dep-brain 0.8.0 → 0.9.0

package/CHANGELOG.md

@@ -2,7 +2,7 @@
 
 All notable changes to this project will be documented in this file.
 
-## Unreleased
+## 0.9.0
 
 - Workspace-aware analysis for npm workspaces.
 - Config loading and CI policy controls.
@@ -11,3 +11,5 @@ All notable changes to this project will be documented in this file.
 - Ranked top-issues summary output with `--top`.
 - Supply-chain trust scoring for risk findings.
 - Structured risk factors in JSON output.
+- Monorepo ownership summaries for workspace packages.
+- Workspace-level duplicate attribution and root-cause tracing.

package/README.md

@@ -75,6 +75,12 @@ dep-brain --version
 
 If the root `package.json` defines `workspaces`, `dep-brain` analyzes each workspace package and reports per-package results. Aggregated counts are still shown at the top-level summary.
 
+Workspace analysis now includes:
+
+- per-workspace ownership summaries
+- root-level duplicate attribution back to contributing workspaces
+- top issues that stay tagged to the workspace that should act
+
 ## Example Output
 
 ```text

package/depbrain.output.schema.json

@@ -2,7 +2,7 @@
   "$schema": "https://json-schema.org/draft/2020-12/schema",
   "title": "Dependency Brain Analysis Output",
   "type": "object",
-  "required": ["outputVersion", "rootDir", "score", "scoreBreakdown", "policy", "duplicates", "unused", "outdated", "risks", "suggestions", "topIssues", "config"],
+  "required": ["outputVersion", "rootDir", "score", "scoreBreakdown", "policy", "ownershipSummary", "duplicates", "unused", "outdated", "risks", "suggestions", "topIssues", "config"],
   "additionalProperties": false,
   "properties": {
     "recommendation": {
@@ -31,6 +31,17 @@
         "dependencyType": { "type": "string", "enum": ["dependencies", "devDependencies", "unknown"] }
       }
     },
+    "ownershipSummary": {
+      "type": "object",
+      "required": ["duplicates", "unused", "outdated", "risks"],
+      "additionalProperties": false,
+      "properties": {
+        "duplicates": { "type": "number" },
+        "unused": { "type": "number" },
+        "outdated": { "type": "number" },
+        "risks": { "type": "number" }
+      }
+    },
     "outputVersion": { "type": "string" },
     "rootDir": { "type": "string" },
     "score": { "type": "number" },
@@ -66,15 +77,30 @@
         "reasons": { "type": "array", "items": { "type": "string" } }
       }
     },
+    "ownershipSummary": { "$ref": "#/properties/ownershipSummary" },
     "duplicates": {
       "type": "array",
       "items": {
         "type": "object",
-        "required": ["name", "versions", "instances", "confidence", "reasonCodes", "explanation", "recommendation"],
+        "required": ["name", "versions", "instances", "workspaceUsage", "rootCause", "confidence", "reasonCodes", "explanation", "recommendation"],
         "additionalProperties": false,
         "properties": {
           "name": { "type": "string" },
           "versions": { "type": "array", "items": { "type": "string" } },
+          "workspaceUsage": {
+            "type": "array",
+            "items": {
+              "type": "object",
+              "required": ["workspace", "section", "declaredVersion"],
+              "additionalProperties": false,
+              "properties": {
+                "workspace": { "type": "string" },
+                "section": { "type": "string", "enum": ["dependencies", "devDependencies"] },
+                "declaredVersion": { "type": "string" }
+              }
+            }
+          },
+          "rootCause": { "type": "array", "items": { "type": "string" } },
           "confidence": { "type": "number", "minimum": 0, "maximum": 1 },
           "reasonCodes": { "type": "array", "items": { "type": "string" } },
           "explanation": { "type": "array", "items": { "type": "string" } },

package/dist/checks/duplicate.js

@@ -4,6 +4,8 @@ export async function findDuplicateDependencies(graph) {
