dep-brain 1.2.0 → 1.4.0

package/CHANGELOG.md

@@ -2,6 +2,30 @@
 
 All notable changes to this project will be documented in this file.
 
+## 1.4.0
+
+- Added lockfile dependency-edge parsing so transitive relationships are available from npm, pnpm, and yarn lockfiles.
+- Changed risk analysis from direct-package-only output to direct-owner risk summaries with `transitiveRiskScore` and `riskyTransitiveDeps`.
+- Added transitive dependency counts and risky transitive counts to `riskFactors`.
+- Updated console, markdown, and dashboard reports to highlight transitive risk hotspots.
+- Bumped analysis output contract to `1.5` and added regression coverage for transitive risk propagation.
+
+## 1.3.0
+
+- Added plugin diagnostics under `extensions.depBrain.plugins` for failed plugin loads and hook errors.
+- Added built-in `license` plugin through `plugins.enabled: ["license"]`.
+- Added configurable risk thresholds for stale release days, aging release days, low downloads, and trust score weights.
+- Added `--dashboard` and `--dashboard-out` for static HTML dashboard generation.
+- Updated starter config, schemas, README, and tests for v1.3 behavior.
+
+## 1.2.0
+
+- Added `PluginManager` with `preScan`, `postScan`, and `reportHook` lifecycle support.
+- Added disabled-by-default plugin config through `plugins.enabled` and `plugins.paths`.
+- Added `extensions` to analysis output so plugins can enrich results without breaking schema.
+- Added future config slots for risk thresholds, dashboard output, and notification webhook env names.
+- Added regression coverage for plugin hooks enriching `extensions`.
+
 ## 1.1.0
 
 - Added `--focus` modes for targeted duplicate, unused, outdated, risk, and health analysis.

package/README.md

@@ -21,9 +21,10 @@
 - Detect likely unused dependencies from source imports and scripts
 - Detect outdated packages
 - Highlight dependency risk signals
+- Show which direct dependency introduces risky transitive packages
 - Score package trust using supply-chain metadata
 - Generate a simple project health score
-- Output reports in console, JSON, Markdown, SARIF, and top-issues formats
+- Output reports in console, JSON, Markdown, SARIF, dashboard, and top-issues formats
 - Gate CI with score and finding policies
 - Compare new findings against a baseline report
 
@@ -39,6 +40,7 @@ The long-term goal is not just to list problems, but to answer:
 - Unused dependency detection with runtime vs dev-tool heuristics
 - Outdated dependency reporting with `major`, `minor`, and `patch` classification
 - Risk analysis based on npm package metadata
+- Transitive risk ownership and path tracing for direct dependencies
 - Confidence scores, reason codes, explanations, and recommendations for findings
 - Config loading from `depbrain.config.json`
 - Ignore rules for noisy dependencies and checks
@@ -48,12 +50,14 @@ The long-term goal is not just to list problems, but to answer:
 - JSON output via `--json`
 - Markdown output via `--md`
 - SARIF output via `--sarif`
+- Static HTML dashboard via `--dashboard`
 - Ranked top issues via `--top`
 - Baseline mode via `--baseline`
 - Focused analysis via `--focus`
 - Low-noise CI defaults via `--ci`
 - Starter config generation via `dep-brain init`
 - Reusable GitHub Action via `action.yml`
+- Built-in `license` plugin and plugin diagnostics
 - Library entrypoint for programmatic use
 
 ## CLI Usage
@@ -73,6 +77,8 @@ npx dep-brain analyze ./path-to-project --fail-on-unused --json
 npx dep-brain analyze --md > depbrain.md
 npx dep-brain analyze --json --out depbrain.json
 npx dep-brain analyze --sarif --out depbrain.sarif
+npx dep-brain analyze --dashboard
+npx dep-brain analyze --dashboard --dashboard-out reports/depbrain.html
 npx dep-brain analyze --focus duplicates
 npx dep-brain analyze --ci
 npx dep-brain analyze --baseline depbrain-baseline.json
@@ -176,6 +182,28 @@ dep-brain analyze --top
 
 Shows the highest-priority actionable findings first, including confidence and next-step guidance.
 
+## Dashboard Output
+
+```bash
+dep-brain analyze --dashboard
+dep-brain analyze --dashboard --dashboard-out reports/depbrain.html
+```
+
+Writes a static HTML dashboard. Default path comes from `dashboard.outputPath`.
