dep-brain 0.6.0 → 0.8.0

package/CHANGELOG.md

@@ -7,3 +7,7 @@ All notable changes to this project will be documented in this file.
 - Workspace-aware analysis for npm workspaces.
 - Config loading and CI policy controls.
 - Improved duplicate detection and unused dependency heuristics.
+- Actionable recommendations for unused, duplicate, outdated, and risk findings.
+- Ranked top-issues summary output with `--top`.
+- Supply-chain trust scoring for risk findings.
+- Structured risk factors in JSON output.

package/README.md

@@ -21,6 +21,7 @@
 - Detect likely unused dependencies from source imports and scripts
 - Detect outdated packages
 - Highlight dependency risk signals
+- Score package trust using supply-chain metadata
 - Generate a simple project health score
 - Output reports in human-readable or JSON format
 
@@ -53,6 +54,7 @@ dep-brain analyze
 npx dep-brain analyze
 npx dep-brain analyze --json
 npx dep-brain analyze --md
+npx dep-brain analyze --top
 npx dep-brain analyze ./path-to-project
 npx dep-brain analyze --config depbrain.config.json
 npx dep-brain analyze --min-score 90 --fail-on-risks
@@ -115,6 +117,14 @@ Output includes `outputVersion` for schema stability and can be validated with:
 dep-brain analyze --md
 ```
 
+## Top Issues Output
+
+```bash
+dep-brain analyze --top
+```
+
+Shows the highest-priority actionable findings first, including confidence and next-step guidance.
+
 ## Report From JSON
 
 ```bash
@@ -248,6 +258,8 @@ src/
 
 The project should optimize for trust, clarity, and actionability over flashy UI, generic graphs, or simply adding more checks.
 
+Risk findings now include a `trustScore` plus structured `riskFactors` such as publish recency, maintainer count, and repository presence.
+
 ## Repository Notes
 
 - Project brief: [docs/project-brief.md](./docs/project-brief.md)

package/depbrain.output.schema.json

@@ -2,9 +2,35 @@
   "$schema": "https://json-schema.org/draft/2020-12/schema",
   "title": "Dependency Brain Analysis Output",
   "type": "object",
-  "required": ["outputVersion", "rootDir", "score", "scoreBreakdown", "policy", "duplicates", "unused", "outdated", "risks", "suggestions", "config"],
+  "required": ["outputVersion", "rootDir", "score", "scoreBreakdown", "policy", "duplicates", "unused", "outdated", "risks", "suggestions", "topIssues", "config"],
   "additionalProperties": false,
   "properties": {
+    "recommendation": {
+      "type": "object",
+      "required": ["action", "priority", "safety", "summary", "reasons"],
+      "additionalProperties": false,
+      "properties": {
+        "action": { "type": "string", "enum": ["remove", "consolidate", "upgrade", "review"] },
+        "priority": { "type": "string", "enum": ["high", "medium", "low"] },
+        "safety": { "type": "string", "enum": ["safe", "caution", "unknown"] },
+        "summary": { "type": "string" },
+        "reasons": { "type": "array", "items": { "type": "string" } }
+      }
+    },
+    "riskFactors": {
+      "type": "object",
+      "required": ["daysSincePublish", "downloads", "maintainersCount", "versionCount", "recentReleaseCount", "hasRepository", "dependencyType"],
+      "additionalProperties": false,
+      "properties": {
+        "daysSincePublish": { "type": ["number", "null"] },
+        "downloads": { "type": ["number", "null"] },
+        "maintainersCount": { "type": ["number", "null"] },
+        "versionCount": { "type": ["number", "null"] },
+        "recentReleaseCount": { "type": ["number", "null"] },
+        "hasRepository": { "type": "boolean" },
+        "dependencyType": { "type": "string", "enum": ["dependencies", "devDependencies", "unknown"] }
+      }
+    },
     "outputVersion": { "type": "string" },
     "rootDir": { "type": "string" },
     "score": { "type": "number" },
@@ -44,7 +70,7 @@
       "type": "array",
       "items": {
         "type": "object",
-        "required": ["name", "versions", "instances", "confidence", "reasonCodes", "explanation"],
+        "required": ["name", "versions", "instances", "confidence", "reasonCodes", "explanation", "recommendation"],
         "additionalProperties": false,
         "properties": {
           "name": { "type": "string" },
@@ -52,6 +78,7 @@
           "confidence": { "type": "number", "minimum": 0, "maximum": 1 },
           "reasonCodes": { "type": "array", "items": { "type": "string" } },
           "explanation": { "type": "array", "items": { "type": "string" } },
+          "recommendation": { "$ref": "#/properties/recommendation" },
           "instances": {
             "type": "array",
             "items": {
@@ -71,7 +98,7 @@
       "type": "array",
       "items": {
         "type": "object",
-        "required": ["name", "section", "confidence", "reasonCodes", "explanation"],
+        "required": ["name", "section", "confidence", "reasonCodes", "explanation", "recommendation"],
         "additionalProperties": false,
         "properties": {
           "name": { "type": "string" },
@@ -79,7 +106,8 @@
           "package": { "type": "string" },
           "confidence": { "type": "number", "minimum": 0, "maximum": 1 },
           "reasonCodes": { "type": "array", "items": { "type": "string" } },
-          "explanation": { "type": "array", "items": { "type": "string" } }
+          "explanation": { "type": "array", "items": { "type": "string" } },
+          "recommendation": { "$ref": "#/properties/recommendation" }
         }
       }
     },
@@ -87,7 +115,7 @@
       "type": "array",
       "items": {
         "type": "object",
-        "required": ["name", "current", "latest", "updateType", "confidence", "reasonCodes", "explanation"],
+        "required": ["name", "current", "latest", "updateType", "confidence", "reasonCodes", "explanation", "recommendation"],
         "additionalProperties": false,
         "properties": {
           "name": { "type": "string" },
@@ -97,7 +125,8 @@
           "package": { "type": "string" },
           "confidence": { "type": "number", "minimum": 0, "maximum": 1 },
           "reasonCodes": { "type": "array", "items": { "type": "string" } },
-          "explanation": { "type": "array", "items": { "type": "string" } }
+          "explanation": { "type": "array", "items": { "type": "string" } },
+          "recommendation": { "$ref": "#/properties/recommendation" }
         }
       }
     },
@@ -105,7 +134,7 @@
       "type": "array",
       "items": {
         "type": "object",
-        "required": ["name", "reasons", "confidence", "reasonCodes", "explanation"],
+        "required": ["name", "reasons", "confidence", "reasonCodes", "explanation", "trustScore", "riskFactors", "recommendation"],
         "additionalProperties": false,
         "properties": {
           "name": { "type": "string" },
@@ -113,11 +142,32 @@
           "package": { "type": "string" },
           "confidence": { "type": "number", "minimum": 0, "maximum": 1 },
           "reasonCodes": { "type": "array", "items": { "type": "string" } },
-          "explanation": { "type": "array", "items": { "type": "string" } }
+          "explanation": { "type": "array", "items": { "type": "string" } },
+          "trustScore": { "type": "string", "enum": ["high", "medium", "low"] },
+          "riskFactors": { "$ref": "#/properties/riskFactors" },
+          "recommendation": { "$ref": "#/properties/recommendation" }
         }
       }
     },
     "suggestions": { "type": "array", "items": { "type": "string" } },
+    "topIssues": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "required": ["kind", "name", "priority", "confidence", "summary", "recommendation"],
+        "additionalProperties": false,
+        "properties": {
+          "kind": { "type": "string", "enum": ["unused", "duplicate", "outdated", "risk"] },
+          "name": { "type": "string" },
+          "package": { "type": "string" },
+          "priority": { "type": "string", "enum": ["high", "medium", "low"] },
+          "confidence": { "type": "number", "minimum": 0, "maximum": 1 },
+          "summary": { "type": "string" },
+          "trustScore": { "type": "string", "enum": ["high", "medium", "low"] },
+          "recommendation": { "$ref": "#/properties/recommendation" }
+        }
+      }
+    },
     "config": { "type": "object" },
     "packages": { "type": "array" }
   }