         name,
         versions: Array.from(new Set(instances.map((instance) => instance.version))).sort(),
         instances,
+        workspaceUsage: [],
+        rootCause: [],
         confidence: 0.98,
         reasonCodes: [
             "multiple_lockfile_versions",

package/dist/core/analyzer.d.ts

@@ -8,6 +8,17 @@ export interface DuplicateInstance {
     path: string;
     version: string;
 }
+export interface WorkspaceDependencyUsage {
+    workspace: string;
+    section: "dependencies" | "devDependencies";
+    declaredVersion: string;
+}
+export interface WorkspaceOwnershipSummary {
+    duplicates: number;
+    unused: number;
+    outdated: number;
+    risks: number;
+}
 export interface Recommendation {
     action: "remove" | "consolidate" | "upgrade" | "review";
     priority: "high" | "medium" | "low";
@@ -29,6 +40,8 @@ export interface DuplicateDependency {
     name: string;
     versions: string[];
     instances: DuplicateInstance[];
+    workspaceUsage: WorkspaceDependencyUsage[];
+    rootCause: string[];
     confidence: number;
     reasonCodes: string[];
     explanation: string[];
@@ -81,6 +94,7 @@ export interface AnalysisResult {
     score: number;
     scoreBreakdown: ScoreBreakdown;
     policy: PolicyResult;
+    ownershipSummary: WorkspaceOwnershipSummary;
     duplicates: DuplicateDependency[];
     unused: UnusedDependency[];
     outdated: OutdatedDependency[];
@@ -100,6 +114,7 @@ export interface PackageAnalysisResult {
     score: number;
     scoreBreakdown: ScoreBreakdown;
     policy: PolicyResult;
+    ownershipSummary: WorkspaceOwnershipSummary;
     duplicates: DuplicateDependency[];
     unused: UnusedDependency[];
     outdated: OutdatedDependency[];
@@ -107,7 +122,7 @@ export interface PackageAnalysisResult {
     suggestions: string[];
     topIssues: TopIssue[];
 }
-export declare const OUTPUT_VERSION = "1.3";
+export declare const OUTPUT_VERSION = "1.4";
 export interface ScoreBreakdown {
     baseScore: number;
     duplicates: number;

package/dist/core/analyzer.js

@@ -8,7 +8,7 @@ import { findWorkspacePackages } from "../utils/workspaces.js";
 import { buildDependencyGraph } from "./graph-builder.js";
 import { calculateHealthScore } from "./scorer.js";
 import { buildAnalysisContext } from "./context.js";
-export const OUTPUT_VERSION = "1.3";
+export const OUTPUT_VERSION = "1.4";
 export async function analyzeProject(options = {}) {
     const rootDir = path.resolve(options.rootDir ?? process.cwd());
     const loadedConfig = await loadDepBrainConfig(rootDir, options.configPath);
@@ -28,6 +28,11 @@ export async function analyzeProject(options = {}) {
         });
         packages.push({ ...result, name: workspace.name });
     }
+    const workspaceGraphs = await Promise.all(workspaces.map(async (workspace) => ({
+        name: workspace.name,
+        graph: await buildDependencyGraph(workspace.rootDir)
+    })));
+    const attributedDuplicates = addWorkspaceAttribution(duplicates, workspaceGraphs);
     const unused = packages.flatMap((pkg) => pkg.unused.map((item) => ({ ...item, package: pkg.name })));
     const outdated = packages.flatMap((pkg) => pkg.outdated.map((item) => ({ ...item, package: pkg.name })));
     const risks = packages.flatMap((pkg) => pkg.risks.map((item) => ({ ...item, package: pkg.name })));
@@ -52,7 +57,7 @@ export async function analyzeProject(options = {}) {
     ].slice(0, config.report.maxSuggestions);
     const policy = evaluatePolicy({
         score,
-        duplicates: duplicates.length,
+        duplicates: attributedDuplicates.length,
         unused: unused.length,
         outdated: outdated.length,
         risks: risks.length
@@ -63,12 +68,23 @@ export async function analyzeProject(options = {}) {
         score,
         scoreBreakdown,
         policy,
-        duplicates,
+        ownershipSummary: buildOwnershipSummary({