+
+## Plugins
+
+```json
+{
+  "plugins": {
+    "enabled": ["license"],
+    "paths": ["./depbrain-plugin.mjs"]
+  }
+}
+```
+
+Built-in `license` plugin adds license counts under `extensions.license`. Failed plugin loads and hook errors are reported under `extensions.depBrain.plugins`.
+
 ## Report From JSON
 
 ```bash
@@ -194,30 +222,6 @@ dep-brain analyze --baseline depbrain-baseline.json --min-score 90 --fail-on-ris
 
 The baseline file is a normal JSON analysis report. Matching entries in `duplicates`, `unused`, `outdated`, and `risks` are ignored before score, policy, suggestions, and top issues are calculated.
 
-## GitHub Action
-
-```yaml
-name: Dependency Brain
-
-on:
-  pull_request:
-
-jobs:
-  dep-brain:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 22
-      - uses: prakashu51/dep-brain@v1
-        with:
-          format: sarif
-          out: depbrain.sarif
-          min-score: 85
-          fail-on-risks: "true"
-```
-
 ## Config File
 
 Create a `depbrain.config.json` file in the project root:
@@ -239,12 +243,17 @@ Create a `depbrain.config.json` file in the project root:
     "maxSuggestions": 3
   },
   "plugins": {
-    "enabled": [],
+    "enabled": ["license"],
     "paths": []
   },
   "risk": {
     "transitiveBloatThreshold": 50,
-    "typosquattingDistanceThreshold": 2
+    "typosquattingDistanceThreshold": 2,
+    "staleReleaseDays": 730,
+    "agingReleaseDays": 365,
+    "lowDownloadThreshold": 1000,
+    "lowTrustWeightThreshold": 6,
+    "mediumTrustWeightThreshold": 3
   },
   "dashboard": {
     "outputPath": "depbrain-dashboard.html"
@@ -283,6 +292,11 @@ Supported sections:
 - `plugins.paths`
 - `risk.transitiveBloatThreshold`
 - `risk.typosquattingDistanceThreshold`
+- `risk.staleReleaseDays`
+- `risk.agingReleaseDays`
+- `risk.lowDownloadThreshold`
+- `risk.lowTrustWeightThreshold`
+- `risk.mediumTrustWeightThreshold`
 - `dashboard.outputPath`
 - `notifications.slackWebhookEnv`
 - `notifications.discordWebhookEnv`
@@ -367,7 +381,7 @@ src/
 
 The project should optimize for trust, clarity, and actionability over flashy UI, generic graphs, or simply adding more checks.
 
-Risk findings now include a `trustScore` plus structured `riskFactors` such as publish recency, maintainer count, and repository presence.
+Risk findings now include a `trustScore`, structured `riskFactors`, `transitiveRiskScore`, and `riskyTransitiveDeps` path traces so teams can see which direct package introduces supply-chain risk.
 
 ## Repository Notes
 

package/depbrain.config.json

@@ -25,7 +25,12 @@
   },
   "risk": {
     "transitiveBloatThreshold": 50,
-    "typosquattingDistanceThreshold": 2
+    "typosquattingDistanceThreshold": 2,
+    "staleReleaseDays": 730,
+    "agingReleaseDays": 365,
+    "lowDownloadThreshold": 1000,
+    "lowTrustWeightThreshold": 6,
+    "mediumTrustWeightThreshold": 3
   },
   "dashboard": {
     "outputPath": "depbrain-dashboard.html"

package/depbrain.config.schema.json

@@ -49,7 +49,12 @@
       "additionalProperties": false,
       "properties": {
         "transitiveBloatThreshold": { "type": "number" },
-        "typosquattingDistanceThreshold": { "type": "number" }
+        "typosquattingDistanceThreshold": { "type": "number" },
+        "staleReleaseDays": { "type": "number" },
+        "agingReleaseDays": { "type": "number" },
+        "lowDownloadThreshold": { "type": "number" },
+        "lowTrustWeightThreshold": { "type": "number" },
+        "mediumTrustWeightThreshold": { "type": "number" }
       }
     },
     "dashboard": {

package/depbrain.output.schema.json

@@ -19,7 +19,7 @@
     },
     "riskFactors": {
       "type": "object",
-      "required": ["daysSincePublish", "downloads", "maintainersCount", "versionCount", "recentReleaseCount", "hasRepository", "dependencyType"],
+      "required": ["daysSincePublish", "downloads", "maintainersCount", "versionCount", "recentReleaseCount", "hasRepository", "dependencyType", "transitiveDependencyCount", "riskyTransitiveCount"],
       "additionalProperties": false,