package/dist/checks/duplicate.js

@@ -12,11 +12,27 @@ export async function findDuplicateDependencies(graph) {
         explanation: [
             `Multiple versions of ${name} were found in the lockfile.`,
             "The package is installed from more than one dependency path."
-        ]
+        ],
+        recommendation: buildDuplicateRecommendation(Array.from(new Set(instances.map((instance) => instance.version))).sort(), instances.length)
     }))
         .filter((dependency) => dependency.versions.length > 1)
         .sort((left, right) => left.name.localeCompare(right.name));
 }
+function buildDuplicateRecommendation(versions, instanceCount) {
+    const targetVersion = versions[versions.length - 1];
+    return {
+        action: "consolidate",
+        priority: versions.length >= 3 ? "high" : "medium",
+        safety: "caution",
+        summary: targetVersion
+            ? `Consolidate toward ${targetVersion}; ${instanceCount} installation paths are affected.`
+            : "Consolidate duplicate versions to a single target version.",
+        reasons: [
+            "Multiple versions of the same package were detected in the lockfile.",
+            "Consolidating versions can reduce drift and simplify upgrades."
+        ]
+    };
+}
 export async function runDuplicateCheck(graph) {
     const duplicates = await findDuplicateDependencies(graph);
     return {

package/dist/checks/outdated.js

@@ -11,26 +11,45 @@ export async function findOutdatedDependencies(graph, options = {}) {
         if (!latest || latest === normalized) {
             return null;
         }
+        const updateType = classifyUpdateType(normalized, latest);
         return {
             name,
             current,
             latest,
-            updateType: classifyUpdateType(normalized, latest),
+            updateType,
             confidence: 0.97,
             reasonCodes: [
                 "latest_registry_version_newer",
-                `update_type_${classifyUpdateType(normalized, latest)}`
+                `update_type_${updateType}`
             ],
             explanation: [
                 "The npm registry reports a newer published version than the one declared in this project.",
-                `The change is classified as a ${classifyUpdateType(normalized, latest)} update.`
-            ]
+                `The change is classified as a ${updateType} update.`
+            ],
+            recommendation: buildOutdatedRecommendation(updateType)
         };
     }));
     return results
         .filter((item) => item !== null)
         .sort((left, right) => left.name.localeCompare(right.name));
 }
+function buildOutdatedRecommendation(updateType) {
+    return {
+        action: "upgrade",
+        priority: updateType === "major" ? "high" : updateType === "minor" ? "medium" : "low",
+        safety: updateType === "patch" ? "safe" : updateType === "minor" ? "caution" : "unknown",
+        summary: updateType === "major"
+            ? "New major version available; review breaking changes before upgrading."
+            : updateType === "minor"
+                ? "New minor version available; review release notes before upgrading."
+                : updateType === "patch"
+                    ? "Routine patch update available."
+                    : "Newer version available; review upgrade impact.",
+        reasons: [
+            "A newer published version is available in the registry."
+        ]
+    };
+}
 export async function runOutdatedCheck(graph) {
     const outdated = await findOutdatedDependencies(graph);
     return {