+            duplicates: attributedDuplicates,
+            unused,
+            outdated,
+            risks
+        }),
+        duplicates: attributedDuplicates,
         unused,
         outdated,
         risks,
         suggestions,
-        topIssues: buildTopIssues({ duplicates, unused, outdated, risks }),
+        topIssues: buildTopIssues({
+            duplicates: attributedDuplicates,
+            unused,
+            outdated,
+            risks
+        }),
         config,
         packages
     };
@@ -182,6 +198,12 @@ async function analyzeSingleProject(rootDir, config, options = {}) {
         score,
         scoreBreakdown,
         policy,
+        ownershipSummary: buildOwnershipSummary({
+            duplicates,
+            unused: scopedUnused,
+            outdated: scopedOutdated,
+            risks: scopedRisks
+        }),
         duplicates,
         unused: scopedUnused,
         outdated: scopedOutdated,
@@ -272,6 +294,8 @@ function mapDuplicateIssues(issues) {
         instances: Array.isArray(issue.meta?.instances)
             ? issue.meta?.instances
             : [],
+        workspaceUsage: normalizeWorkspaceUsage(issue.meta?.workspaceUsage),
+        rootCause: normalizeStringArray(issue.meta?.rootCause),
         confidence: normalizeConfidence(issue.confidence),
         reasonCodes: normalizeStringArray(issue.reasonCodes),
         explanation: normalizeStringArray(issue.explanation),
@@ -437,6 +461,42 @@ function compareTrustScore(left, right) {
     const rank = { low: 3, medium: 2, high: 1, undefined: 0 };
     return rank[left ?? "undefined"] - rank[right ?? "undefined"];
 }
+function addWorkspaceAttribution(duplicates, workspaceGraphs) {
+    return duplicates.map((item) => {
+        const usage = [];
+        for (const workspace of workspaceGraphs) {
+            const runtimeVersion = workspace.graph.dependencies[item.name];
+            if (runtimeVersion) {
+                usage.push({
+                    workspace: workspace.name,
+                    section: "dependencies",
+                    declaredVersion: runtimeVersion
+                });
+            }
+            const devVersion = workspace.graph.devDependencies[item.name];
+            if (devVersion) {
+                usage.push({
+                    workspace: workspace.name,
+                    section: "devDependencies",
+                    declaredVersion: devVersion
+                });
+            }
+        }
+        return {
+            ...item,
+            workspaceUsage: usage,
+            rootCause: usage.map((entry) => `${entry.workspace} -> ${item.name}@${entry.declaredVersion}`)
+        };
+    });
+}
+function buildOwnershipSummary(input) {
+    return {
+        duplicates: input.duplicates.length,
+        unused: input.unused.length,
+        outdated: input.outdated.length,
+        risks: input.risks.length
+    };
+}
 function normalizeConfidence(value) {
     if (typeof value !== "number" || Number.isNaN(value)) {
         return 0.5;
@@ -479,6 +539,29 @@ function normalizeRiskFactors(value) {
             : "unknown"
     };
 }
+function normalizeWorkspaceUsage(value) {
+    if (!Array.isArray(value)) {
+        return [];
+    }
+    return value
+        .map((entry) => {
+        if (!entry || typeof entry !== "object") {
+            return null;
+        }
+        const usage = entry;
+        if (typeof usage.workspace !== "string" ||
+            typeof usage.declaredVersion !== "string" ||
+            (usage.section !== "dependencies" && usage.section !== "devDependencies")) {
+            return null;
+        }
+        return {
+            workspace: usage.workspace,
+            section: usage.section,
+            declaredVersion: usage.declaredVersion
+        };
+    })
+        .filter((entry) => entry !== null);
+}
 function buildScoreBreakdown(counts, config) {
     return {
         baseScore: 100,

package/dist/index.d.ts