       "properties": {
         "daysSincePublish": { "type": ["number", "null"] },
@@ -28,7 +28,21 @@
         "versionCount": { "type": ["number", "null"] },
         "recentReleaseCount": { "type": ["number", "null"] },
         "hasRepository": { "type": "boolean" },
-        "dependencyType": { "type": "string", "enum": ["dependencies", "devDependencies", "unknown"] }
+        "dependencyType": { "type": "string", "enum": ["dependencies", "devDependencies", "unknown"] },
+        "transitiveDependencyCount": { "type": "number" },
+        "riskyTransitiveCount": { "type": "number" }
+      }
+    },
+    "riskTransitiveDependency": {
+      "type": "object",
+      "required": ["name", "trustScore", "confidence", "reasons", "introducedByPaths"],
+      "additionalProperties": false,
+      "properties": {
+        "name": { "type": "string" },
+        "trustScore": { "type": "string", "enum": ["high", "medium", "low"] },
+        "confidence": { "type": "number", "minimum": 0, "maximum": 1 },
+        "reasons": { "type": "array", "items": { "type": "string" } },
+        "introducedByPaths": { "type": "array", "items": { "type": "string" } }
       }
     },
     "ownershipSummary": {
@@ -159,7 +173,7 @@
       "type": "array",
       "items": {
         "type": "object",
-        "required": ["name", "reasons", "confidence", "reasonCodes", "explanation", "trustScore", "riskFactors", "recommendation"],
+        "required": ["name", "reasons", "confidence", "reasonCodes", "explanation", "trustScore", "riskFactors", "transitiveRiskScore", "riskyTransitiveDeps", "recommendation"],
         "additionalProperties": false,
         "properties": {
           "name": { "type": "string" },
@@ -170,6 +184,11 @@
           "explanation": { "type": "array", "items": { "type": "string" } },
           "trustScore": { "type": "string", "enum": ["high", "medium", "low"] },
           "riskFactors": { "$ref": "#/properties/riskFactors" },
+          "transitiveRiskScore": { "type": "number" },
+          "riskyTransitiveDeps": {
+            "type": "array",
+            "items": { "$ref": "#/properties/riskTransitiveDependency" }
+          },
           "recommendation": { "$ref": "#/properties/recommendation" }
         }
       }

package/dist/checks/risk.d.ts

@@ -2,8 +2,10 @@ import type { DependencyGraph } from "../core/graph-builder.js";
 import type { RiskDependency } from "../core/analyzer.js";
 import type { CheckResult } from "../core/types.js";
 import { type PackageMetadata } from "../utils/npm-api.js";
+import type { DepBrainConfig } from "../utils/config.js";
 export interface RiskCheckOptions {
     resolvePackageMetadata?: (name: string) => Promise<PackageMetadata | null>;
+    thresholds?: DepBrainConfig["risk"];
 }
 export declare function findRiskDependencies(graph: DependencyGraph, options?: RiskCheckOptions): Promise<RiskDependency[]>;
-export declare function runRiskCheck(graph: DependencyGraph): Promise<CheckResult>;
+export declare function runRiskCheck(graph: DependencyGraph, options?: RiskCheckOptions): Promise<CheckResult>;

package/dist/checks/risk.js

@@ -1,13 +1,14 @@
 import { getPackageMetadata } from "../utils/npm-api.js";
-const TWO_YEARS_IN_DAYS = 365 * 2;
-const ONE_YEAR_IN_DAYS = 365;
 export async function findRiskDependencies(graph, options = {}) {
     const resolvePackageMetadata = options.resolvePackageMetadata ?? getPackageMetadata;
-    const names = Object.keys({
+    const thresholds = options.thresholds;
+    const allNames = Object.keys({
         ...graph.dependencies,
-        ...graph.devDependencies
+        ...graph.devDependencies,
+        ...(graph.lockPackages ?? {})
     });
-    const results = await mapWithConcurrency(names, 8, async (name) => {
+    const assessments = new Map();
+    const results = await mapWithConcurrency(allNames, 8, async (name) => {
         const metadata = await resolvePackageMetadata(name);
         if (!metadata) {
             return null;