package/dist/checks/risk.d.ts

@@ -1,5 +1,9 @@
 import type { DependencyGraph } from "../core/graph-builder.js";
 import type { RiskDependency } from "../core/analyzer.js";
 import type { CheckResult } from "../core/types.js";
-export declare function findRiskDependencies(graph: DependencyGraph): Promise<RiskDependency[]>;
+import { type PackageMetadata } from "../utils/npm-api.js";
+export interface RiskCheckOptions {
+    resolvePackageMetadata?: (name: string) => Promise<PackageMetadata | null>;
+}
+export declare function findRiskDependencies(graph: DependencyGraph, options?: RiskCheckOptions): Promise<RiskDependency[]>;
 export declare function runRiskCheck(graph: DependencyGraph): Promise<CheckResult>;

package/dist/checks/risk.js

@@ -1,34 +1,35 @@
 import { getPackageMetadata } from "../utils/npm-api.js";
 const TWO_YEARS_IN_DAYS = 365 * 2;
-export async function findRiskDependencies(graph) {
+const ONE_YEAR_IN_DAYS = 365;
+export async function findRiskDependencies(graph, options = {}) {
+    const resolvePackageMetadata = options.resolvePackageMetadata ?? getPackageMetadata;
     const names = Object.keys({
         ...graph.dependencies,
         ...graph.devDependencies
     });
     const results = await Promise.all(names.map(async (name) => {
-        const metadata = await getPackageMetadata(name);
-        const reasons = [];
+        const metadata = await resolvePackageMetadata(name);
         if (!metadata) {
             return null;
         }
-        if (metadata.daysSincePublish !== null && metadata.daysSincePublish > TWO_YEARS_IN_DAYS) {
-            reasons.push("No release in over 2 years");
-        }
-        if (metadata.downloads !== null && metadata.downloads < 1000) {
-            reasons.push("Low weekly download volume");
-        }
-        if (!metadata.repository) {
-            reasons.push("Missing repository metadata");
-        }
-        if (reasons.length === 0) {
+        const dependencyType = graph.dependencies[name]
+            ? "dependencies"
+            : graph.devDependencies[name]
+                ? "devDependencies"
+                : "unknown";
+        const assessment = assessRisk(metadata, dependencyType);
+        if (assessment.reasons.length === 0) {
             return null;
         }
         return {
             name,
-            reasons,
-            confidence: calculateRiskConfidence(reasons),
-            reasonCodes: reasons.map(toRiskReasonCode),
-            explanation: reasons
+            reasons: assessment.reasons,
+            confidence: assessment.confidence,
+            reasonCodes: assessment.reasonCodes,
+            explanation: assessment.reasons,
+            trustScore: assessment.trustScore,
+            riskFactors: assessment.riskFactors,
+            recommendation: buildRiskRecommendation(assessment.reasons, assessment.confidence, assessment.trustScore)
         };
     }));
     return results
@@ -43,24 +44,89 @@ export async function runRiskCheck(graph) {
         issues: risks.map((item) => ({
             id: `risk:${item.name}`,
             message: `${item.name}: ${item.reasons.join("; ")}`,
-            severity: "warning",
+            severity: item.trustScore === "low"
+                ? "critical"
+                : item.trustScore === "medium"
+                    ? "warning"
+                    : "info",
             confidence: item.confidence,
             reasonCodes: item.reasonCodes,
             explanation: item.explanation,
             meta: {
                 name: item.name,
-                reasons: item.reasons
+                reasons: item.reasons,
+                trustScore: item.trustScore,
+                riskFactors: item.riskFactors
             }
         }))
     };
 }
-function calculateRiskConfidence(reasons) {
-    return Math.min(0.99, 0.55 + reasons.length * 0.12);
+function assessRisk(metadata, dependencyType) {
+    const reasons = [];
+    const reasonCodes = [];
+    let weight = 0;
+    if (metadata.daysSincePublish !== null && metadata.daysSincePublish > TWO_YEARS_IN_DAYS) {
+        reasons.push("No release in over 2 years");
+        reasonCodes.push("stale_release");
+        weight += 3;
+    }
+    else if (metadata.daysSincePublish !== null &&
+        metadata.daysSincePublish > ONE_YEAR_IN_DAYS) {
+        reasons.push("No release in over 12 months");
+        reasonCodes.push("aging_release");
+        weight += 2;
+    }
+    if (metadata.downloads !== null && metadata.downloads < 1000) {
+        reasons.push("Low weekly download volume");
+        reasonCodes.push("low_download_volume");
+        weight += 2;
+    }
+    if (!metadata.repository) {
+        reasons.push("Missing repository metadata");
+        reasonCodes.push("missing_repository_metadata");
+        weight += 2;
+    }
+    if (metadata.maintainersCount !== null && metadata.maintainersCount <= 1) {
+        reasons.push("Single maintainer package");
+        reasonCodes.push("single_maintainer");
+        weight += 2;
+    }
+    if (metadata.recentReleaseCount !== null && metadata.recentReleaseCount === 0) {
+        reasons.push("No releases published in the last 30 days");
+        reasonCodes.push("no_recent_release");
+        weight += 1;
+    }
+    if (metadata.versionCount !== null && metadata.versionCount <= 3) {
+        reasons.push("Very limited published version history");
+        reasonCodes.push("limited_version_history");
+        weight += 1;
+    }
+    const confidence = reasons.length === 0 ? 0.5 : Math.min(0.99, 0.52 + weight * 0.07);
+    const trustScore = weight >= 6 ? "low" : weight >= 3 ? "medium" : "high";
+    return {
+        confidence,
+        trustScore,
+        reasons,
+        reasonCodes,
+        riskFactors: {
+            daysSincePublish: metadata.daysSincePublish,
+            downloads: metadata.downloads,
+            maintainersCount: metadata.maintainersCount,
+            versionCount: metadata.versionCount,
+            recentReleaseCount: metadata.recentReleaseCount,
+            hasRepository: Boolean(metadata.repository),
+            dependencyType
+        }
+    };
 }
-function toRiskReasonCode(reason) {
-    const normalized = reason
-        .toLowerCase()
-        .replace(/[^a-z0-9]+/g, "_")
-        .replace(/^_+|_+$/g, "");
-    return normalized || "risk_signal_detected";
+function buildRiskRecommendation(reasons, confidence, trustScore) {
+    return {
+        action: "review",
+        priority: trustScore === "low" || confidence >= 0.8 ? "high" : "medium",
+        safety: "caution",
+        summary: trustScore === "low"
+            ? "Low trust package; review whether to replace, pin, or monitor it closely."
+            : "Review package trust signals and decide whether to keep, replace, or monitor it.",
+        reasons
+    };
 }

