devcompass 1.0.5 → 2.1.0

package/README.md

@@ -1,19 +1,25 @@
 # 🧭 DevCompass
 
-**Dependency health checker for JavaScript/TypeScript projects**
+**Dependency health checker with ecosystem intelligence for JavaScript/TypeScript projects**
 
 [![npm version](https://img.shields.io/npm/v/devcompass.svg)](https://www.npmjs.com/package/devcompass)
 [![npm downloads](https://img.shields.io/npm/dm/devcompass.svg)](https://www.npmjs.com/package/devcompass)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 
-Analyze your JavaScript projects to find unused dependencies, outdated packages, and get a health score.
+Analyze your JavaScript projects to find unused dependencies, outdated packages, **detect known security issues**, and **automatically fix them** with a single command.
+
+> **NEW in v2.1:** Auto-fix command! 🔧 Fix critical issues automatically!  
+> **NEW in v2.0:** Real-time ecosystem alerts for known issues! 🚨
 
 ## ✨ Features
 
+- 🔧 **Auto-Fix Command** (NEW in v2.1!) - Fix issues automatically with one command
+- 🚨 **Ecosystem Intelligence** - Detect known issues before they break production
 - 🔍 **Detect unused dependencies** - Find packages you're not actually using
 - 📦 **Check for outdated packages** - See what needs updating
+- 🔐 **Security alerts** - Critical vulnerabilities and deprecated packages
 - 📊 **Project health score** - Get a 0-10 rating for your dependencies
-- 🎨 **Beautiful terminal UI** - Colored output with clear sections
+- 🎨 **Beautiful terminal UI** - Colored output with severity indicators
 - ⚡ **Fast analysis** - Scans projects in seconds
 - 🔧 **Framework-aware** - Handles React, Next.js, Angular, NestJS, PostCSS, Tailwind
 
@@ -36,48 +42,219 @@ npx devcompass analyze
 
 ## 📖 Usage
 
+### Analyze Your Project
 Navigate to your project directory and run:
 ```bash
 devcompass analyze
 ```
 
+### Auto-Fix Issues (NEW in v2.1!)
+Automatically fix detected issues:
+```bash
+devcompass fix
+```
+
+## 🔧 Auto-Fix Command (NEW in v2.1!)
+
+DevCompass can now **automatically fix issues** in your project!
+
+### What it does:
+- 🔴 **Fixes critical security issues** - Upgrades packages with known vulnerabilities
+- 🧹 **Removes unused dependencies** - Cleans up packages you're not using
+- ⬆️ **Safe updates** - Applies patch and minor updates automatically
+- ⚠️ **Skips breaking changes** - Major updates require manual review
+
+### Usage
+```bash
+# Interactive mode (asks for confirmation)
+devcompass fix
+
+# Auto-apply without confirmation
+devcompass fix --yes
+devcompass fix -y
+
+# Fix specific directory
+devcompass fix --path /path/to/project
+```
+
 ### Example Output
 ```
-🔍 DevCompass v1.0.1 - Analyzing your project...
+🔧 DevCompass Fix - Analyzing and fixing your project...
+
+🔴 CRITICAL ISSUES TO FIX:
+
+🔴 lodash@4.17.19
+   Issue: Prototype pollution vulnerability
+   Fix: Upgrade to 4.17.21
+
+🟠 axios@1.6.0
+   Issue: Memory leak in request interceptors
+   Fix: Upgrade to 1.6.2
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+🧹 UNUSED DEPENDENCIES TO REMOVE:
+
+  ● moment
+  ● express
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+⬆️  SAFE UPDATES (patch/minor):
+
+  react-dom: 18.2.0 → 18.2.1 (patch update)
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+⚠️  MAJOR UPDATES (skipped - may have breaking changes):
+
+  express: 4.18.0 → 5.2.1
+
+  Run these manually after reviewing changelog:
+  npm install express@5.2.1
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+📊 FIX SUMMARY:
+
+  Critical fixes:  2
+  Remove unused:   2
+  Safe updates:    1
+  Skipped major:   1
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+❓ Apply these fixes? (y/N): y
+
+🔧 Applying fixes...
+
+✔ ✅ Removed 2 unused packages
+✔ ✅ Fixed lodash@4.17.21
+✔ ✅ Fixed axios@1.6.2
+✔ ✅ Updated 1 packages
+
+✨ All fixes applied successfully!
+
+💡 Run devcompass analyze to see the new health score.
+```
+
+### Safety Features
+- ✅ Shows what will be changed before applying
+- ✅ Requires confirmation (unless `--yes` flag used)
+- ✅ Skips major updates (may have breaking changes)
+- ✅ Groups actions by priority (critical → cleanup → updates)
+- ✅ Provides clear summary of changes
+
+### Workflow Example
+```bash
+# 1. Analyze your project
+devcompass analyze
+
+# 2. If issues found, auto-fix them
+devcompass fix
+
+# 3. Verify the improvements
+devcompass analyze
+```
+
+## 📊 Analyze Command
+
+### Example Output (v2.1)
+```
+🔍 DevCompass v2.1.0 - Analyzing your project...
 ✔ Scanned 15 dependencies in project
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+🚨 ECOSYSTEM ALERTS (2)
+
+🔴 CRITICAL
+  lodash@4.17.19
+    Issue: Prototype pollution vulnerability
+    Affected: <4.17.21
+    Fix: 4.17.21
+    Source: npm advisory 1523
+
+🟠 HIGH
+  axios@1.6.0
+    Issue: Memory leak in request interceptors
+    Affected: >=1.5.0 <1.6.2
+    Fix: 1.6.2
+    Source: GitHub Issue #5456
+
 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
 
 🔴 UNUSED DEPENDENCIES (2)
-  ● lodash
   ● moment
+  ● request
 
 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
 
 🟡 OUTDATED PACKAGES (3)
   react          18.2.0 → ^19.0.0  (major update)
-  axios          1.4.0 → ^1.6.0   (minor update)
   express        4.18.0 → ^4.19.0  (patch update)
 
 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
 
 📊 PROJECT HEALTH
-  Overall Score:       6.5/10
+  Overall Score:       5.5/10
   Total Dependencies:  15
+  Ecosystem Alerts:    2
   Unused:              2
   Outdated:            3
 
 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
 
-💡 QUICK WIN
-  Clean up unused dependencies:
-  npm uninstall lodash moment
+💡 QUICK WINS
+  🔴 Fix critical issues:
+
+  npm install lodash@4.17.21
+  npm install axios@1.6.2
+
+  🧹 Clean up unused dependencies:
+
+  npm uninstall moment request
 
   Expected impact:
+  ✓ Resolve critical security/stability issues
   ✓ Remove 2 unused packages
   ✓ Reduce node_modules size
-  ✓ Improve health score → 7.5/10
+  ✓ Improve health score → 8.5/10
+
+💡 TIP: Run 'devcompass fix' to apply these fixes automatically!
 ```
 