@@ -17,24 +18,25 @@ export async function findRiskDependencies(graph, options = {}) {
             : graph.devDependencies[name]
                 ? "devDependencies"
                 : "unknown";
-        const assessment = assessRisk(metadata, dependencyType);
-        if (!shouldReportRisk(assessment.trustScore, dependencyType)) {
-            return null;
-        }
+        const assessment = assessRisk(metadata, dependencyType, thresholds, 0);
         return {
             name,
-            reasons: assessment.reasons,
-            confidence: assessment.confidence,
-            reasonCodes: assessment.reasonCodes,
-            explanation: assessment.reasons,
-            trustScore: assessment.trustScore,
-            riskFactors: assessment.riskFactors,
-            recommendation: buildRiskRecommendation(assessment.reasons, assessment.confidence, assessment.trustScore)
+            assessment
         };
     });
-    return results
-        .filter((item) => item !== null)
-        .sort((left, right) => left.name.localeCompare(right.name));
+    for (const result of results) {
+        if (result) {
+            assessments.set(result.name, result.assessment);
+        }
+    }
+    const directNames = Object.keys({
+        ...graph.dependencies,
+        ...graph.devDependencies
+    }).sort((left, right) => left.localeCompare(right));
+    const risks = directNames
+        .map((name) => buildDirectRiskEntry(name, graph, assessments, thresholds))
+        .filter((item) => item !== null);
+    return risks.sort((left, right) => left.name.localeCompare(right.name));
 }
 async function mapWithConcurrency(items, limit, mapper) {
     const results = new Array(items.length);
@@ -50,8 +52,8 @@ async function mapWithConcurrency(items, limit, mapper) {
     await Promise.all(workers);
     return results;
 }
-export async function runRiskCheck(graph) {
-    const risks = await findRiskDependencies(graph);
+export async function runRiskCheck(graph, options = {}) {
+    const risks = await findRiskDependencies(graph, options);
     return {
         name: "risk",
         summary: `${risks.length} risky dependencies found`,
@@ -70,27 +72,140 @@ export async function runRiskCheck(graph) {
                 name: item.name,
                 reasons: item.reasons,
                 trustScore: item.trustScore,
-                riskFactors: item.riskFactors
+                riskFactors: item.riskFactors,
+                transitiveRiskScore: item.transitiveRiskScore,
+                riskyTransitiveDeps: item.riskyTransitiveDeps
+            }
+        }))
+    };
+}
+function buildDirectRiskEntry(name, graph, assessments, thresholds) {
+    const dependencyType = graph.dependencies[name]
+        ? "dependencies"
+        : graph.devDependencies[name]
+            ? "devDependencies"
+            : "unknown";
+    const selfAssessment = assessments.get(name) ?? buildUnknownAssessment(name, dependencyType);
+    const transitive = collectTransitiveRisks(name, graph, assessments);
+    const reasonCodes = [...selfAssessment.reasonCodes];
+    const reasons = [...selfAssessment.reasons];
+    const explanation = [...selfAssessment.reasons];
+    if (transitive.riskyTransitiveDeps.length > 0) {
+        reasons.push(`Introduces ${transitive.riskyTransitiveDeps.length} risky transitive dependenc${transitive.riskyTransitiveDeps.length === 1 ? "y" : "ies"}`);
+        reasonCodes.push("risky_transitive_dependencies");
+        explanation.push(`Transitive paths: ${transitive.riskyTransitiveDeps
+            .flatMap((item) => item.introducedByPaths)
+            .slice(0, 3)
+            .join("; ")}`);
+    }
+    if (transitive.transitiveDependencyCount > (thresholds?.transitiveBloatThreshold ?? 50)) {
+        reasons.push("Large transitive dependency tree");
+        reasonCodes.push("dependency_bloat");
+        explanation.push(`${name} introduces ${transitive.transitiveDependencyCount} transitive dependencies.`);
+    }
+    const transitiveRiskScore = transitive.riskyTransitiveDeps.reduce((total, item) => total + trustScoreWeight(item.trustScore), 0);
