        : `chore(deps): update ${bumps.length} dependencies`;
+    exec(`git commit -m "${commitMsg}"`, { cwd: app.composePath });
+    exec(`git push -u origin ${branch}`, { cwd: app.composePath, env: sshEnv });
+    if (!app.gitRepo)
+        return { branch, bumps };
+    const prBody = buildPrBody(fixable);
+    const prTitle = `chore(deps): update dependencies (${date})`;
+    const prResult = exec(`gh pr create --repo ${app.gitRepo} --title "${prTitle}" --body "${prBody.replace(/"/g, '\\"')}" --base develop`, { cwd: app.composePath, env: sshEnv });
+    const prUrl = prResult.ok ? prResult.stdout.trim() : undefined;
+    return { branch, bumps, prUrl };
+}

package/dist/core/deps/cache.d.ts

@@ -0,0 +1,5 @@
+import type { DepsCache } from './types.js';
+export declare function loadCache(path?: string): DepsCache | null;
+export declare function saveCache(cache: DepsCache, path?: string): void;
+export declare function isCacheStale(cache: DepsCache | null, intervalHours: number): boolean;
+export declare function cachePath(): string;

package/dist/core/deps/cache.js

@@ -0,0 +1,28 @@
+import { readFileSync, writeFileSync, renameSync, existsSync, mkdirSync } from 'node:fs';
+import { dirname, join } from 'node:path';
+import { fileURLToPath } from 'node:url';
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const DEFAULT_CACHE_PATH = join(__dirname, '..', '..', '..', 'data', 'deps-cache.json');
+export function loadCache(path = DEFAULT_CACHE_PATH) {
+    if (!existsSync(path))
+        return null;
+    const raw = readFileSync(path, 'utf-8');
+    return JSON.parse(raw);
+}
+export function saveCache(cache, path = DEFAULT_CACHE_PATH) {
+    const dir = dirname(path);
+    if (!existsSync(dir))
+        mkdirSync(dir, { recursive: true });
+    const tmpPath = path + '.tmp';
+    writeFileSync(tmpPath, JSON.stringify(cache, null, 2) + '\n');
+    renameSync(tmpPath, path);
+}
+export function isCacheStale(cache, intervalHours) {
+    if (!cache)
+        return true;
+    const age = Date.now() - new Date(cache.lastScan).getTime();
+    return age > intervalHours * 60 * 60 * 1000;
+}
+export function cachePath() {
+    return DEFAULT_CACHE_PATH;
+}

package/dist/core/deps/collectors/composer.d.ts

@@ -0,0 +1,12 @@
+import type { AppEntry } from '../../registry.js';
+import type { Collector, Finding, DepsConfig } from '../types.js';
+type SeverityOverrides = DepsConfig['severityOverrides'];
+export declare class ComposerCollector implements Collector {
+    private overrides;
+    type: "composer";
+    constructor(overrides: SeverityOverrides);
+    detect(appPath: string): boolean;
+    collect(app: AppEntry): Promise<Finding[]>;
+    private checkPackage;
+}
+export {};

package/dist/core/deps/collectors/composer.js

@@ -0,0 +1,70 @@
+import { readFileSync, existsSync } from 'node:fs';
+import { join } from 'node:path';
+import { severityFromVersionDelta } from '../severity.js';
+export class ComposerCollector {
+    overrides;
+    type = 'composer';
+    constructor(overrides) {
+        this.overrides = overrides;
+    }
+    detect(appPath) {
+        return existsSync(join(appPath, 'composer.json'));
+    }
+    async collect(app) {
+        const composerPath = join(app.composePath, 'composer.json');
+        if (!existsSync(composerPath))
+            return [];
+        const raw = readFileSync(composerPath, 'utf-8');
+        const composer = JSON.parse(raw);
+        const allDeps = {
+            ...composer.require,
+            ...composer['require-dev'],
+        };
+        const packages = Object.entries(allDeps).filter(([name]) => !name.startsWith('php') && !name.startsWith('ext-') && !name.startsWith('lib-'));
+        const findings = [];
+        const results = await Promise.allSettled(packages.map(([name, version]) => this.checkPackage(app.name, name, version)));
+        for (const result of results) {
+            if (result.status === 'fulfilled' && result.value) {
+                findings.push(result.value);
+            }
+        }
+        return findings;
+    }
+    async checkPackage(appName, name, currentRaw) {
+        const current = currentRaw.replace(/^[\^~>=<*]/, '').replace(/\.\*$/, '.0');
+        try {
+            const res = await fetch(`https://repo.packagist.org/p2/${name}.json`);
+            if (!res.ok)
+                return null;
+            const data = await res.json();
+            const versions = data.packages[name];
+            if (!versions?.length)
+                return null;
+            const stable = versions.find(v => /^\d+\.\d+\.\d+$/.test(v.version) || /^v\d+\.\d+\.\d+$/.test(v.version));
+            if (!stable)
+                return null;
+            const latest = stable.version.replace(/^v/, '');
+            if (current === latest)
+                return null;
+            const severity = severityFromVersionDelta(current, latest, this.overrides);
+            if (severity === 'info')
+                return null;
+            return {
+                appName,
+                source: 'composer',
+                severity,
+                category: 'outdated-dep',
+                title: `${name} ${current} -> ${latest}`,
+                detail: `Composer package ${name} can be updated from ${current} to ${latest}`,
+                package: name,
+                currentVersion: current,
+                latestVersion: latest,
+                fixable: true,
+                updatedAt: new Date().toISOString(),
+            };
+        }
+        catch {
+            return null;
+        }
+    }
+}

package/dist/core/deps/collectors/docker-image.d.ts

@@ -0,0 +1,18 @@
+import type { AppEntry } from '../../registry.js';
+import type { Collector, Finding, DepsConfig } from '../types.js';
+type SeverityOverrides = DepsConfig['severityOverrides'];
+export interface ImageRef {
+    image: string;
+    tag: string;
+}
+export declare class DockerImageCollector implements Collector {
+    private overrides;
+    type: "docker-image";
+    constructor(overrides: SeverityOverrides);
+    detect(appPath: string): boolean;
+    collect(app: AppEntry): Promise<Finding[]>;
+    parseDockerfile(content: string): ImageRef[];
+    parseComposeImages(content: string): ImageRef[];
+    private checkImage;
+}
+export {};