@@ -1,5 +1,5 @@
 export { analyzeProject } from "./core/analyzer.js";
-export type { AnalysisOptions, AnalysisResult, DuplicateDependency, OutdatedDependency, PolicyResult, PackageAnalysisResult, Recommendation, ScoreBreakdown, RiskDependency, TopIssue, UnusedDependency } from "./core/analyzer.js";
+export type { AnalysisOptions, AnalysisResult, DuplicateDependency, OutdatedDependency, PolicyResult, PackageAnalysisResult, Recommendation, RiskFactors, ScoreBreakdown, RiskDependency, TopIssue, TrustScore, UnusedDependency, WorkspaceDependencyUsage, WorkspaceOwnershipSummary } from "./core/analyzer.js";
 export { OUTPUT_VERSION } from "./core/analyzer.js";
 export type { AnalysisContext, CheckResult, Issue } from "./core/types.js";
 export type { DepBrainConfig, DepBrainConfigOverrides } from "./utils/config.js";

package/dist/reporters/console.js

@@ -20,10 +20,10 @@ export function renderConsoleReport(result) {
         lines.push("");
         lines.push("Packages:");
         for (const pkg of result.packages) {
-            lines.push(`- ${pkg.name}: ${pkg.score}/100, D:${pkg.duplicates.length} U:${pkg.unused.length} O:${pkg.outdated.length} R:${pkg.risks.length}`);
+            lines.push(`- ${pkg.name}: ${pkg.score}/100, D:${pkg.ownershipSummary.duplicates} U:${pkg.ownershipSummary.unused} O:${pkg.ownershipSummary.outdated} R:${pkg.ownershipSummary.risks}`);
         }
     }
-    appendSection(lines, "Duplicate dependencies", result.duplicates.map((item) => formatEntry(`${item.name}: ${item.versions.join(", ")}`, item.confidence, item.explanation, item.recommendation)));
+    appendSection(lines, "Duplicate dependencies", result.duplicates.map((item) => formatEntry(`${item.name}: ${item.versions.join(", ")}${item.rootCause.length > 0 ? ` | via ${item.rootCause.join("; ")}` : ""}`, item.confidence, item.explanation, item.recommendation)));
     appendSection(lines, "Unused dependencies", result.unused.map((item) => formatEntry(item.package
         ? `${item.name} (${item.section}) [${item.package}]`
         : `${item.name} (${item.section})`, item.confidence, item.explanation, item.recommendation)));

package/dist/reporters/markdown.js

@@ -17,7 +17,7 @@ export function renderMarkdownReport(result) {
     if (result.packages && result.packages.length > 0) {
         lines.push("## Packages");
         for (const pkg of result.packages) {
-            lines.push(`- ${pkg.name}: ${pkg.score}/100 (D:${pkg.duplicates.length} U:${pkg.unused.length} O:${pkg.outdated.length} R:${pkg.risks.length})`);
+            lines.push(`- ${pkg.name}: ${pkg.score}/100 (D:${pkg.ownershipSummary.duplicates} U:${pkg.ownershipSummary.unused} O:${pkg.ownershipSummary.outdated} R:${pkg.ownershipSummary.risks})`);
         }
         lines.push("");
     }
@@ -27,7 +27,7 @@ export function renderMarkdownReport(result) {
     lines.push(`- Outdated: ${result.outdated.length}`);
     lines.push(`- Risks: ${result.risks.length}`);
     lines.push("");
-    appendSection(lines, "Duplicate dependencies", result.duplicates.map((item) => formatEntry(`${item.name}: ${item.versions.join(", ")}`, item.confidence, item.explanation, item.recommendation)));
+    appendSection(lines, "Duplicate dependencies", result.duplicates.map((item) => formatEntry(`${item.name}: ${item.versions.join(", ")}${item.rootCause.length > 0 ? ` | via ${item.rootCause.join("; ")}` : ""}`, item.confidence, item.explanation, item.recommendation)));
     appendSection(lines, "Unused dependencies", result.unused.map((item) => formatEntry(item.package
         ? `${item.name} (${item.section}) [${item.package}]`
         : `${item.name} (${item.section})`, item.confidence, item.explanation, item.recommendation)));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "dep-brain",
-  "version": "0.8.0",
+  "version": "0.9.0",
   "description": "CLI and library for dependency health analysis",
   "type": "module",
   "main": "dist/index.js",