+    const combinedConfidence = Math.min(0.99, Math.max(selfAssessment.confidence, transitive.riskyTransitiveDeps.reduce((maxConfidence, item) => Math.max(maxConfidence, item.confidence), 0.5)));
+    const trustScore = combineTrustScores(selfAssessment.trustScore, transitive.highestTrustScore);
+    const shouldReport = shouldReportRisk(selfAssessment.trustScore, dependencyType) ||
+        transitive.riskyTransitiveDeps.length > 0 ||
+        transitive.transitiveDependencyCount > (thresholds?.transitiveBloatThreshold ?? 50);
+    if (!shouldReport || reasons.length === 0) {
+        return null;
+    }
+    return {
+        name,
+        reasons,
+        confidence: combinedConfidence,
+        reasonCodes: dedupeStrings(reasonCodes),
+        explanation: dedupeStrings(explanation),
+        trustScore,
+        riskFactors: {
+            ...selfAssessment.riskFactors,
+            dependencyType,
+            transitiveDependencyCount: transitive.transitiveDependencyCount,
+            riskyTransitiveCount: transitive.riskyTransitiveDeps.length
+        },
+        transitiveRiskScore,
+        riskyTransitiveDeps: transitive.riskyTransitiveDeps,
+        recommendation: buildRiskRecommendation(reasons, combinedConfidence, trustScore, transitive.riskyTransitiveDeps.length)
+    };
+}
+function collectTransitiveRisks(directName, graph, assessments) {
+    const visited = new Set();
+    const queue = (graph.lockDependencies?.[directName] ?? []).map((name) => ({
+        name,
+        path: [directName, name]
+    }));
+    const riskyByName = new Map();
+    let highestTrustScore = "high";
+    while (queue.length > 0) {
+        const current = queue.shift();
+        if (!current || visited.has(current.name)) {
+            continue;
+        }
+        visited.add(current.name);
+        const assessment = assessments.get(current.name);
+        if (assessment && shouldReportRisk(assessment.trustScore, assessment.riskFactors.dependencyType)) {
+            highestTrustScore = combineTrustScores(highestTrustScore, assessment.trustScore);
+            const existing = riskyByName.get(current.name);
+            const pathTrace = current.path.join(" -> ");
+            if (existing) {
+                existing.introducedByPaths.push(pathTrace);
+            }
+            else {
+                riskyByName.set(current.name, {
+                    name: current.name,
+                    trustScore: assessment.trustScore,
+                    confidence: assessment.confidence,
+                    reasons: assessment.reasons,
+                    introducedByPaths: [pathTrace]
+                });
             }
+        }
+        const nextDependencies = graph.lockDependencies?.[current.name] ?? [];
+        for (const dependency of nextDependencies) {
+            if (!visited.has(dependency)) {
+                queue.push({
+                    name: dependency,
+                    path: [...current.path, dependency]
+                });
+            }
+        }
+    }
+    return {
+        transitiveDependencyCount: visited.size,
+        riskyTransitiveDeps: Array.from(riskyByName.values())
+            .map((item) => ({
+            ...item,
+            introducedByPaths: dedupeStrings(item.introducedByPaths).slice(0, 3)
         }))
+            .sort((left, right) => trustScoreWeight(right.trustScore) - trustScoreWeight(left.trustScore) ||
+            right.confidence - left.confidence ||
+            left.name.localeCompare(right.name)),
+        highestTrustScore
     };
 }
-function assessRisk(metadata, dependencyType) {
+function assessRisk(metadata, dependencyType, thresholds, transitiveDependencyCount) {
     const reasons = [];
     const reasonCodes = [];
     let weight = 0;
-    if (metadata.daysSincePublish !== null && metadata.daysSincePublish > TWO_YEARS_IN_DAYS) {
-        reasons.push("No release in over 2 years");
+    const staleReleaseDays = thresholds?.staleReleaseDays ?? 730;