+## 🚨 Ecosystem Intelligence
+
+DevCompass tracks **real-world issues** in popular packages and warns you before they break production!
+
+### What Gets Detected:
+- 🔴 **Critical security vulnerabilities** - Zero-day exploits, prototype pollution
+- 🟠 **High-severity bugs** - Memory leaks, data corruption, breaking changes
+- 🟡 **Deprecated packages** - Unmaintained dependencies
+- ⚪ **Low-priority issues** - Minor bugs, cosmetic problems
+
+### Severity Levels:
+- **CRITICAL** - Immediate security risk or data loss (−2.0 points per issue)
+- **HIGH** - Production stability issues (−1.5 points per issue)
+- **MEDIUM** - Maintenance concerns, deprecations (−0.5 points per issue)
+- **LOW** - Minor issues (−0.2 points per issue)
+
+### Currently Tracked Packages:
+- **axios** - Memory leaks, breaking changes
+- **lodash** - Security vulnerabilities (prototype pollution)
+- **moment** - Deprecation notice
+- **express** - Security issues in dependencies
+- **request** - Package deprecated
+
+> More packages being added regularly! [Suggest a package](https://github.com/AjayBThorat-20/devcompass/issues)
+
+### How It Works:
+1. Reads your actual installed versions from `node_modules`
+2. Matches against curated issues database
+3. Uses semantic versioning for precise detection
+4. Shows actionable fix commands
+
 ## 🎯 What It Detects
 
 ### Unused Dependencies
@@ -100,25 +277,41 @@ DevCompass won't flag these as unused (they're typically used in config files):
 - Shows current vs latest versions
 - Indicates update type (major/minor/patch)
 
-### Health Score
-- Calculated from 0-10 based on:
-  - Percentage of unused dependencies (-4 points per 100%)
-  - Percentage of outdated packages (-3 points per 100%)
+### Health Score (Enhanced in v2.0)
+Calculated from 0-10 based on:
+- Percentage of unused dependencies (−4 points per 100%)
+- Percentage of outdated packages (−3 points per 100%)
+- Ecosystem alerts by severity (−0.2 to −2.0 per issue)
 - Higher score = healthier project
 
-## ⚙️ Options
+## ⚙️ Commands & Options
+
+### Commands
 ```bash
-# Analyze current directory
+# Analyze project dependencies
 devcompass analyze
 
-# Analyze specific directory
-devcompass analyze --path /path/to/project
+# Auto-fix issues
+devcompass fix
 
 # Show version
 devcompass --version
+devcompass -v
 
 # Show help
 devcompass --help
+devcompass -h
+```
+
+### Options
+```bash
+# Analyze/fix specific directory
+devcompass analyze --path /path/to/project
+devcompass fix --path /path/to/project
+
+# Auto-fix without confirmation
+devcompass fix --yes
+devcompass fix -y
 ```
 
 ## ⚠️ Known Issues & Best Practices
@@ -147,9 +340,10 @@ If you encounter a false positive, please [report it](https://github.com/AjayBTh
 ## 💡 Tips
 
 1. **Run regularly** - Add to your CI/CD pipeline or git hooks
-2. **Check before updates** - See what's outdated before updating
-3. **Clean up first** - Remove unused deps before adding new ones
-4. **Verify before uninstalling** - DevCompass helps identify candidates, but always verify before removing
+2. **Use fix command** - Let DevCompass handle routine maintenance
+3. **Fix critical alerts first** - Prioritize security and stability
+4. **Review major updates** - Always check changelogs before major version bumps
+5. **Verify before uninstalling** - DevCompass helps identify candidates, but always verify
 
 ## 🤝 Contributing
 
@@ -161,6 +355,27 @@ Contributions are welcome! Feel free to:
 4. Push to the branch (`git push origin feature/amazing-feature`)
 5. Open a Pull Request
 
