npm - devcompass - Versions diffs - 2.2.0 → 2.3.0 - Mend

devcompass 2.2.0 → 2.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/README.md +248 -179
package/package.json +6 -3
package/src/alerts/predictive.js +54 -0
package/src/analyzers/bundle-size.js +85 -0
package/src/analyzers/licenses.js +107 -0
package/src/analyzers/scoring.js +18 -4
package/src/analyzers/security.js +111 -0
package/src/commands/analyze.js +183 -17
package/src/utils/json-formatter.js +37 -3

package/README.md CHANGED Viewed

@@ -6,22 +6,24 @@
 [![npm downloads](https://img.shields.io/npm/dm/devcompass.svg)](https://www.npmjs.com/package/devcompass)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
-Analyze your JavaScript projects to find unused dependencies, outdated packages, **detect known security issues**, and **automatically fix them** with a single command. Perfect for **CI/CD pipelines** with JSON output and exit codes.
+Analyze your JavaScript projects to find unused dependencies, outdated packages, **detect security vulnerabilities**, **check bundle sizes**, **verify licenses**, and **automatically fix issues** with a single command. Perfect for **CI/CD pipelines** with JSON output and exit codes.
+> **NEW in v2.3:** Security scanning, bundle analysis & license checker! 🔐
 > **NEW in v2.2:** CI/CD integration with JSON output & smart caching! 🚀
 > **NEW in v2.1:** Auto-fix command! 🔧 Fix critical issues automatically!
 > **NEW in v2.0:** Real-time ecosystem alerts for known issues! 🚨
 ## ✨ Features
-- 🚀 **CI/CD Integration** (NEW in v2.2!) - JSON output, exit codes, and silent mode
-- ⚡ **Smart Caching** (NEW in v2.2!) - 70% faster on repeated runs
-- 🎛️ **Advanced Filtering** (NEW in v2.2!) - Control alerts by severity level
+- 🔐 **Security Scanning** (NEW in v2.3!) - npm audit integration with severity breakdown
+- 📦 **Bundle Size Analysis** (NEW in v2.3!) - Identify heavy packages (> 1MB)
+- ⚖️ **License Checker** (NEW in v2.3!) - Detect restrictive licenses (GPL, AGPL)
+- 🚀 **CI/CD Integration** (v2.2) - JSON output, exit codes, and silent mode
+- ⚡ **Smart Caching** (v2.2) - 70% faster on repeated runs
+- 🎛️ **Advanced Filtering** (v2.2) - Control alerts by severity level
 - 🔧 **Auto-Fix Command** (v2.1) - Fix issues automatically with one command
 - 🚨 **Ecosystem Intelligence** (v2.0) - Detect known issues before they break production
 - 🔍 **Detect unused dependencies** - Find packages you're not actually using
-- 📦 **Check for outdated packages** - See what needs updating
-- 🔐 **Security alerts** - Critical vulnerabilities and deprecated packages
 - 📊 **Project health score** - Get a 0-10 rating for your dependencies
 - 🎨 **Beautiful terminal UI** - Colored output with severity indicators
 - 🔧 **Framework-aware** - Handles React, Next.js, Angular, NestJS, PostCSS, Tailwind
@@ -63,7 +65,155 @@ devcompass analyze --ci
 devcompass analyze --silent
 ```
-## 🚀 NEW in v2.2: CI/CD Integration
+## 🔐 NEW in v2.3: Security & Compliance Features
+### Security Vulnerability Scanning
+DevCompass now integrates with **npm audit** to detect security vulnerabilities automatically!
+**Example Output:**
+```
+🔐 SECURITY VULNERABILITIES (12)
+  🔴 CRITICAL: 2
+  🟠 HIGH: 4
+  🟡 MODERATE: 5
+  ⚪ LOW: 1
+  Run npm audit fix to fix vulnerabilities
+```
+**How it works:**
+1. Runs `npm audit` in the background
+2. Parses vulnerability data
+3. Shows severity breakdown
+4. Impacts health score (-2.5 per critical issue)
+5. Suggests fix commands
+**Health Score Impact:**
+- Critical: −2.5 points each
+- High: −1.5 points each
+- Moderate: −0.5 points each
+- Low: −0.2 points each
+### Bundle Size Analysis
+Identify large dependencies that bloat your `node_modules`!
+**Example Output:**
+```
+📦 HEAVY PACKAGES (3)
+  Packages larger than 1MB:
+  webpack                   2.3 MB
+  typescript                8.1 MB
+  @tensorflow/tfjs          12.4 MB
+```
+**Perfect for:**
+- Frontend developers optimizing bundle size
+- Identifying unnecessary large dependencies
+- Web performance optimization
+- Docker image size reduction
+### License Compliance Checker
+Detect restrictive licenses that may require legal review!
+**Example Output:**
+```
+⚖️ LICENSE WARNINGS (2)
+  sharp - Restrictive (LGPL-3.0)
+  custom-lib - Unknown (UNLICENSED)
+  Note: Restrictive licenses may require legal review
+```
+**What gets flagged:**
+- **Restrictive licenses:** GPL, AGPL, LGPL (may require source code disclosure)
+- **Unknown licenses:** Packages without license information
+- **Unlicensed packages:** Legal risk for commercial use
+**Supported licenses:**
+- ✅ **Safe:** MIT, Apache-2.0, BSD, ISC, CC0
+- ⚠️ **Restrictive:** GPL, AGPL, LGPL
+- ❓ **Unknown:** Missing or custom licenses
+### Combined Analysis Example (v2.3)
+**Full Output:**
+```
+🔍 DevCompass v2.3.0 - Analyzing your project...
+✔ Scanned 25 dependencies in project
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+🔐 SECURITY VULNERABILITIES (5)
+  🔴 CRITICAL: 1
+  🟠 HIGH: 2
+  🟡 MODERATE: 2
+  Run npm audit fix to fix vulnerabilities
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+🚨 ECOSYSTEM ALERTS (1)
+🟠 HIGH
+  axios@1.6.0
+    Issue: Memory leak in request interceptors
+    Fix: 1.6.2
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+📦 HEAVY PACKAGES (2)
+  Packages larger than 1MB:
+  typescript                8.1 MB
+  webpack                   2.3 MB