+    const agingReleaseDays = thresholds?.agingReleaseDays ?? 365;
+    const lowDownloadThreshold = thresholds?.lowDownloadThreshold ?? 1000;
+    const lowTrustWeightThreshold = thresholds?.lowTrustWeightThreshold ?? 6;
+    const mediumTrustWeightThreshold = thresholds?.mediumTrustWeightThreshold ?? 3;
+    if (metadata.daysSincePublish !== null && metadata.daysSincePublish > staleReleaseDays) {
+        reasons.push(`No release in over ${formatDays(staleReleaseDays)}`);
         reasonCodes.push("stale_release");
         weight += 3;
     }
     else if (metadata.daysSincePublish !== null &&
-        metadata.daysSincePublish > ONE_YEAR_IN_DAYS) {
-        reasons.push("No release in over 12 months");
+        metadata.daysSincePublish > agingReleaseDays) {
+        reasons.push(`No release in over ${formatDays(agingReleaseDays)}`);
         reasonCodes.push("aging_release");
         weight += 2;
     }
-    if (metadata.downloads !== null && metadata.downloads < 1000) {
+    if (metadata.downloads !== null && metadata.downloads < lowDownloadThreshold) {
         reasons.push("Low weekly download volume");
         reasonCodes.push("low_download_volume");
         weight += 2;
@@ -118,8 +233,13 @@ function assessRisk(metadata, dependencyType) {
         weight += 1;
     }
     const confidence = reasons.length === 0 ? 0.5 : Math.min(0.99, 0.52 + weight * 0.07);
-    const trustScore = weight >= 6 ? "low" : weight >= 3 ? "medium" : "high";
+    const trustScore = weight >= lowTrustWeightThreshold
+        ? "low"
+        : weight >= mediumTrustWeightThreshold
+            ? "medium"
+            : "high";
     return {
+        name: "",
         confidence,
         trustScore,
         reasons,
@@ -131,10 +251,41 @@ function assessRisk(metadata, dependencyType) {
             versionCount: metadata.versionCount,
             recentReleaseCount: metadata.recentReleaseCount,
             hasRepository: Boolean(metadata.repository),
-            dependencyType
+            dependencyType,
+            transitiveDependencyCount,
+            riskyTransitiveCount: 0
+        }
+    };
+}
+function buildUnknownAssessment(name, dependencyType) {
+    return {
+        name,
+        confidence: 0.5,
+        trustScore: "high",
+        reasons: [],
+        reasonCodes: [],
+        riskFactors: {
+            daysSincePublish: null,
+            downloads: null,
+            maintainersCount: null,
+            versionCount: null,
+            recentReleaseCount: null,
+            hasRepository: false,
+            dependencyType,
+            transitiveDependencyCount: 0,
+            riskyTransitiveCount: 0
         }
     };
 }
+function formatDays(days) {
+    if (days === 730) {
+        return "2 years";
+    }
+    if (days === 365) {
+        return "12 months";
+    }
+    return `${days} days`;
+}
 function shouldReportRisk(trustScore, dependencyType) {
     if (trustScore === "high") {
         return false;
@@ -144,14 +295,33 @@ function shouldReportRisk(trustScore, dependencyType) {
     }
     return true;
 }
-function buildRiskRecommendation(reasons, confidence, trustScore) {
+function buildRiskRecommendation(reasons, confidence, trustScore, riskyTransitiveCount) {
     return {
         action: "review",
-        priority: trustScore === "low" || confidence >= 0.8 ? "high" : "medium",
+        priority: trustScore === "low" || confidence >= 0.8 || riskyTransitiveCount >= 2
+            ? "high"
+            : "medium",
         safety: "caution",
-        summary: trustScore === "low"
-            ? "Low trust package; review whether to replace, pin, or monitor it closely."
-            : "Review package trust signals and decide whether to keep, replace, or monitor it.",
+        summary: riskyTransitiveCount > 0
+            ? `Review this direct dependency and its transitive chain before upgrading or keeping it.`
+            : trustScore === "low"
+                ? "Low trust package; review whether to replace, pin, or monitor it closely."