+### Adding Issues to Database
+Want to add known issues for a package?
+
+1. Edit `data/issues-db.json`
+2. Follow the existing format:
+```json
+{
+  "package-name": [
+    {
+      "title": "Brief issue description",
+      "severity": "critical|high|medium|low",
+      "affected": "semver range (e.g., >=1.0.0 <2.0.0)",
+      "fix": "Fixed version or migration advice",
+      "source": "GitHub Issue #123 or npm advisory",
+      "reported": "YYYY-MM-DD"
+    }
+  ]
+}
+```
+3. Submit a PR with your additions!
+
 ### Development
 ```bash
 # Clone the repo
@@ -172,10 +387,15 @@ npm install
 
 # Test locally
 node bin/devcompass.js analyze
+node bin/devcompass.js fix
 
 # Run on test projects
-cd examples/test-project
-node ../../bin/devcompass.js analyze
+cd /tmp
+mkdir test-project && cd test-project
+npm init -y
+npm install axios@1.6.0 lodash@4.17.19
+node ~/devcompass/bin/devcompass.js analyze
+node ~/devcompass/bin/devcompass.js fix
 ```
 
 ## 📝 License
@@ -197,6 +417,7 @@ Built with:
 - [chalk](https://github.com/chalk/chalk) - Terminal colors
 - [ora](https://github.com/sindresorhus/ora) - Spinners
 - [commander](https://github.com/tj/commander.js) - CLI framework
+- [semver](https://github.com/npm/node-semver) - Semantic versioning
 
 ## 📈 Stats
 
@@ -204,8 +425,24 @@ Check out DevCompass stats:
 - [npm trends](https://npmtrends.com/devcompass)
 - [npm-stat](https://npm-stat.com/charts.html?package=devcompass)
 
+## 🌟 What's Next?
+
+### Roadmap (v2.2+)
+- [x] ~~Automatic fix command~~ ✅ **Added in v2.1!**
+- [ ] Integration with `npm audit` for automated security scanning
+- [ ] CI/CD integration with `--json` output
+- [ ] GitHub Issues API for real-time issue tracking
+- [ ] Web dashboard for team health monitoring
+- [ ] More tracked packages (React, Next.js, Vue, Angular)
+- [ ] Custom ignore rules via config file
+- [ ] Bundle size analysis
+
+Want to contribute? Pick an item and open an issue! 🚀
+
 ---
 
 **Made with ❤️ by [Ajay Thorat](https://github.com/AjayBThorat-20)**
 
-*DevCompass - Keep your dependencies healthy!* 🧭
+*DevCompass - Keep your dependencies healthy!* 🧭
+
+**Like Lighthouse for your dependencies** ⚡

package/bin/devcompass.js

@@ -4,6 +4,7 @@ const { Command } = require('commander');
 const chalk = require('chalk');
 const path = require('path');
 const { analyze } = require('../src/commands/analyze');
+const { fix } = require('../src/commands/fix');
 const packageJson = require('../package.json');
 
 // Check if running from local node_modules
@@ -31,4 +32,11 @@ program
   .option('-p, --path <path>', 'Project path', process.cwd())
   .action(analyze);
 
-program.parse();
+program
+  .command('fix')
+  .description('Fix issues automatically (remove unused, update safe packages)')
+  .option('-p, --path <path>', 'Project path', process.cwd())
+  .option('-y, --yes', 'Skip confirmation prompt', false)
+  .action(fix);
+
+program.parse();

package/data/issues-db.json

@@ -0,0 +1,60 @@
+{
+  "axios": [
+    {
+      "title": "Memory leak in request interceptors",
+      "severity": "high",
+      "affected": ">=1.5.0 <1.6.2",
+      "fix": "1.6.2",
+      "source": "GitHub Issue #5456",
+      "reported": "2024-01-15"
+    },
+    {
+      "title": "Breaking change in error handling",
+      "severity": "medium",
+      "affected": ">=1.4.0 <1.5.0",
+      "fix": "1.5.0",
+      "source": "GitHub Release Notes",
+      "reported": "2023-11-20"
+    }
+  ],
+  "lodash": [
+    {
+      "title": "Prototype pollution vulnerability",
+      "severity": "critical",
+      "affected": "<4.17.21",
+      "fix": "4.17.21",
+      "source": "npm advisory 1523",
+      "reported": "2021-02-15"
+    }
+  ],
+  "moment": [
+    {
+      "title": "Package is deprecated - no longer maintained",
+      "severity": "medium",
+      "affected": "*",
+      "fix": "Use dayjs or date-fns instead",
+      "source": "npm deprecation notice",
+      "reported": "2023-09-01"
+    }
+  ],
+  "request": [
+    {
+      "title": "Package deprecated - use node-fetch or axios",
+      "severity": "high",
+      "affected": "*",
+      "fix": "Migrate to axios or node-fetch",
+      "source": "npm deprecation notice",
+      "reported": "2020-02-11"
+    }
+  ],
+  "express": [
+    {
+      "title": "Security vulnerability in qs dependency",
+      "severity": "medium",
+      "affected": ">=4.0.0 <4.18.2",
+      "fix": "4.18.2",
+      "source": "npm advisory 1867",
+      "reported": "2022-11-26"
+    }
+  ]
+}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "devcompass",
-  "version": "1.0.5",
-  "description": "Analyze your JavaScript projects for unused dependencies and outdated packages",
+  "version": "2.1.0",
+  "description": "Dependency health checker with ecosystem intelligence for JavaScript/TypeScript projects",
   "main": "src/index.js",
   "bin": {
     "devcompass": "./bin/devcompass.js"
@@ -9,6 +9,7 @@
   "files": [
     "bin/",
     "src/",
+    "data/",
     "README.md",
     "LICENSE"
   ],
@@ -25,7 +26,10 @@
     "cli",
     "devtools",
     "package-manager",
-    "dependency-analysis"
+    "dependency-analysis",
+    "security",
+    "ecosystem",
+    "alerts"
   ],
   "author": "Ajay Thorat <ajaythorat988@gmail.com>",
   "license": "MIT",
@@ -34,7 +38,8 @@
     "commander": "^11.1.0",
     "depcheck": "^1.4.7",
     "npm-check-updates": "^16.14.12",
-    "ora": "^5.4.1"
+    "ora": "^5.4.1",
+    "semver": "^7.6.0"
   },
   "engines": {
     "node": ">=14.0.0"