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+⚖️ LICENSE WARNINGS (1)
+  sharp - Restrictive (LGPL-3.0)
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+📊 PROJECT HEALTH
+  Overall Score:              6.2/10
+  Total Dependencies:         25
+  Security Vulnerabilities:   5
+  Ecosystem Alerts:           1
+  Unused:                     0
+  Outdated:                   3
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+💡 QUICK WINS
+  🔐 Fix security vulnerabilities:
+  npm audit fix
+  🔴 Fix critical issues:
+  npm install axios@1.6.2
+  Expected impact:
+  ✓ Resolve security vulnerabilities
+  ✓ Resolve critical stability issues
+  ✓ Improve health score → 8.7/10
+💡 TIP: Run 'devcompass fix' to apply these fixes automatically!
+```
+## 🚀 CI/CD Integration (v2.2)
 ### JSON Output
 Perfect for parsing in CI/CD pipelines:
@@ -71,26 +221,43 @@ Perfect for parsing in CI/CD pipelines:
 devcompass analyze --json
 ```
-**Output:**
+**Output (v2.3):**
 ```json
 {
-  "version": "2.2.0",
-  "timestamp": "2026-04-01T15:51:10.395Z",
+  "version": "2.3.0",
+  "timestamp": "2026-04-02T10:30:00.000Z",
   "summary": {
-    "healthScore": 7.5,
-    "totalDependencies": 15,
-    "ecosystemAlerts": 2,
-    "unusedDependencies": 3,
-    "outdatedPackages": 5
+    "healthScore": 6.2,
+    "totalDependencies": 25,
+    "securityVulnerabilities": 5,
+    "ecosystemAlerts": 1,
+    "unusedDependencies": 0,
+    "outdatedPackages": 3,
+    "heavyPackages": 2,
+    "licenseWarnings": 1
+  },
+  "security": {
+    "total": 5,
+    "critical": 1,
+    "high": 2,
+    "moderate": 2,
+    "low": 0,
+    "vulnerabilities": [...]
+  },
+  "bundleAnalysis": {
+    "heavyPackages": [
+      { "name": "typescript", "size": "8.1 MB" },
+      { "name": "webpack", "size": "2.3 MB" }
+    ]
+  },
+  "licenses": {
+    "warnings": [
+      { "package": "sharp", "license": "LGPL-3.0", "type": "restrictive" }
+    ]
   },
   "ecosystemAlerts": [...],
   "unusedDependencies": [...],
-  "outdatedPackages": [...],
-  "scoreBreakdown": {
-    "unusedPenalty": 0.8,
-    "outdatedPenalty": 1.7,
-    "alertsPenalty": 3.5
-  }
+  "outdatedPackages": [...]
 }
 ```
@@ -115,8 +282,8 @@ jobs:
     steps:
       - uses: actions/checkout@v3
       - uses: actions/setup-node@v3
-      - run: npm install -g devcompass
-      - run: devcompass analyze --ci
+      - run: npm install
+      - run: npx devcompass analyze --ci
 ```
 ### Silent Mode
@@ -126,15 +293,23 @@ devcompass analyze --silent
 echo $?  # Check exit code
 ```
-## ⚡ NEW in v2.2: Smart Caching
+## ⚡ Smart Caching (v2.2)
-DevCompass now caches results to improve performance:
+DevCompass caches results to improve performance:
 - **First run:** Normal speed (fetches all data)
 - **Cached runs:** ~70% faster
 - **Cache duration:** 1 hour
 - **Cache file:** `.devcompass-cache.json` (auto-gitignored)
+**What gets cached:**
+- Security vulnerabilities
+- Ecosystem alerts
+- Unused dependencies
+- Outdated packages
+- Bundle sizes
+- License information
 **Disable caching:**
 ```json
 // devcompass.config.json
@@ -143,7 +318,7 @@ DevCompass now caches results to improve performance:
 }
 ```
-## 🎛️ NEW in v2.2: Advanced Configuration
+## 🎛️ Advanced Configuration (v2.2)
 Create `devcompass.config.json` in your project root:
 ```json
@@ -174,32 +349,33 @@ Create `devcompass.config.json` in your project root:
 ### Example Configurations
-**Only show critical security issues:**
+**Security-focused (strict):**
 ```json
 {
   "minSeverity": "critical",
-  "minScore": 8
+  "minScore": 9
 }
 ```
-**Ignore low-priority alerts:**
+**Balanced (recommended):**
 ```json
 {
-  "ignoreSeverity": ["low"]
+  "ignoreSeverity": ["low"],
+  "minScore": 7
 }
 ```
-**Strict CI mode:**
+**Relaxed (development):**
 ```json
 {
-  "minScore": 9,
-  "minSeverity": "high"
+  "ignoreSeverity": ["low", "medium"],
+  "minScore": 5
 }
 ```
-## 🔧 Auto-Fix Command
+## 🔧 Auto-Fix Command (v2.1)
-DevCompass can now **automatically fix issues** in your project!
+DevCompass can **automatically fix issues** in your project!
 ### What it does:
 - 🔴 **Fixes critical security issues** - Upgrades packages with known vulnerabilities
@@ -220,67 +396,6 @@ devcompass fix -y
 devcompass fix --path /path/to/project
 ```
-### Example Output
-```
-🔧 DevCompass Fix - Analyzing and fixing your project...
-🔴 CRITICAL ISSUES TO FIX:
-🔴 lodash@4.17.19
-   Issue: Prototype pollution vulnerability
-   Fix: Upgrade to 4.17.21
-🟠 axios@1.6.0
-   Issue: Memory leak in request interceptors
-   Fix: Upgrade to 1.6.2
-━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-🧹 UNUSED DEPENDENCIES TO REMOVE:
-  ● moment
-  ● express
-━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-⬆️  SAFE UPDATES (patch/minor):
-  react-dom: 18.2.0 → 18.2.1 (patch update)
-━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-⚠️  MAJOR UPDATES (skipped - may have breaking changes):
-  express: 4.18.0 → 5.2.1
-  Run these manually after reviewing changelog:
-  npm install express@5.2.1
-━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-📊 FIX SUMMARY:
-  Critical fixes:  2
-  Remove unused:   2
-  Safe updates:    1
-  Skipped major:   1
-━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-❓ Apply these fixes? (y/N): y
-🔧 Applying fixes...
-✔ ✅ Removed 2 unused packages
-✔ ✅ Fixed lodash@4.17.21
-✔ ✅ Fixed axios@1.6.2
-✔ ✅ Updated 1 packages
-✨ All fixes applied successfully!