package/dist/checks/unused.js

@@ -144,6 +144,22 @@ function buildUnusedDependency(name, section) {
             "No import or require usage was found in scanned source files.",
             "No matching reference was found in recognized config files.",
             "No matching binary or package reference was found in package scripts."
+        ],
+        recommendation: buildUnusedRecommendation(section)
+    };
+}
+function buildUnusedRecommendation(section) {
+    const safety = section === "devDependencies" ? "safe" : "caution";
+    return {
+        action: "remove",
+        priority: section === "dependencies" ? "high" : "medium",
+        safety,
+        summary: safety === "safe"
+            ? `Safe to remove from ${section}.`
+            : `Likely removable from ${section}, but review before deleting.`,
+        reasons: [
+            "No code usage was found in scanned files.",
+            "No config or script reference was detected."
         ]
     };
 }

package/dist/cli.js

@@ -51,9 +51,11 @@ async function main() {
                 const resolvedFrom = resolveUserPath(fromPath);
                 const raw = await fs.readFile(resolvedFrom, "utf8");
                 const reportData = JSON.parse(raw);
-                const output = flags.has("--json")
-                    ? JSON.stringify(reportData, null, 2)
-                    : renderMarkdownReport(reportData);
+                const output = flags.has("--top")
+                    ? renderTopIssuesReport(reportData)
+                    : flags.has("--json")
+                        ? JSON.stringify(reportData, null, 2)
+                        : renderMarkdownReport(reportData);
                 await writeOutput(output, optionValues.get("--out"));
                 return;
             }
@@ -107,6 +109,9 @@ async function main() {
         if (flags.has("--json")) {
             output = renderJsonReport(result);
         }
+        else if (flags.has("--top")) {
+            output = renderTopIssuesReport(result);
+        }
         else if (flags.has("--md")) {
             output = renderMarkdownReport(result);
         }
@@ -173,8 +178,8 @@ function printHelp() {
     console.log("Dependency Brain");
     console.log("");
     console.log("Usage:");
-    console.log("  dep-brain analyze [path] [--json] [--md] [--out path] [--config path] [--min-score n] [--fail-on-risks] [--fail-on-outdated] [--fail-on-unused] [--fail-on-duplicates]");
-    console.log("  dep-brain report --from <file> [--md] [--json] [--out path]");
+    console.log("  dep-brain analyze [path] [--json] [--md] [--top] [--out path] [--config path] [--min-score n] [--fail-on-risks] [--fail-on-outdated] [--fail-on-unused] [--fail-on-duplicates]");
+    console.log("  dep-brain report --from <file> [--md] [--json] [--top] [--out path]");
     console.log("  dep-brain config [path] [--config path]");
     console.log("  dep-brain help");
     console.log("  dep-brain --version");
@@ -182,6 +187,7 @@ function printHelp() {
     console.log("Options:");
     console.log("  --json              Output JSON for analysis");
     console.log("  --md                Output Markdown report");
+    console.log("  --top               Output the ranked top issues only");
     console.log("  --config <path>     Path to depbrain.config.json");
     console.log("  --from <file>       Read analysis JSON from file");
     console.log("  --out <path>        Write output to a file");
@@ -218,3 +224,18 @@ function sanitizeForLog(value) {
 function resolveUserPath(value) {
     return path.resolve(process.cwd(), value);
 }
+function renderTopIssuesReport(result) {
+    const lines = [];
+    lines.push("Top Issues");
+    lines.push("");
+    if (!Array.isArray(result.topIssues) || result.topIssues.length === 0) {
+        lines.push("No actionable issues found.");
+        return lines.join("\n");
+    }
+    for (const [index, item] of result.topIssues.entries()) {
+        lines.push(`${index + 1}. [${item.priority.toUpperCase()}] ${item.kind} ${item.name}${item.package ? ` [${item.package}]` : ""}`);
+        lines.push(`   Confidence: ${Math.round(item.confidence * 100)}%`);
+        lines.push(`   Next: ${item.recommendation.summary}`);
+    }
+    return lines.join("\n");
+}