+                : "Review package trust signals and decide whether to keep, replace, or monitor it.",
         reasons
     };
 }
+function trustScoreWeight(value) {
+    if (value === "low") {
+        return 3;
+    }
+    if (value === "medium") {
+        return 2;
+    }
+    return 1;
+}
+function combineTrustScores(left, right) {
+    return trustScoreWeight(left) >= trustScoreWeight(right) ? left : right;
+}
+function dedupeStrings(values) {
+    return Array.from(new Set(values));
+}

package/dist/cli.js

@@ -4,6 +4,7 @@ import { renderConsoleReport } from "./reporters/console.js";
 import { renderJsonReport } from "./reporters/json.js";
 import { renderMarkdownReport } from "./reporters/markdown.js";
 import { renderSarifReport } from "./reporters/sarif.js";
+import { renderDashboardReport } from "./reporters/dashboard.js";
 import { defaultConfig } from "./utils/config.js";
 import { promises as fs } from "node:fs";
 import path from "node:path";
@@ -59,7 +60,9 @@ async function main() {
                         ? JSON.stringify(reportData, null, 2)
                         : flags.has("--sarif")
                             ? renderSarifReport(reportData)
-                            : renderMarkdownReport(reportData);
+                            : flags.has("--dashboard")
+                                ? renderDashboardReport(reportData)
+                                : renderMarkdownReport(reportData);
                 await writeOutput(output, optionValues.get("--out"));
                 return;
             }
@@ -149,6 +152,9 @@ async function main() {
                     : consoleOutput;
         }
         await writeOutput(output, optionValues.get("--out"));
+        if (flags.has("--dashboard")) {
+            await writeOutput(renderDashboardReport(result), optionValues.get("--dashboard-out") ?? result.config.dashboard.outputPath);
+        }
         if (!result.policy.passed) {
             process.exitCode = 1;
         }
@@ -209,8 +215,8 @@ function printHelp() {
     console.log("Dependency Brain");
     console.log("");
     console.log("Usage:");
-    console.log("  dep-brain analyze [path] [--json] [--md] [--sarif] [--top] [--focus kind] [--ci] [--out path] [--config path] [--baseline path] [--min-score n] [--fail-on-risks]");
-    console.log("  dep-brain report --from <file> [--md] [--json] [--sarif] [--top] [--out path]");
+    console.log("  dep-brain analyze [path] [--json] [--md] [--sarif] [--top] [--dashboard] [--focus kind] [--ci] [--out path] [--config path] [--baseline path] [--min-score n] [--fail-on-risks]");
+    console.log("  dep-brain report --from <file> [--md] [--json] [--sarif] [--top] [--dashboard] [--out path]");
     console.log("  dep-brain config [path] [--config path]");
     console.log("  dep-brain init [--out depbrain.config.json]");
     console.log("  dep-brain help");
@@ -221,6 +227,8 @@ function printHelp() {
     console.log("  --md                Output Markdown report");
     console.log("  --sarif             Output SARIF format for Code Scanning");
     console.log("  --top               Output the ranked top issues only");
+    console.log("  --dashboard         Write an HTML dashboard");
+    console.log("  --dashboard-out <path> Write dashboard HTML to a custom path");
     console.log("  --focus <kind>      Run all, health, duplicates, unused, outdated, or risks");
     console.log("  --ci                Apply low-noise CI defaults");
     console.log("  --config <path>     Path to depbrain.config.json");

package/dist/core/analyzer.d.ts

@@ -43,8 +43,17 @@ export interface RiskFactors {
     recentReleaseCount: number | null;
     hasRepository: boolean;
     dependencyType: "dependencies" | "devDependencies" | "unknown";
+    transitiveDependencyCount: number;
+    riskyTransitiveCount: number;
 }
 export type TrustScore = "high" | "medium" | "low";
+export interface RiskTransitiveDependency {
+    name: string;
+    trustScore: TrustScore;
+    confidence: number;
+    reasons: string[];
+    introducedByPaths: string[];
+}
 export interface DuplicateDependency {
     name: string;
     versions: string[];
@@ -85,6 +94,8 @@ export interface RiskDependency {
     explanation: string[];
     trustScore: TrustScore;
     riskFactors: RiskFactors;
+    transitiveRiskScore: number;
+    riskyTransitiveDeps: RiskTransitiveDependency[];
     recommendation: Recommendation;
 }
 export interface TopIssue {
@@ -133,7 +144,7 @@ export interface PackageAnalysisResult {
     topIssues: TopIssue[];
     extensions: Record<string, unknown>;
 }
-export declare const OUTPUT_VERSION = "1.4";
+export declare const OUTPUT_VERSION = "1.5";
 export interface ScoreBreakdown {
     baseScore: number;
     duplicates: number;