-💡 Run devcompass analyze to see the new health score.
-```
 ### Safety Features
 - ✅ Shows what will be changed before applying
 - ✅ Requires confirmation (unless `--yes` flag used)
@@ -300,74 +415,7 @@ devcompass fix
 devcompass analyze
 ```
-## 📊 Analyze Command
-### Example Output (v2.2)
-```
-🔍 DevCompass v2.2.0 - Analyzing your project...
-✔ Scanned 15 dependencies in project
-━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-🚨 ECOSYSTEM ALERTS (2)
-🔴 CRITICAL
-  lodash@4.17.19
-    Issue: Prototype pollution vulnerability
-    Affected: <4.17.21
-    Fix: 4.17.21
-    Source: npm advisory 1523
-🟠 HIGH
-  axios@1.6.0
-    Issue: Memory leak in request interceptors
-    Affected: >=1.5.0 <1.6.2
-    Fix: 1.6.2
-    Source: GitHub Issue #5456
-━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-🔴 UNUSED DEPENDENCIES (2)
-  ● moment
-  ● request
-━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-🟡 OUTDATED PACKAGES (3)
-  react          18.2.0 → ^19.0.0  (major update)
-  express        4.18.0 → ^4.19.0  (patch update)
-━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-📊 PROJECT HEALTH
-  Overall Score:       5.5/10
-  Total Dependencies:  15
-  Ecosystem Alerts:    2
-  Unused:              2
-  Outdated:            3
-━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-💡 QUICK WINS
-  🔴 Fix critical issues:
-  npm install lodash@4.17.21
-  npm install axios@1.6.2
-  🧹 Clean up unused dependencies:
-  npm uninstall moment request
-  Expected impact:
-  ✓ Resolve critical security/stability issues
-  ✓ Remove 2 unused packages
-  ✓ Reduce node_modules size
-  ✓ Improve health score → 8.5/10
-💡 TIP: Run 'devcompass fix' to apply these fixes automatically!
-```
-## 🚨 Ecosystem Intelligence
+## 🚨 Ecosystem Intelligence (v2.0)
 DevCompass tracks **real-world issues** in popular packages and warns you before they break production!
@@ -420,11 +468,12 @@ DevCompass won't flag these as unused (they're typically used in config files):
 - Shows current vs latest versions
 - Indicates update type (major/minor/patch)
-### Health Score (Enhanced in v2.0)
+### Health Score (Enhanced in v2.3)
 Calculated from 0-10 based on:
 - Percentage of unused dependencies (−4 points per 100%)
 - Percentage of outdated packages (−3 points per 100%)
 - Ecosystem alerts by severity (−0.2 to −2.0 per issue)
+- Security vulnerabilities by severity (−0.2 to −2.5 per issue)
 - Higher score = healthier project
 ## ⚙️ Commands & Options
@@ -511,6 +560,21 @@ if [ $? -ne 0 ]; then
 fi
 ```
+### Security-Focused Workflow
+```bash
+# 1. Run security scan
+devcompass analyze
+# 2. Check for critical vulnerabilities
+devcompass analyze --json | jq '.security.critical'
+# 3. Auto-fix if possible
+npm audit fix
+# 4. Verify fixes
+devcompass analyze
+```
 ## ⚠️ Known Issues & Best Practices
 ### Installation
@@ -543,12 +607,14 @@ If you encounter a false positive, please [report it](https://github.com/AjayBTh
 1. **Run regularly** - Add to your CI/CD pipeline or git hooks
 2. **Use fix command** - Let DevCompass handle routine maintenance
-3. **Configure severity levels** - Filter out noise with `minSeverity`
-4. **Enable CI mode** - Catch issues before they reach production
-5. **Use JSON output** - Integrate with your monitoring tools
-6. **Fix critical alerts first** - Prioritize security and stability
-7. **Review major updates** - Always check changelogs before major version bumps
-8. **Verify before uninstalling** - DevCompass helps identify candidates, but always verify
+3. **Check security first** - Prioritize fixing critical vulnerabilities
+4. **Monitor bundle size** - Keep an eye on heavy packages
+5. **Review licenses** - Ensure compliance with your legal requirements
+6. **Configure severity levels** - Filter out noise with `minSeverity`
+7. **Enable CI mode** - Catch issues before they reach production
+8. **Use JSON output** - Integrate with your monitoring tools
+9. **Review major updates** - Always check changelogs before major version bumps
+10. **Verify before uninstalling** - DevCompass helps identify candidates, but always verify
 ## 🤝 Contributing
@@ -632,18 +698,21 @@ Check out DevCompass stats:
 ## 🌟 What's Next?
-### Roadmap (v2.3+)
+### Roadmap (v2.4+)
 - [x] ~~Automatic fix command~~ ✅ **Added in v2.1!**
 - [x] ~~CI/CD integration with JSON output~~ ✅ **Added in v2.2!**
 - [x] ~~Smart caching system~~ ✅ **Added in v2.2!**
 - [x] ~~Custom ignore rules via config file~~ ✅ **Added in v2.2!**
-- [ ] Integration with `npm audit` for automated security scanning
-- [ ] GitHub Issues API for real-time issue tracking
-- [ ] Web dashboard for team health monitoring
-- [ ] More tracked packages (React, Next.js, Vue, Angular)
-- [ ] Bundle size analysis
-- [ ] Automated security patch suggestions
-- [ ] Team collaboration features
+- [x] ~~npm audit integration~~ ✅ **Added in v2.3!**
+- [x] ~~Bundle size analysis~~ ✅ **Added in v2.3!**
+- [x] ~~License compliance checker~~ ✅ **Added in v2.3!**
+- [ ] GitHub Issues API for real-time issue tracking (v2.4.0)
+- [ ] Automated security patch suggestions (v2.4.0)
+- [ ] Dependency graph visualization (v2.5.0)
+- [ ] Web dashboard for team health monitoring (v2.5.0)
+- [ ] More tracked packages (React, Next.js, Vue, Angular) (v2.5.0)
+- [ ] Team collaboration features (v2.6.0)
+- [ ] Slack/Discord notifications (v2.6.0)
 Want to contribute? Pick an item and open an issue! 🚀