package/src/alerts/formatter.js

@@ -0,0 +1,68 @@
+const chalk = require('chalk');
+
+/**
+ * Format alerts for terminal output
+ */
+function formatAlerts(alerts) {
+  if (alerts.length === 0) {
+    return null;
+  }
+  
+  // Group alerts by package
+  const grouped = {};
+  
+  alerts.forEach(alert => {
+    if (!grouped[alert.package]) {
+      grouped[alert.package] = [];
+    }
+    grouped[alert.package].push(alert);
+  });
+  
+  return grouped;
+}
+
+/**
+ * Get severity emoji and color
+ */
+function getSeverityDisplay(severity) {
+  const displays = {
+    critical: { emoji: '🔴', color: chalk.red.bold, label: 'CRITICAL' },
+    high: { emoji: '🟠', color: chalk.red, label: 'HIGH' },
+    medium: { emoji: '🟡', color: chalk.yellow, label: 'MEDIUM' },
+    low: { emoji: '⚪', color: chalk.gray, label: 'LOW' }
+  };
+  
+  return displays[severity] || displays.medium;
+}
+
+/**
+ * Calculate alert impact on health score
+ */
+function calculateAlertPenalty(alerts) {
+  let penalty = 0;
+  
+  alerts.forEach(alert => {
+    switch (alert.severity) {
+      case 'critical':
+        penalty += 2.0;
+        break;
+      case 'high':
+        penalty += 1.5;
+        break;
+      case 'medium':
+        penalty += 0.5;
+        break;
+      case 'low':
+        penalty += 0.2;
+        break;
+    }
+  });
+  
+  return Math.min(penalty, 5.0); // Cap at 5 points max
+}
+
+module.exports = { 
+  formatAlerts, 
+  getSeverityDisplay, 
+  calculateAlertPenalty 
+};

package/src/alerts/index.js

@@ -0,0 +1,31 @@
+const { matchIssues } = require('./matcher');
+const { formatAlerts } = require('./formatter');
+const { resolveInstalledVersions } = require('./resolver');
+const path = require('path');
+const fs = require('fs');
+
+async function checkEcosystemAlerts(projectPath, dependencies) {
+  try {
+    // Load issues database
+    const issuesDbPath = path.join(__dirname, '../../data/issues-db.json');
+    
+    if (!fs.existsSync(issuesDbPath)) {
+      return []; // No alerts if database doesn't exist
+    }
+    
+    const issuesDb = JSON.parse(fs.readFileSync(issuesDbPath, 'utf8'));
+    
+    // Resolve installed versions from node_modules
+    const installedVersions = await resolveInstalledVersions(projectPath, dependencies);
+    
+    // Match issues against installed versions
+    const alerts = matchIssues(installedVersions, issuesDb);
+    
+    return alerts;
+  } catch (error) {
+    console.error('Error in checkEcosystemAlerts:', error.message);
+    return []; // Return empty array on error, don't break analysis
+  }
+}
+
+module.exports = { checkEcosystemAlerts };

package/src/alerts/matcher.js

@@ -0,0 +1,50 @@
+const semver = require('semver');
+
+/**
+ * Match installed packages against known issues database
+ */
+function matchIssues(installedVersions, issuesDb) {
+  const alerts = [];
+  
+  for (const [packageName, versionInfo] of Object.entries(installedVersions)) {
+    // Check if this package has known issues
+    if (!issuesDb[packageName]) {
+      continue;
+    }
+    
+    const packageIssues = issuesDb[packageName];
+    const installedVersion = versionInfo.version;
+    
+    // Check each issue for this package
+    for (const issue of packageIssues) {
+      try {
+        // Use semver to check if installed version is affected
+        if (semver.satisfies(installedVersion, issue.affected)) {
+          alerts.push({
+            package: packageName,
+            version: installedVersion,
+            severity: issue.severity,
+            title: issue.title,
+            affected: issue.affected,
+            fix: issue.fix || null,
+            source: issue.source || null,
+            reported: issue.reported || null
+          });
+        }
+      } catch (error) {
+        // Skip if semver parsing fails
+        continue;
+      }
+    }
+  }
+  
+  // Sort by severity: critical > high > medium > low
+  const severityOrder = { critical: 0, high: 1, medium: 2, low: 3 };
+  alerts.sort((a, b) => {
+    return severityOrder[a.severity] - severityOrder[b.severity];
+  });
+  
+  return alerts;
+}
+
+module.exports = { matchIssues };