package/dist/core/analyzer.d.ts

@@ -8,6 +8,23 @@ export interface DuplicateInstance {
     path: string;
     version: string;
 }
+export interface Recommendation {
+    action: "remove" | "consolidate" | "upgrade" | "review";
+    priority: "high" | "medium" | "low";
+    safety: "safe" | "caution" | "unknown";
+    summary: string;
+    reasons: string[];
+}
+export interface RiskFactors {
+    daysSincePublish: number | null;
+    downloads: number | null;
+    maintainersCount: number | null;
+    versionCount: number | null;
+    recentReleaseCount: number | null;
+    hasRepository: boolean;
+    dependencyType: "dependencies" | "devDependencies" | "unknown";
+}
+export type TrustScore = "high" | "medium" | "low";
 export interface DuplicateDependency {
     name: string;
     versions: string[];
@@ -15,6 +32,7 @@ export interface DuplicateDependency {
     confidence: number;
     reasonCodes: string[];
     explanation: string[];
+    recommendation: Recommendation;
 }
 export interface UnusedDependency {
     name: string;
@@ -23,6 +41,7 @@ export interface UnusedDependency {
     confidence: number;
     reasonCodes: string[];
     explanation: string[];
+    recommendation: Recommendation;
 }
 export interface OutdatedDependency {
     name: string;
@@ -33,6 +52,7 @@ export interface OutdatedDependency {
     confidence: number;
     reasonCodes: string[];
     explanation: string[];
+    recommendation: Recommendation;
 }
 export interface RiskDependency {
     name: string;
@@ -41,6 +61,19 @@ export interface RiskDependency {
     confidence: number;
     reasonCodes: string[];
     explanation: string[];
+    trustScore: TrustScore;
+    riskFactors: RiskFactors;
+    recommendation: Recommendation;
+}
+export interface TopIssue {
+    kind: "unused" | "duplicate" | "outdated" | "risk";
+    name: string;
+    package?: string;
+    priority: "high" | "medium" | "low";
+    confidence: number;
+    summary: string;
+    trustScore?: TrustScore;
+    recommendation: Recommendation;
 }
 export interface AnalysisResult {
     outputVersion: string;
@@ -53,6 +86,7 @@ export interface AnalysisResult {
     outdated: OutdatedDependency[];
     risks: RiskDependency[];
     suggestions: string[];
+    topIssues: TopIssue[];
     config: DepBrainConfig;
     packages?: PackageAnalysisResult[];
 }
@@ -71,8 +105,9 @@ export interface PackageAnalysisResult {
     outdated: OutdatedDependency[];
     risks: RiskDependency[];
     suggestions: string[];
+    topIssues: TopIssue[];
 }
-export declare const OUTPUT_VERSION = "1.1";
+export declare const OUTPUT_VERSION = "1.3";
 export interface ScoreBreakdown {
     baseScore: number;
     duplicates: number;