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "devcompass",
-  "version": "2.2.0",
+  "version": "2.3.0",
   "description": "Dependency health checker with ecosystem intelligence for JavaScript/TypeScript projects",
   "main": "src/index.js",
   "bin": {
@@ -33,7 +33,10 @@
     "ci-cd",
     "automation",
     "caching",
-    "json-output"
+    "json-output",
+    "npm-audit",
+    "bundle-size",
+    "license-checker"
   ],
   "author": "Ajay Thorat <ajaythorat988@gmail.com>",
   "license": "MIT",
@@ -56,4 +59,4 @@
     "url": "https://github.com/AjayBThorat-20/devcompass/issues"
   },
   "homepage": "https://github.com/AjayBThorat-20/devcompass#readme"
-}
+}

package/src/alerts/predictive.js ADDED Viewed

@@ -0,0 +1,54 @@
+// src/alerts/predictive.js
+/**
+ * Analyze package health trends
+ * NOTE: This is a simplified version without GitHub API
+ * For production, integrate with GitHub Issues API
+ */
+async function analyzeTrends(packageName) {
+  // Placeholder for future GitHub API integration
+  // For now, return basic analysis
+  return {
+    package: packageName,
+    recentIssues: 0,
+    trend: 'stable',
+    recommendation: null
+  };
+}
+/**
+ * Calculate risk score based on trends
+ */
+function calculateRiskScore(trends) {
+  let risk = 0;
+  // High issue activity = higher risk
+  if (trends.recentIssues > 20) {
+    risk += 3;
+  } else if (trends.recentIssues > 10) {
+    risk += 2;
+  } else if (trends.recentIssues > 5) {
+    risk += 1;
+  }
+  return risk;
+}
+/**
+ * Generate predictive warnings
+ */
+function generatePredictiveWarnings(packages) {
+  const warnings = [];
+  // This is a placeholder
+  // In production, this would analyze GitHub activity
+  return warnings;
+}
+module.exports = {
+  analyzeTrends,
+  calculateRiskScore,
+  generatePredictiveWarnings
+};