package/src/alerts/resolver.js

@@ -0,0 +1,45 @@
+const path = require('path');
+const fs = require('fs');
+
+/**
+ * Resolve actual installed versions from node_modules
+ * This is CRITICAL - we need installed version, not package.json version
+ */
+async function resolveInstalledVersions(projectPath, dependencies) {
+  const installedVersions = {};
+  
+  for (const [packageName, declaredVersion] of Object.entries(dependencies)) {
+    try {
+      const packageJsonPath = path.join(
+        projectPath,
+        'node_modules',
+        packageName,
+        'package.json'
+      );
+      
+      if (fs.existsSync(packageJsonPath)) {
+        const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8'));
+        installedVersions[packageName] = {
+          name: packageName,
+          version: packageJson.version, // Clean version like "1.6.0"
+          declaredVersion: declaredVersion // What's in package.json like "^1.6.0"
+        };
+      } else {
+        // Fallback: use declared version (strip prefixes)
+        const cleanVersion = declaredVersion.replace(/^[\^~>=<]/, '');
+        installedVersions[packageName] = {
+          name: packageName,
+          version: cleanVersion,
+          declaredVersion: declaredVersion
+        };
+      }
+    } catch (error) {
+      // Skip packages that can't be resolved
+      continue;
+    }
+  }
+  
+  return installedVersions;
+}
+
+module.exports = { resolveInstalledVersions };

package/src/analyzers/scoring.js

@@ -1,4 +1,4 @@
-function calculateScore(totalDeps, unusedCount, outdatedCount) {
+function calculateScore(totalDeps, unusedCount, outdatedCount, alertsCount = 0, alertPenalty = 0) {
   let score = 10;
   
   if (totalDeps === 0) {
@@ -7,20 +7,28 @@ function calculateScore(totalDeps, unusedCount, outdatedCount) {
       breakdown: {
         unused: 0,
         outdated: 0,
+        alerts: 0,
         unusedPenalty: 0,
-        outdatedPenalty: 0
+        outdatedPenalty: 0,
+        alertsPenalty: 0
       }
     };
   }
   
+  // Unused dependencies penalty
   const unusedRatio = unusedCount / totalDeps;
   const unusedPenalty = unusedRatio * 4;
   score -= unusedPenalty;
   
+  // Outdated packages penalty
   const outdatedRatio = outdatedCount / totalDeps;
   const outdatedPenalty = outdatedRatio * 3;
   score -= outdatedPenalty;
   
+  // Ecosystem alerts penalty (from formatter.calculateAlertPenalty)
+  score -= alertPenalty;
+  
+  // Ensure score is between 0 and 10
   score = Math.max(0, Math.min(10, score));
   
   return {
@@ -28,8 +36,10 @@ function calculateScore(totalDeps, unusedCount, outdatedCount) {
     breakdown: {
       unused: unusedCount,
       outdated: outdatedCount,
+      alerts: alertsCount,
       unusedPenalty: parseFloat(unusedPenalty.toFixed(1)),
-      outdatedPenalty: parseFloat(outdatedPenalty.toFixed(1))
+      outdatedPenalty: parseFloat(outdatedPenalty.toFixed(1)),
+      alertsPenalty: parseFloat(alertPenalty.toFixed(1))
     }
   };
 }

package/src/commands/analyze.js

@@ -1,4 +1,3 @@
-// src/commands/analyze.js
 const chalk = require('chalk');
 const ora = require('ora');
 const path = require('path');
@@ -7,6 +6,12 @@ const fs = require('fs');
 const { findUnusedDeps } = require('../analyzers/unused-deps');
 const { findOutdatedDeps } = require('../analyzers/outdated');
 const { calculateScore } = require('../analyzers/scoring');
+const { checkEcosystemAlerts } = require('../alerts');
+const { 
+  formatAlerts, 
+  getSeverityDisplay, 
+  calculateAlertPenalty 
+} = require('../alerts/formatter');
 const { 
   log, 
   logSection, 
@@ -58,8 +63,17 @@ async function analyze(options) {
       process.exit(0);
     }
     
-    spinner.text = 'Detecting unused dependencies...';
+    // Check for ecosystem alerts
+    spinner.text = 'Checking ecosystem alerts...';
+    let alerts = [];
+    try {
+      alerts = await checkEcosystemAlerts(projectPath, dependencies);
+    } catch (error) {
+      console.log(chalk.yellow('\n⚠️  Could not check ecosystem alerts'));
+      console.log(chalk.gray(`   Error: ${error.message}\n`));
+    }
     
+    spinner.text = 'Detecting unused dependencies...';
     let unusedDeps = [];
     try {
       unusedDeps = await findUnusedDeps(projectPath, dependencies);
@@ -69,7 +83,6 @@ async function analyze(options) {
     }
     
     spinner.text = 'Checking for outdated packages...';
-    
     let outdatedDeps = [];
     try {
       outdatedDeps = await findOutdatedDeps(projectPath, dependencies);
@@ -78,15 +91,18 @@ async function analyze(options) {
       console.log(chalk.gray(`   Error: ${error.message}\n`));
     }
     
+    const alertPenalty = calculateAlertPenalty(alerts);
     const score = calculateScore(
       totalDeps,
       unusedDeps.length,
-      outdatedDeps.length
+      outdatedDeps.length,
+      alerts.length,
+      alertPenalty
     );
     
     spinner.succeed(chalk.green(`Scanned ${totalDeps} dependencies in project`));
     
-    displayResults(unusedDeps, outdatedDeps, score, totalDeps);
+    displayResults(alerts, unusedDeps, outdatedDeps, score, totalDeps);
     
   } catch (error) {
     spinner.fail(chalk.red('Analysis failed'));
@@ -98,13 +114,53 @@ async function analyze(options) {
   }
 }
 
-function displayResults(unusedDeps, outdatedDeps, score, totalDeps) {
+function displayResults(alerts, unusedDeps, outdatedDeps, score, totalDeps) {
   logDivider();
   