package/dist/core/analyzer.js

@@ -8,7 +8,7 @@ import { findWorkspacePackages } from "../utils/workspaces.js";
 import { buildDependencyGraph } from "./graph-builder.js";
 import { calculateHealthScore } from "./scorer.js";
 import { buildAnalysisContext } from "./context.js";
-export const OUTPUT_VERSION = "1.1";
+export const OUTPUT_VERSION = "1.3";
 export async function analyzeProject(options = {}) {
     const rootDir = path.resolve(options.rootDir ?? process.cwd());
     const loadedConfig = await loadDepBrainConfig(rootDir, options.configPath);
@@ -68,6 +68,7 @@ export async function analyzeProject(options = {}) {
         outdated,
         risks,
         suggestions,
+        topIssues: buildTopIssues({ duplicates, unused, outdated, risks }),
         config,
         packages
     };
@@ -186,6 +187,12 @@ async function analyzeSingleProject(rootDir, config, options = {}) {
         outdated: scopedOutdated,
         risks: scopedRisks,
         suggestions,
+        topIssues: buildTopIssues({
+            duplicates,
+            unused: scopedUnused,
+            outdated: scopedOutdated,
+            risks: scopedRisks
+        }),
         config
     };
 }
@@ -267,7 +274,8 @@ function mapDuplicateIssues(issues) {
             : [],
         confidence: normalizeConfidence(issue.confidence),
         reasonCodes: normalizeStringArray(issue.reasonCodes),
-        explanation: normalizeStringArray(issue.explanation)
+        explanation: normalizeStringArray(issue.explanation),
+        recommendation: buildDuplicateRecommendation(issue)
     }));
 }
 function mapUnusedIssues(issues) {
@@ -276,7 +284,8 @@ function mapUnusedIssues(issues) {
         section: issue.meta?.section === "devDependencies" ? "devDependencies" : "dependencies",
         confidence: normalizeConfidence(issue.confidence),
         reasonCodes: normalizeStringArray(issue.reasonCodes),
-        explanation: normalizeStringArray(issue.explanation)
+        explanation: normalizeStringArray(issue.explanation),
+        recommendation: buildUnusedRecommendation(issue)
     }));
 }
 function mapOutdatedIssues(issues) {
@@ -289,7 +298,8 @@ function mapOutdatedIssues(issues) {
             : "unknown",
         confidence: normalizeConfidence(issue.confidence),
         reasonCodes: normalizeStringArray(issue.reasonCodes),
-        explanation: normalizeStringArray(issue.explanation)
+        explanation: normalizeStringArray(issue.explanation),
+        recommendation: buildOutdatedRecommendation(issue)
     }));
 }
 function mapRiskIssues(issues) {
@@ -298,9 +308,135 @@ function mapRiskIssues(issues) {
         reasons: Array.isArray(issue.meta?.reasons) ? issue.meta?.reasons : [],
         confidence: normalizeConfidence(issue.confidence),
         reasonCodes: normalizeStringArray(issue.reasonCodes),
-        explanation: normalizeStringArray(issue.explanation)
+        explanation: normalizeStringArray(issue.explanation),
+        trustScore: normalizeTrustScore(issue.meta?.trustScore),
+        riskFactors: normalizeRiskFactors(issue.meta?.riskFactors),
+        recommendation: buildRiskRecommendation(issue)
     }));
 }
+function buildUnusedRecommendation(issue) {
+    const confidence = normalizeConfidence(issue.confidence);
+    const section = issue.meta?.section === "devDependencies" ? "devDependencies" : "dependencies";
+    const safety = section === "devDependencies" || confidence >= 0.88
+        ? "safe"
+        : confidence >= 0.7
+            ? "caution"
+            : "unknown";
+    return {
+        action: "remove",
+        priority: confidence >= 0.88 ? "high" : "medium",
+        safety,
+        summary: safety === "safe"
+            ? `Safe to remove from ${section}.`
+            : safety === "caution"
+                ? `Likely removable from ${section}, but review before deleting.`
+                : `Potentially removable from ${section}, but evidence is limited.`,
+        reasons: normalizeStringArray(issue.explanation)
+    };
+}
+function buildDuplicateRecommendation(issue) {
+    const versions = Array.isArray(issue.meta?.versions) ? issue.meta.versions : [];
+    const targetVersion = versions[versions.length - 1];
+    const instances = Array.isArray(issue.meta?.instances) ? issue.meta.instances.length : 0;
+    return {
+        action: "consolidate",
+        priority: versions.length >= 3 ? "high" : "medium",
+        safety: "caution",
+        summary: targetVersion
+            ? `Consolidate toward ${targetVersion}; ${instances} installation paths are affected.`
+            : "Consolidate duplicate versions to a single target version.",
+        reasons: normalizeStringArray(issue.explanation)
+    };
+}
+function buildOutdatedRecommendation(issue) {
+    const updateType = issue.meta?.updateType === "major" ||
+        issue.meta?.updateType === "minor" ||
+        issue.meta?.updateType === "patch"
+        ? issue.meta.updateType
+        : "unknown";
+    const priority = updateType === "major" ? "high" : updateType === "minor" ? "medium" : "low";
+    const safety = updateType === "patch" ? "safe" : updateType === "minor" ? "caution" : "unknown";
+    return {
+        action: "upgrade",
+        priority,
+        safety,
+        summary: updateType === "major"
+            ? "New major version available; review breaking changes before upgrading."
+            : updateType === "minor"
+                ? "New minor version available; review release notes before upgrading."
+                : updateType === "patch"
+                    ? "Routine patch update available."
+                    : "Newer version available; review upgrade impact.",
+        reasons: normalizeStringArray(issue.explanation)
+    };
+}
+function buildRiskRecommendation(issue) {
+    const reasons = normalizeStringArray(issue.explanation);
+    const confidence = normalizeConfidence(issue.confidence);
+    const trustScore = normalizeTrustScore(issue.meta?.trustScore);
+    return {
+        action: "review",
+        priority: trustScore === "low" || confidence >= 0.79 ? "high" : "medium",
+        safety: "caution",
+        summary: trustScore === "low"
+            ? "Low trust package; review whether to replace, pin, or monitor it closely."
+            : "Review package trust signals and decide whether to keep, replace, or monitor it.",
+        reasons
+    };
+}
+function buildTopIssues(input) {
+    const issues = [
+        ...input.unused.map((item) => ({
+            kind: "unused",
+            name: item.name,
+            package: item.package,
+            priority: item.recommendation.priority,
+            confidence: item.confidence,
+            summary: item.recommendation.summary,
+            recommendation: item.recommendation
+        })),
+        ...input.duplicates.map((item) => ({
+            kind: "duplicate",
+            name: item.name,
+            priority: item.recommendation.priority,
+            confidence: item.confidence,
+            summary: item.recommendation.summary,
+            recommendation: item.recommendation
+        })),
+        ...input.outdated.map((item) => ({
+            kind: "outdated",
+            name: item.name,
+            package: item.package,
+            priority: item.recommendation.priority,
+            confidence: item.confidence,
+            summary: item.recommendation.summary,
+            recommendation: item.recommendation
+        })),
+        ...input.risks.map((item) => ({
+            kind: "risk",
+            name: item.name,
+            package: item.package,
+            priority: item.recommendation.priority,
+            confidence: item.confidence,
+            summary: item.recommendation.summary,
+            trustScore: item.trustScore,
+            recommendation: item.recommendation
+        }))
+    ];
+    return issues
+        .sort((left, right) => comparePriority(right.priority, left.priority) ||
+        compareTrustScore(right.trustScore, left.trustScore) ||
+        right.confidence - left.confidence)
+        .slice(0, 5);
+}
+function comparePriority(left, right) {
+    const rank = { high: 3, medium: 2, low: 1 };
+    return rank[left] - rank[right];
+}
+function compareTrustScore(left, right) {
+    const rank = { low: 3, medium: 2, high: 1, undefined: 0 };
+    return rank[left ?? "undefined"] - rank[right ?? "undefined"];
+}
 function normalizeConfidence(value) {
     if (typeof value !== "number" || Number.isNaN(value)) {
         return 0.5;
@@ -313,6 +449,36 @@ function normalizeStringArray(value) {
     }
     return value.filter((entry) => typeof entry === "string");
 }
+function normalizeTrustScore(value) {
+    return value === "high" || value === "medium" || value === "low"
+        ? value
+        : "medium";
+}
+function normalizeRiskFactors(value) {
+    if (!value || typeof value !== "object") {
+        return {
+            daysSincePublish: null,
+            downloads: null,
+            maintainersCount: null,
+            versionCount: null,
+            recentReleaseCount: null,
+            hasRepository: false,
+            dependencyType: "unknown"
+        };
+    }
+    const factors = value;
+    return {
+        daysSincePublish: typeof factors.daysSincePublish === "number" ? factors.daysSincePublish : null,
+        downloads: typeof factors.downloads === "number" ? factors.downloads : null,
+        maintainersCount: typeof factors.maintainersCount === "number" ? factors.maintainersCount : null,
+        versionCount: typeof factors.versionCount === "number" ? factors.versionCount : null,
+        recentReleaseCount: typeof factors.recentReleaseCount === "number" ? factors.recentReleaseCount : null,
+        hasRepository: factors.hasRepository === true,
+        dependencyType: factors.dependencyType === "dependencies" || factors.dependencyType === "devDependencies"
+            ? factors.dependencyType
+            : "unknown"
+    };
+}
 function buildScoreBreakdown(counts, config) {
     return {
         baseScore: 100,