package/src/analyzers/bundle-size.js ADDED Viewed

@@ -0,0 +1,85 @@
+// src/analyzers/bundle-size.js
+const path = require('path');
+const fs = require('fs');
+/**
+ * Get package sizes from node_modules
+ */
+async function analyzeBundleSizes(projectPath, dependencies) {
+  const sizes = [];
+  for (const packageName of Object.keys(dependencies)) {
+    try {
+      const packagePath = path.join(projectPath, 'node_modules', packageName);
+      if (!fs.existsSync(packagePath)) {
+        continue;
+      }
+      const size = await getDirectorySize(packagePath);
+      const sizeInKB = Math.round(size / 1024);
+      sizes.push({
+        name: packageName,
+        size: sizeInKB,
+        sizeFormatted: formatSize(sizeInKB)
+      });
+    } catch (error) {
+      // Skip packages we can't measure
+      continue;
+    }
+  }
+  // Sort by size (largest first)
+  sizes.sort((a, b) => b.size - a.size);
+  return sizes;
+}
+/**
+ * Get total size of directory recursively
+ */
+function getDirectorySize(dirPath) {
+  let totalSize = 0;
+  const items = fs.readdirSync(dirPath);
+  for (const item of items) {
+    const itemPath = path.join(dirPath, item);
+    const stats = fs.statSync(itemPath);
+    if (stats.isFile()) {
+      totalSize += stats.size;
+    } else if (stats.isDirectory()) {
+      totalSize += getDirectorySize(itemPath);
+    }
+  }
+  return totalSize;
+}
+/**
+ * Format size in human-readable format
+ */
+function formatSize(kb) {
+  if (kb < 1024) {
+    return `${kb} KB`;
+  } else {
+    const mb = (kb / 1024).toFixed(1);
+    return `${mb} MB`;
+  }
+}
+/**
+ * Identify heavy packages (> 1MB)
+ */
+function findHeavyPackages(sizes) {
+  return sizes.filter(pkg => pkg.size > 1024); // > 1MB
+}
+module.exports = {
+  analyzeBundleSizes,
+  findHeavyPackages,
+  formatSize
+};

package/src/analyzers/licenses.js ADDED Viewed

@@ -0,0 +1,107 @@
+// src/analyzers/licenses.js
+const path = require('path');
+const fs = require('fs');
+// Restrictive licenses that might cause issues
+const RESTRICTIVE_LICENSES = [
+  'GPL',
+  'GPL-2.0',
+  'GPL-3.0',
+  'AGPL',
+  'AGPL-3.0',
+  'LGPL',
+  'LGPL-2.1',
+  'LGPL-3.0'
+];
+// Permissive licenses (usually safe)
+const PERMISSIVE_LICENSES = [
+  'MIT',
+  'Apache-2.0',
+  'BSD-2-Clause',
+  'BSD-3-Clause',
+  'ISC',
+  'CC0-1.0',
+  'Unlicense'
+];
+/**
+ * Check licenses of all dependencies
+ */
+async function checkLicenses(projectPath, dependencies) {
+  const licenses = [];
+  for (const [packageName, version] of Object.entries(dependencies)) {
+    try {
+      const packageJsonPath = path.join(
+        projectPath,
+        'node_modules',
+        packageName,
+        'package.json'
+      );
+      if (!fs.existsSync(packageJsonPath)) {
+        continue;
+      }
+      const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8'));
+      const license = packageJson.license || 'UNKNOWN';
+      licenses.push({
+        package: packageName,
+        license: license,
+        type: getLicenseType(license)
+      });
+    } catch (error) {
+      // Skip packages we can't read
+      continue;
+    }
+  }
+  return licenses;
+}
+/**
+ * Determine license type
+ */
+function getLicenseType(license) {
+  const licenseStr = String(license).toUpperCase();
+  // Check for restrictive licenses
+  for (const restrictive of RESTRICTIVE_LICENSES) {
+    if (licenseStr.includes(restrictive)) {
+      return 'restrictive';
+    }
+  }
+  // Check for permissive licenses
+  for (const permissive of PERMISSIVE_LICENSES) {
+    if (licenseStr.includes(permissive)) {
+      return 'permissive';
+    }
+  }
+  // Unknown or custom license
+  if (licenseStr === 'UNKNOWN' || licenseStr === 'UNLICENSED') {
+    return 'unknown';
+  }
+  return 'other';
+}
+/**
+ * Find problematic licenses
+ */
+function findProblematicLicenses(licenses) {
+  return licenses.filter(pkg =>
+    pkg.type === 'restrictive' || pkg.type === 'unknown'
+  );
+}
+module.exports = {
+  checkLicenses,
+  findProblematicLicenses,
+  RESTRICTIVE_LICENSES,
+  PERMISSIVE_LICENSES
+};