+  // ECOSYSTEM ALERTS (NEW SECTION)
+  if (alerts.length > 0) {
+    logSection('🚨 ECOSYSTEM ALERTS', alerts.length);
+    
+    const grouped = formatAlerts(alerts);
+    
+    Object.entries(grouped).forEach(([packageName, packageAlerts]) => {
+      const firstAlert = packageAlerts[0];
+      const display = getSeverityDisplay(firstAlert.severity);
+      
+      log(`\n${display.emoji} ${display.color(display.label)}`);
+      log(`  ${chalk.bold(packageName)}${chalk.gray('@' + firstAlert.version)}`);
+      
+      packageAlerts.forEach((alert, index) => {
+        if (index > 0) {
+          const alertDisplay = getSeverityDisplay(alert.severity);
+          log(`\n  ${alertDisplay.emoji} ${alertDisplay.color(alertDisplay.label)}`);
+        }
+        
+        log(`    ${chalk.yellow('Issue:')} ${alert.title}`);
+        log(`    ${chalk.gray('Affected:')} ${alert.affected}`);
+        
+        if (alert.fix) {
+          log(`    ${chalk.green('Fix:')} ${alert.fix}`);
+        }
+        
+        if (alert.source) {
+          log(`    ${chalk.gray('Source:')} ${alert.source}`);
+        }
+      });
+    });
+    
+    log('');
+  } else {
+    logSection('✅ ECOSYSTEM ALERTS');
+    log(chalk.green('  No known issues detected!\n'));
+  }
+  
+  logDivider();
+  
+  // UNUSED DEPENDENCIES
   if (unusedDeps.length > 0) {
     logSection('🔴 UNUSED DEPENDENCIES', unusedDeps.length);
     
-    // Show ALL unused deps
     unusedDeps.forEach(dep => {
       log(`  ${chalk.red('●')} ${dep.name}`);
     });
@@ -120,10 +176,10 @@ function displayResults(unusedDeps, outdatedDeps, score, totalDeps) {
   
   logDivider();
   
+  // OUTDATED PACKAGES
   if (outdatedDeps.length > 0) {
     logSection('🟡 OUTDATED PACKAGES', outdatedDeps.length);
     
-    // Show ALL outdated packages
     outdatedDeps.forEach(dep => {
       const nameCol = dep.name.padEnd(20);
       const currentVer = chalk.yellow(dep.current);
@@ -142,36 +198,79 @@ function displayResults(unusedDeps, outdatedDeps, score, totalDeps) {
   
   logDivider();
   
+  // PROJECT HEALTH
   logSection('📊 PROJECT HEALTH');
   
   const scoreColor = getScoreColor(score.total);
   log(`  Overall Score:              ${scoreColor(score.total + '/10')}`);
   log(`  Total Dependencies:         ${chalk.cyan(totalDeps)}`);
+  
+  if (alerts.length > 0) {
+    log(`  Ecosystem Alerts:           ${chalk.red(alerts.length)}`);
+  }
+  
   log(`  Unused:                     ${chalk.red(unusedDeps.length)}`);
   log(`  Outdated:                   ${chalk.yellow(outdatedDeps.length)}\n`);
   
   logDivider();
   
-  if (unusedDeps.length > 0) {
-    logSection('💡 QUICK WIN');
-    log('  Clean up unused dependencies:\n');
-    
-    const packagesToRemove = unusedDeps
-      .map(d => d.name)
-      .join(' ');
+  // QUICK WINS
+  displayQuickWins(alerts, unusedDeps, outdatedDeps, score, totalDeps);
+}
+
+function displayQuickWins(alerts, unusedDeps, outdatedDeps, score, totalDeps) {
+  const hasCriticalAlerts = alerts.some(a => a.severity === 'critical' || a.severity === 'high');
+  
+  if (hasCriticalAlerts || unusedDeps.length > 0) {
+    logSection('💡 QUICK WINS');
     
-    log(chalk.cyan(`  npm uninstall ${packagesToRemove}\n`));
+    // Fix critical alerts first
+    if (hasCriticalAlerts) {
+      const criticalAlerts = alerts.filter(a => a.severity === 'critical' || a.severity === 'high');
+      
+      log('  🔴 Fix critical issues:\n');
+      
+      criticalAlerts.forEach(alert => {
+        if (alert.fix && alert.fix.includes('.')) {
+          // It's a version number
+          log(chalk.cyan(`  npm install ${alert.package}@${alert.fix}`));
+        } else {
+          log(chalk.gray(`  ${alert.package}: ${alert.fix}`));
+        }
+      });
+      
+      log('');
+    }
     
-    log('  Expected impact:');
-    log(`  ${chalk.green('✓')} Remove ${unusedDeps.length} unused package${unusedDeps.length > 1 ? 's' : ''}`);
-    log(`  ${chalk.green('✓')} Reduce node_modules size`);
+    // Remove unused deps
+    if (unusedDeps.length > 0) {
+      log('  🧹 Clean up unused dependencies:\n');
+      
+      const packagesToRemove = unusedDeps.map(d => d.name).join(' ');
+      log(chalk.cyan(`  npm uninstall ${packagesToRemove}\n`));
+    }
     
+    // Show expected impact
+    const alertPenalty = calculateAlertPenalty(alerts.filter(a => a.severity !== 'critical' && a.severity !== 'high'));
     const improvedScore = calculateScore(
       totalDeps - unusedDeps.length,
       0,
-      outdatedDeps.length
+      outdatedDeps.length,
+      alerts.length - alerts.filter(a => a.severity === 'critical' || a.severity === 'high').length,
+      alertPenalty
     );
     