package/dist/index.d.ts

@@ -1,5 +1,5 @@
 export { analyzeProject } from "./core/analyzer.js";
-export type { AnalysisOptions, AnalysisResult, DuplicateDependency, OutdatedDependency, PolicyResult, PackageAnalysisResult, ScoreBreakdown, RiskDependency, UnusedDependency } from "./core/analyzer.js";
+export type { AnalysisOptions, AnalysisResult, DuplicateDependency, OutdatedDependency, PolicyResult, PackageAnalysisResult, Recommendation, ScoreBreakdown, RiskDependency, TopIssue, UnusedDependency } from "./core/analyzer.js";
 export { OUTPUT_VERSION } from "./core/analyzer.js";
 export type { AnalysisContext, CheckResult, Issue } from "./core/types.js";
 export type { DepBrainConfig, DepBrainConfigOverrides } from "./utils/config.js";

package/dist/reporters/console.js

@@ -1,5 +1,12 @@
 export function renderConsoleReport(result) {
     const lines = [];
+    if (result.topIssues.length > 0) {
+        lines.push("Top Issues:");
+        for (const item of result.topIssues) {
+            lines.push(`- [${item.priority.toUpperCase()}] ${item.kind} ${item.name}${item.package ? ` [${item.package}]` : ""}${item.trustScore ? ` | trust ${item.trustScore.toUpperCase()}` : ""} | confidence ${Math.round(item.confidence * 100)}% | ${item.summary}`);
+        }
+        lines.push("");
+    }
     lines.push(`Project Health: ${result.score}/100`);
     lines.push(`Path: ${result.rootDir}`);
     lines.push(`Policy: ${result.policy.passed ? "PASS" : "FAIL"}`);
@@ -16,16 +23,16 @@ export function renderConsoleReport(result) {
             lines.push(`- ${pkg.name}: ${pkg.score}/100, D:${pkg.duplicates.length} U:${pkg.unused.length} O:${pkg.outdated.length} R:${pkg.risks.length}`);
         }
     }
-    appendSection(lines, "Duplicate dependencies", result.duplicates.map((item) => formatEntry(`${item.name}: ${item.versions.join(", ")}`, item.confidence, item.explanation)));
+    appendSection(lines, "Duplicate dependencies", result.duplicates.map((item) => formatEntry(`${item.name}: ${item.versions.join(", ")}`, item.confidence, item.explanation, item.recommendation)));
     appendSection(lines, "Unused dependencies", result.unused.map((item) => formatEntry(item.package
         ? `${item.name} (${item.section}) [${item.package}]`
-        : `${item.name} (${item.section})`, item.confidence, item.explanation)));
+        : `${item.name} (${item.section})`, item.confidence, item.explanation, item.recommendation)));
     appendSection(lines, "Outdated dependencies", result.outdated.map((item) => formatEntry(item.package
         ? `${item.name}: ${item.current} -> ${item.latest} [${item.updateType}] [${item.package}]`
-        : `${item.name}: ${item.current} -> ${item.latest} [${item.updateType}]`, item.confidence, item.explanation)));
+        : `${item.name}: ${item.current} -> ${item.latest} [${item.updateType}]`, item.confidence, item.explanation, item.recommendation)));
     appendSection(lines, "Risky dependencies", result.risks.map((item) => formatEntry(item.package
-        ? `${item.name}: ${item.reasons.join("; ")} [${item.package}]`
-        : `${item.name}: ${item.reasons.join("; ")}`, item.confidence, item.explanation)));
+        ? `${item.name}: ${item.reasons.join("; ")} [${item.package}] [trust ${item.trustScore.toUpperCase()}]`
+        : `${item.name}: ${item.reasons.join("; ")} [trust ${item.trustScore.toUpperCase()}]`, item.confidence, item.explanation, item.recommendation)));
     appendSection(lines, "Policy reasons", result.policy.reasons);
     if (result.suggestions.length > 0) {
         lines.push("");
@@ -50,7 +57,10 @@ function appendSection(lines, title, entries) {
         lines.push(`- ${entry}`);
     }
 }
-function formatEntry(label, confidence, explanation) {
+function formatEntry(label, confidence, explanation, recommendation) {
     const reasonSummary = explanation.length > 0 ? ` | why: ${explanation.join("; ")}` : "";
-    return `${label} | confidence ${Math.round(confidence * 100)}%${reasonSummary}`;
+    const recommendationSummary = recommendation
+        ? ` | next: ${recommendation.summary}`
+        : "";
+    return `${label} | confidence ${Math.round(confidence * 100)}%${recommendationSummary}${reasonSummary}`;
 }