package/src/analyzers/scoring.js CHANGED Viewed

@@ -1,5 +1,12 @@
 // src/analyzers/scoring.js
-function calculateScore(totalDeps, unusedCount, outdatedCount, alertsCount = 0, alertPenalty = 0) {
+function calculateScore(
+  totalDeps,
+  unusedCount,
+  outdatedCount,
+  alertsCount = 0,
+  alertPenalty = 0,
+  securityPenalty = 0  // NEW
+) {
   let score = 10;
   if (totalDeps === 0) {
@@ -9,9 +16,11 @@ function calculateScore(totalDeps, unusedCount, outdatedCount, alertsCount = 0,
         unused: 0,
         outdated: 0,
         alerts: 0,
+        security: 0,
         unusedPenalty: 0,
         outdatedPenalty: 0,
-        alertsPenalty: 0
+        alertsPenalty: 0,
+        securityPenalty: 0
       }
     };
   }
@@ -26,9 +35,12 @@ function calculateScore(totalDeps, unusedCount, outdatedCount, alertsCount = 0,
   const outdatedPenalty = outdatedRatio * 3;
   score -= outdatedPenalty;
-  // Ecosystem alerts penalty (from formatter.calculateAlertPenalty)
+  // Ecosystem alerts penalty
   score -= alertPenalty;
+  // Security vulnerabilities penalty (NEW)
+  score -= securityPenalty;
   // Ensure score is between 0 and 10
   score = Math.max(0, Math.min(10, score));
@@ -38,9 +50,11 @@ function calculateScore(totalDeps, unusedCount, outdatedCount, alertsCount = 0,
       unused: unusedCount,
       outdated: outdatedCount,
       alerts: alertsCount,
+      security: securityPenalty > 0 ? 1 : 0, // Binary indicator
       unusedPenalty: parseFloat(unusedPenalty.toFixed(1)),
       outdatedPenalty: parseFloat(outdatedPenalty.toFixed(1)),
-      alertsPenalty: parseFloat(alertPenalty.toFixed(1))
+      alertsPenalty: parseFloat(alertPenalty.toFixed(1)),
+      securityPenalty: parseFloat(securityPenalty.toFixed(1))
     }
   };
 }

package/src/analyzers/security.js ADDED Viewed

@@ -0,0 +1,111 @@
+// src/analyzers/security.js
+const { execSync } = require('child_process');
+/**
+ * Run npm audit and parse results
+ */
+async function checkSecurity(projectPath) {
+  try {
+    // Run npm audit in JSON mode
+    const auditOutput = execSync('npm audit --json', {
+      cwd: projectPath,
+      encoding: 'utf8',
+      stdio: ['pipe', 'pipe', 'pipe']
+    });
+    const auditData = JSON.parse(auditOutput);
+    // Extract vulnerabilities
+    const vulnerabilities = [];
+    if (auditData.vulnerabilities) {
+      Object.entries(auditData.vulnerabilities).forEach(([packageName, vuln]) => {
+        vulnerabilities.push({
+          package: packageName,
+          severity: vuln.severity, // critical, high, moderate, low
+          title: vuln.via[0]?.title || 'Security vulnerability',
+          range: vuln.range,
+          fixAvailable: vuln.fixAvailable,
+          cve: vuln.via[0]?.cve || null,
+          url: vuln.via[0]?.url || null
+        });
+      });
+    }
+    return {
+      vulnerabilities,
+      metadata: {
+        total: auditData.metadata?.vulnerabilities?.total || 0,
+        critical: auditData.metadata?.vulnerabilities?.critical || 0,
+        high: auditData.metadata?.vulnerabilities?.high || 0,
+        moderate: auditData.metadata?.vulnerabilities?.moderate || 0,
+        low: auditData.metadata?.vulnerabilities?.low || 0
+      }
+    };
+  } catch (error) {
+    // npm audit returns non-zero exit code when vulnerabilities found
+    // Try to parse the error output
+    try {
+      const auditData = JSON.parse(error.stdout);
+      const vulnerabilities = [];
+      if (auditData.vulnerabilities) {
+        Object.entries(auditData.vulnerabilities).forEach(([packageName, vuln]) => {
+          vulnerabilities.push({
+            package: packageName,
+            severity: vuln.severity,
+            title: vuln.via[0]?.title || 'Security vulnerability',
+            range: vuln.range,
+            fixAvailable: vuln.fixAvailable,
+            cve: vuln.via[0]?.cve || null,
+            url: vuln.via[0]?.url || null
+          });
+        });
+      }
+      return {
+        vulnerabilities,
+        metadata: {
+          total: auditData.metadata?.vulnerabilities?.total || 0,
+          critical: auditData.metadata?.vulnerabilities?.critical || 0,
+          high: auditData.metadata?.vulnerabilities?.high || 0,
+          moderate: auditData.metadata?.vulnerabilities?.moderate || 0,
+          low: auditData.metadata?.vulnerabilities?.low || 0
+        }
+      };
+    } catch (parseError) {
+      // If we can't parse, return empty
+      return {
+        vulnerabilities: [],
+        metadata: {
+          total: 0,
+          critical: 0,
+          high: 0,
+          moderate: 0,
+          low: 0
+        }
+      };
+    }
+  }
+}
+/**
+ * Calculate security penalty for health score
+ */
+function calculateSecurityPenalty(metadata) {
+  let penalty = 0;
+  penalty += metadata.critical * 2.5;  // Critical: -2.5 points each
+  penalty += metadata.high * 1.5;      // High: -1.5 points each
+  penalty += metadata.moderate * 0.5;   // Moderate: -0.5 points each
+  penalty += metadata.low * 0.2;        // Low: -0.2 points each
+  return Math.min(penalty, 5.0); // Cap at 5 points
+}
+module.exports = {
+  checkSecurity,
+  calculateSecurityPenalty
+};