+    log('  Expected impact:');
+    
+    if (hasCriticalAlerts) {
+      log(`  ${chalk.green('✓')} Resolve critical security/stability issues`);
+    }
+    
+    if (unusedDeps.length > 0) {
+      log(`  ${chalk.green('✓')} Remove ${unusedDeps.length} unused package${unusedDeps.length > 1 ? 's' : ''}`);
+      log(`  ${chalk.green('✓')} Reduce node_modules size`);
+    }
+    
     const improvedScoreColor = getScoreColor(improvedScore.total);
     log(`  ${chalk.green('✓')} Improve health score → ${improvedScoreColor(improvedScore.total + '/10')}\n`);
     

package/src/commands/fix.js

@@ -0,0 +1,246 @@
+const chalk = require('chalk');
+const ora = require('ora');
+const { execSync } = require('child_process');
+const readline = require('readline');
+
+const { findUnusedDeps } = require('../analyzers/unused-deps');
+const { findOutdatedDeps } = require('../analyzers/outdated');
+const { checkEcosystemAlerts } = require('../alerts');
+const { getSeverityDisplay } = require('../alerts/formatter');
+
+async function fix(options) {
+  const projectPath = options.path || process.cwd();
+  
+  console.log('\n');
+  console.log(chalk.cyan.bold('🔧 DevCompass Fix') + ' - Analyzing and fixing your project...\n');
+  
+  const spinner = ora({
+    text: 'Analyzing project...',
+    color: 'cyan'
+  }).start();
+  
+  try {
+    const fs = require('fs');
+    const path = require('path');
+    const packageJsonPath = path.join(projectPath, 'package.json');
+    
+    if (!fs.existsSync(packageJsonPath)) {
+      spinner.fail(chalk.red('No package.json found'));
+      process.exit(1);
+    }
+    
+    const projectPackageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8'));
+    const dependencies = {
+      ...(projectPackageJson.dependencies || {}),
+      ...(projectPackageJson.devDependencies || {})
+    };
+    
+    // Check for critical alerts first
+    spinner.text = 'Checking for critical issues...';
+    const alerts = await checkEcosystemAlerts(projectPath, dependencies);
+    const criticalAlerts = alerts.filter(a => a.severity === 'critical' || a.severity === 'high');
+    
+    // Find unused dependencies
+    spinner.text = 'Finding unused dependencies...';
+    const unusedDeps = await findUnusedDeps(projectPath, dependencies);
+    
+    // Find outdated packages
+    spinner.text = 'Checking for updates...';
+    const outdatedDeps = await findOutdatedDeps(projectPath, dependencies);
+    
+    spinner.succeed(chalk.green('Analysis complete!\n'));
+    
+    // Show what will be fixed
+    await showFixPlan(criticalAlerts, unusedDeps, outdatedDeps, options);
+    
+  } catch (error) {
+    spinner.fail(chalk.red('Analysis failed'));
+    console.log(chalk.red(`\n❌ Error: ${error.message}\n`));
+    process.exit(1);
+  }
+}
+
+async function showFixPlan(criticalAlerts, unusedDeps, outdatedDeps, options) {
+  const actions = [];
+  
+  // Critical alerts
+  if (criticalAlerts.length > 0) {
+    console.log(chalk.red.bold('🔴 CRITICAL ISSUES TO FIX:\n'));
+    
+    criticalAlerts.forEach(alert => {
+      const display = getSeverityDisplay(alert.severity);
+      console.log(`${display.emoji} ${chalk.bold(alert.package)}@${alert.version}`);
+      console.log(`   ${chalk.gray('Issue:')} ${alert.title}`);
+      
+      if (alert.fix && /^\d+\.\d+/.test(alert.fix)) {
+        console.log(`   ${chalk.green('Fix:')} Upgrade to ${alert.fix}\n`);
+        actions.push({
+          type: 'upgrade',
+          package: alert.package,
+          version: alert.fix,
+          reason: 'Critical security/stability issue'
+        });
+      } else {
+        console.log(`   ${chalk.yellow('Fix:')} ${alert.fix}\n`);
+      }
+    });
+    
+    console.log('━'.repeat(70) + '\n');
+  }
+  
+  // Unused dependencies
+  if (unusedDeps.length > 0) {
+    console.log(chalk.yellow.bold('🧹 UNUSED DEPENDENCIES TO REMOVE:\n'));
+    
+    unusedDeps.forEach(dep => {
+      console.log(`  ${chalk.red('●')} ${dep.name}`);
+      actions.push({
+        type: 'uninstall',
+        package: dep.name,
+        reason: 'Not used in project'
+      });
+    });
+    
+    console.log('\n' + '━'.repeat(70) + '\n');
+  }
+  
+  // Safe updates (patch/minor only)
+  const safeUpdates = outdatedDeps.filter(dep => 
+    dep.versionsBehind === 'patch update' || dep.versionsBehind === 'minor update'
+  );
+  
+  if (safeUpdates.length > 0) {
+    console.log(chalk.cyan.bold('⬆️  SAFE UPDATES (patch/minor):\n'));
+    
+    safeUpdates.forEach(dep => {
+      console.log(`  ${dep.name}: ${chalk.yellow(dep.current)} → ${chalk.green(dep.latest)} ${chalk.gray(`(${dep.versionsBehind})`)}`);
+      actions.push({
+        type: 'update',
+        package: dep.name,
+        version: dep.latest,
+        reason: dep.versionsBehind