package/dist/reporters/markdown.js

@@ -2,6 +2,13 @@ export function renderMarkdownReport(result) {
     const lines = [];
     lines.push(`# Dependency Brain Report`);
     lines.push("");
+    if (result.topIssues.length > 0) {
+        lines.push("## Top Issues");
+        for (const item of result.topIssues) {
+            lines.push(`- **${item.priority.toUpperCase()}** ${item.kind} \`${item.name}\`${item.package ? ` [${item.package}]` : ""}${item.trustScore ? ` | trust ${item.trustScore.toUpperCase()}` : ""} | confidence ${Math.round(item.confidence * 100)}% | ${item.summary}`);
+        }
+        lines.push("");
+    }
     lines.push(`- **Project Health:** ${result.score}/100`);
     lines.push(`- **Path:** ${result.rootDir}`);
     lines.push(`- **Policy:** ${result.policy.passed ? "PASS" : "FAIL"}`);
@@ -20,16 +27,16 @@ export function renderMarkdownReport(result) {
     lines.push(`- Outdated: ${result.outdated.length}`);
     lines.push(`- Risks: ${result.risks.length}`);
     lines.push("");
-    appendSection(lines, "Duplicate dependencies", result.duplicates.map((item) => formatEntry(`${item.name}: ${item.versions.join(", ")}`, item.confidence, item.explanation)));
+    appendSection(lines, "Duplicate dependencies", result.duplicates.map((item) => formatEntry(`${item.name}: ${item.versions.join(", ")}`, item.confidence, item.explanation, item.recommendation)));
     appendSection(lines, "Unused dependencies", result.unused.map((item) => formatEntry(item.package
         ? `${item.name} (${item.section}) [${item.package}]`
-        : `${item.name} (${item.section})`, item.confidence, item.explanation)));
+        : `${item.name} (${item.section})`, item.confidence, item.explanation, item.recommendation)));
     appendSection(lines, "Outdated dependencies", result.outdated.map((item) => formatEntry(item.package
         ? `${item.name}: ${item.current} -> ${item.latest} [${item.updateType}] [${item.package}]`
-        : `${item.name}: ${item.current} -> ${item.latest} [${item.updateType}]`, item.confidence, item.explanation)));
+        : `${item.name}: ${item.current} -> ${item.latest} [${item.updateType}]`, item.confidence, item.explanation, item.recommendation)));
     appendSection(lines, "Risky dependencies", result.risks.map((item) => formatEntry(item.package
-        ? `${item.name}: ${item.reasons.join("; ")} [${item.package}]`
-        : `${item.name}: ${item.reasons.join("; ")}`, item.confidence, item.explanation)));
+        ? `${item.name}: ${item.reasons.join("; ")} [${item.package}] [trust ${item.trustScore.toUpperCase()}]`
+        : `${item.name}: ${item.reasons.join("; ")} [trust ${item.trustScore.toUpperCase()}]`, item.confidence, item.explanation, item.recommendation)));
     appendSection(lines, "Policy reasons", result.policy.reasons);
     if (result.suggestions.length > 0) {
         lines.push("## Suggestions");
@@ -50,7 +57,10 @@ function appendSection(lines, title, items) {
     }
     lines.push("");
 }
-function formatEntry(label, confidence, explanation) {
+function formatEntry(label, confidence, explanation, recommendation) {
     const reasonSummary = explanation.length > 0 ? ` | why: ${explanation.join("; ")}` : "";
-    return `${label} | confidence ${Math.round(confidence * 100)}%${reasonSummary}`;
+    const recommendationSummary = recommendation
+        ? ` | next: ${recommendation.summary}`
+        : "";
+    return `${label} | confidence ${Math.round(confidence * 100)}%${recommendationSummary}${reasonSummary}`;
 }

package/dist/utils/npm-api.d.ts

@@ -3,6 +3,9 @@ export interface PackageMetadata {
     repository: string | null;
     downloads: number | null;
     daysSincePublish: number | null;
+    maintainersCount: number | null;
+    versionCount: number | null;
+    recentReleaseCount: number | null;
 }
 export declare function getLatestVersion(name: string): Promise<string | null>;
 export declare function getPackageMetadata(name: string): Promise<PackageMetadata | null>;

package/dist/utils/npm-api.js

@@ -39,14 +39,35 @@ async function fetchPackageMetadata(name) {
         const repository = typeof packageJson.repository === "string"
             ? packageJson.repository
             : packageJson.repository?.url ?? null;
+        const maintainersCount = Array.isArray(packageJson.maintainers)
+            ? packageJson.maintainers.length
+            : null;
+        const versionCount = packageJson.versions
+            ? Object.keys(packageJson.versions).length
+            : null;
+        const recentReleaseCount = countRecentReleases(packageJson.time ?? {});
         return {
             latestVersion,
             repository,
             downloads: downloadsJson.downloads ?? null,
-            daysSincePublish
+            daysSincePublish,
+            maintainersCount,
+            versionCount,
+            recentReleaseCount
         };
     }
     catch {
         return null;
     }
 }
+function countRecentReleases(time) {
+    const values = Object.entries(time)
+        .filter(([key]) => key !== "created" && key !== "modified")
+        .map(([, value]) => new Date(value).getTime())
+        .filter((value) => Number.isFinite(value));
+    if (values.length === 0) {
+        return null;
+    }
+    const thirtyDaysAgo = Date.now() - 30 * 24 * 60 * 60 * 1000;
+    return values.filter((value) => value >= thirtyDaysAgo).length;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "dep-brain",
-  "version": "0.6.0",
+  "version": "0.8.0",
   "description": "CLI and library for dependency health analysis",
   "type": "module",
   "main": "dist/index.js",