package/src/commands/analyze.js CHANGED Viewed

@@ -8,6 +8,9 @@ const { findUnusedDeps } = require('../analyzers/unused-deps');
 const { findOutdatedDeps } = require('../analyzers/outdated');
 const { calculateScore } = require('../analyzers/scoring');
 const { checkEcosystemAlerts } = require('../alerts');
+const { checkSecurity, calculateSecurityPenalty } = require('../analyzers/security');
+const { analyzeBundleSizes, findHeavyPackages } = require('../analyzers/bundle-size');
+const { checkLicenses, findProblematicLicenses } = require('../analyzers/licenses');
 const {
   formatAlerts,
   getSeverityDisplay,
@@ -34,15 +37,25 @@ async function analyze(options) {
   // Handle output modes
   const outputMode = options.json ? 'json' : (options.ci ? 'ci' : (options.silent ? 'silent' : 'normal'));
-  if (outputMode !== 'silent') {
+  // Only show header for normal and CI modes
+  if (outputMode !== 'silent' && outputMode !== 'json') {
     console.log('\n');
     log(chalk.cyan.bold(`🔍 DevCompass v${packageJson.version}`) + ' - Analyzing your project...\n');
   }
-  const spinner = ora({
-    text: 'Loading project...',
-    color: 'cyan'
-  }).start();
+  // Create spinner (disabled for json/silent modes to prevent EPIPE errors)
+  const spinner = (outputMode === 'json' || outputMode === 'silent')
+    ? {
+        start: function() { return this; },
+        succeed: function() {},
+        fail: function(msg) { if (msg) console.error(msg); },
+        text: '',
+        set text(val) {}
+      }
+    : ora({
+        text: 'Loading project...',
+        color: 'cyan'
+      }).start();
   try {
     const packageJsonPath = path.join(projectPath, 'package.json');
@@ -148,28 +161,95 @@ async function analyze(options) {
       }
     }
+    // Check security vulnerabilities (NEW)
+    spinner.text = 'Checking security vulnerabilities...';
+    let securityData = { vulnerabilities: [], metadata: { total: 0, critical: 0, high: 0, moderate: 0, low: 0 } };
+    if (config.cache) {
+      const cached = getCached(projectPath, 'security');
+      if (cached) securityData = cached;
+    }
+    if (securityData.metadata.total === 0) {
+      try {
+        securityData = await checkSecurity(projectPath);
+        if (config.cache) {
+          setCache(projectPath, 'security', securityData);
+        }
+      } catch (error) {
+        if (outputMode !== 'silent') {
+          console.log(chalk.yellow('\n⚠️  Could not check security vulnerabilities'));
+          console.log(chalk.gray(`   Error: ${error.message}\n`));
+        }
+      }
+    }
+    // Analyze bundle sizes (NEW)
+    spinner.text = 'Analyzing bundle sizes...';
+    let bundleSizes = [];
+    if (config.cache) {
+      const cached = getCached(projectPath, 'bundleSizes');
+      if (cached) bundleSizes = cached;
+    }
+    if (bundleSizes.length === 0) {
+      try {
+        bundleSizes = await analyzeBundleSizes(projectPath, dependencies);
+        if (config.cache && bundleSizes.length > 0) {
+          setCache(projectPath, 'bundleSizes', bundleSizes);
+        }
+      } catch (error) {
+        // Bundle size analysis is optional
+      }
+    }
+    // Check licenses (NEW)
+    spinner.text = 'Checking licenses...';
+    let licenses = [];
+    if (config.cache) {
+      const cached = getCached(projectPath, 'licenses');
+      if (cached) licenses = cached;
+    }
+    if (licenses.length === 0) {
+      try {
+        licenses = await checkLicenses(projectPath, dependencies);
+        if (config.cache && licenses.length > 0) {
+          setCache(projectPath, 'licenses', licenses);
+        }
+      } catch (error) {
+        // License checking is optional
+      }
+    }
+    // Calculate score (UPDATED)
     const alertPenalty = calculateAlertPenalty(alerts);
+    const securityPenalty = calculateSecurityPenalty(securityData.metadata);
     const score = calculateScore(
       totalDeps,
       unusedDeps.length,
       outdatedDeps.length,
       alerts.length,
-      alertPenalty
+      alertPenalty,
+      securityPenalty
     );
     spinner.succeed(chalk.green(`Scanned ${totalDeps} dependencies in project`));
     // Handle different output modes
     if (outputMode === 'json') {
-      const jsonOutput = formatAsJson(alerts, unusedDeps, outdatedDeps, score, totalDeps);
+      const jsonOutput = formatAsJson(alerts, unusedDeps, outdatedDeps, score, totalDeps, securityData, bundleSizes, licenses);
       console.log(jsonOutput);
     } else if (outputMode === 'ci') {
-      displayResults(alerts, unusedDeps, outdatedDeps, score, totalDeps);