+      });
+    });
+    
+    console.log('\n' + '━'.repeat(70) + '\n');
+  }
+  
+  // Major updates (show but don't auto-apply)
+  const majorUpdates = outdatedDeps.filter(dep => dep.versionsBehind === 'major update');
+  
+  if (majorUpdates.length > 0) {
+    console.log(chalk.gray.bold('⚠️  MAJOR UPDATES (skipped - may have breaking changes):\n'));
+    
+    majorUpdates.forEach(dep => {
+      console.log(`  ${chalk.gray(dep.name)}: ${dep.current} → ${dep.latest}`);
+    });
+    
+    console.log(chalk.gray('\n  Run these manually after reviewing changelog:\n'));
+    majorUpdates.forEach(dep => {
+      console.log(chalk.gray(`  npm install ${dep.name}@${dep.latest}`));
+    });
+    
+    console.log('\n' + '━'.repeat(70) + '\n');
+  }
+  
+  if (actions.length === 0) {
+    console.log(chalk.green('✨ Everything looks good! No fixes needed.\n'));
+    return;
+  }
+  
+  // Summary
+  console.log(chalk.bold('📊 FIX SUMMARY:\n'));
+  console.log(`  Critical fixes:  ${criticalAlerts.length}`);
+  console.log(`  Remove unused:   ${unusedDeps.length}`);
+  console.log(`  Safe updates:    ${safeUpdates.length}`);
+  console.log(`  Skipped major:   ${majorUpdates.length}\n`);
+  
+  console.log('━'.repeat(70) + '\n');
+  
+  // Confirm
+  if (options.yes) {
+    await applyFixes(actions);
+  } else {
+    const confirmed = await askConfirmation('\n❓ Apply these fixes?');
+    
+    if (confirmed) {
+      await applyFixes(actions);
+    } else {
+      console.log(chalk.yellow('\n⚠️  Fix cancelled. No changes made.\n'));
+    }
+  }
+}
+
+async function applyFixes(actions) {
+  console.log(chalk.cyan.bold('\n🔧 Applying fixes...\n'));
+  
+  const spinner = ora('Processing...').start();
+  
+  try {
+    // Group by type
+    const toUninstall = actions.filter(a => a.type === 'uninstall').map(a => a.package);
+    const toUpgrade = actions.filter(a => a.type === 'upgrade');
+    const toUpdate = actions.filter(a => a.type === 'update');
+    
+    // Uninstall unused
+    if (toUninstall.length > 0) {
+      spinner.text = `Removing ${toUninstall.length} unused packages...`;
+      
+      const cmd = `npm uninstall ${toUninstall.join(' ')}`;
+      execSync(cmd, { stdio: 'pipe' });
+      
+      spinner.succeed(chalk.green(`✅ Removed ${toUninstall.length} unused packages`));
+      spinner.start();
+    }
+    
+    // Upgrade critical packages
+    for (const action of toUpgrade) {
+      spinner.text = `Fixing ${action.package}@${action.version}...`;
+      
+      const cmd = `npm install ${action.package}@${action.version}`;
+      execSync(cmd, { stdio: 'pipe' });
+      
+      spinner.succeed(chalk.green(`✅ Fixed ${action.package}@${action.version}`));
+      spinner.start();
+    }
+    
+    // Update safe packages
+    if (toUpdate.length > 0) {
+      spinner.text = `Updating ${toUpdate.length} packages...`;
+      
+      for (const action of toUpdate) {
+        const cmd = `npm install ${action.package}@${action.version}`;
+        execSync(cmd, { stdio: 'pipe' });
+      }
+      
+      spinner.succeed(chalk.green(`✅ Updated ${toUpdate.length} packages`));
+    } else {
+      spinner.stop();
+    }
+    
+    console.log(chalk.green.bold('\n✨ All fixes applied successfully!\n'));
+    console.log(chalk.cyan('💡 Run') + chalk.bold(' devcompass analyze ') + chalk.cyan('to see the new health score.\n'));
+    
+  } catch (error) {
+    spinner.fail(chalk.red('Fix failed'));
+    console.log(chalk.red(`\n❌ Error: ${error.message}\n`));
+    console.log(chalk.yellow('💡 You may need to fix this manually.\n'));
+    process.exit(1);
+  }
+}
+
+function askConfirmation(question) {
+  const rl = readline.createInterface({
+    input: process.stdin,
+    output: process.stdout
+  });
+  
+  return new Promise(resolve => {
+    rl.question(chalk.cyan(question) + chalk.gray(' (y/N): '), answer => {
+      rl.close();
+      resolve(answer.toLowerCase() === 'y' || answer.toLowerCase() === 'yes');
+    });
+  });
+}
+
+module.exports = { fix };

package/src/config/loader.js

@@ -0,0 +1,29 @@
+const fs = require('fs');
+const path = require('path');
+
+function loadConfig(projectPath) {
+  const configPath = path.join(projectPath, 'devcompass.config.json');
+  
+  if (!fs.existsSync(configPath)) {
+    return getDefaultConfig();
+  }
+  
+  try {
+    const config = JSON.parse(fs.readFileSync(configPath, 'utf8'));
+    return { ...getDefaultConfig(), ...config };
+  } catch (error) {
+    console.warn('Warning: Could not parse devcompass.config.json, using defaults');
+    return getDefaultConfig();
+  }
+}
+
+function getDefaultConfig() {
+  return {
+    ignore: [],
+    ignoreSeverity: [],
+    minScore: 0,
+    cache: true
+  };
+}
+
+module.exports = { loadConfig };