+      displayResults(alerts, unusedDeps, outdatedDeps, score, totalDeps, securityData, bundleSizes, licenses);
       handleCiMode(score, config, alerts, unusedDeps);
     } else if (outputMode === 'silent') {
       // Silent mode - no output
     } else {
-      displayResults(alerts, unusedDeps, outdatedDeps, score, totalDeps);
+      displayResults(alerts, unusedDeps, outdatedDeps, score, totalDeps, securityData, bundleSizes, licenses);
     }
   } catch (error) {
@@ -182,10 +262,40 @@ async function analyze(options) {
   }
 }
-function displayResults(alerts, unusedDeps, outdatedDeps, score, totalDeps) {
+function displayResults(alerts, unusedDeps, outdatedDeps, score, totalDeps, securityData, bundleSizes, licenses) {
   logDivider();
-  // ECOSYSTEM ALERTS (NEW SECTION)
+  // SECURITY VULNERABILITIES (NEW SECTION)
+  if (securityData.metadata.total > 0) {
+    const criticalCount = securityData.metadata.critical;
+    const highCount = securityData.metadata.high;
+    const moderateCount = securityData.metadata.moderate;
+    const lowCount = securityData.metadata.low;
+    logSection('🔐 SECURITY VULNERABILITIES', securityData.metadata.total);
+    if (criticalCount > 0) {
+      log(chalk.red.bold(`\n  🔴 CRITICAL: ${criticalCount}`));
+    }
+    if (highCount > 0) {
+      log(chalk.red(`  🟠 HIGH: ${highCount}`));
+    }
+    if (moderateCount > 0) {
+      log(chalk.yellow(`  🟡 MODERATE: ${moderateCount}`));
+    }
+    if (lowCount > 0) {
+      log(chalk.gray(`  ⚪ LOW: ${lowCount}`));
+    }
+    log(chalk.cyan('\n  Run') + chalk.bold(' npm audit fix ') + chalk.cyan('to fix vulnerabilities\n'));
+  } else {
+    logSection('✅ SECURITY VULNERABILITIES');
+    log(chalk.green('  No vulnerabilities detected!\n'));
+  }
+  logDivider();
+  // ECOSYSTEM ALERTS
   if (alerts.length > 0) {
     logSection('🚨 ECOSYSTEM ALERTS', alerts.length);
@@ -266,6 +376,46 @@ function displayResults(alerts, unusedDeps, outdatedDeps, score, totalDeps) {
   logDivider();
+  // BUNDLE SIZE (NEW SECTION)
+  const heavyPackages = findHeavyPackages(bundleSizes);
+  if (heavyPackages.length > 0) {
+    logSection('📦 HEAVY PACKAGES', heavyPackages.length);
+    log(chalk.gray('  Packages larger than 1MB:\n'));
+    heavyPackages.slice(0, 10).forEach(pkg => {
+      const nameCol = pkg.name.padEnd(25);
+      const size = pkg.size > 5120
+        ? chalk.red(pkg.sizeFormatted)
+        : chalk.yellow(pkg.sizeFormatted);
+      log(`  ${nameCol} ${size}`);
+    });
+    log('');
+    logDivider();
+  }
+  // LICENSE WARNINGS (NEW SECTION - ALWAYS SHOW)
+  const problematicLicenses = findProblematicLicenses(licenses);
+  if (problematicLicenses.length > 0) {
+    logSection('⚖️  LICENSE WARNINGS', problematicLicenses.length);
+    problematicLicenses.forEach(pkg => {
+      const type = pkg.type === 'restrictive'
+        ? chalk.red('Restrictive')
+        : chalk.yellow('Unknown');
+      log(`  ${chalk.bold(pkg.package)} - ${type} (${pkg.license})`);
+    });
+    log(chalk.gray('\n  Note: Restrictive licenses may require legal review\n'));
+  } else {
+    logSection('✅ LICENSE COMPLIANCE');
+    log(chalk.green('  All licenses are permissive!\n'));
+  }
+  logDivider();
   // PROJECT HEALTH
   logSection('📊 PROJECT HEALTH');
@@ -273,6 +423,10 @@ function displayResults(alerts, unusedDeps, outdatedDeps, score, totalDeps) {
   log(`  Overall Score:              ${scoreColor(score.total + '/10')}`);
   log(`  Total Dependencies:         ${chalk.cyan(totalDeps)}`);
+  if (securityData.metadata.total > 0) {
+    log(`  Security Vulnerabilities:   ${chalk.red(securityData.metadata.total)}`);
+  }
   if (alerts.length > 0) {
     log(`  Ecosystem Alerts:           ${chalk.red(alerts.length)}`);
   }
@@ -283,16 +437,23 @@ function displayResults(alerts, unusedDeps, outdatedDeps, score, totalDeps) {
   logDivider();
   // QUICK WINS
-  displayQuickWins(alerts, unusedDeps, outdatedDeps, score, totalDeps);
+  displayQuickWins(alerts, unusedDeps, outdatedDeps, score, totalDeps, securityData);
 }
-function displayQuickWins(alerts, unusedDeps, outdatedDeps, score, totalDeps) {
+function displayQuickWins(alerts, unusedDeps, outdatedDeps, score, totalDeps, securityData) {
   const hasCriticalAlerts = alerts.some(a => a.severity === 'critical' || a.severity === 'high');
+  const hasCriticalSecurity = securityData.metadata.critical > 0 || securityData.metadata.high > 0;
-  if (hasCriticalAlerts || unusedDeps.length > 0) {
+  if (hasCriticalSecurity || hasCriticalAlerts || unusedDeps.length > 0) {
     logSection('💡 QUICK WINS');
-    // Fix critical alerts first
+    // Fix security vulnerabilities first
+    if (hasCriticalSecurity) {
+      log('  🔐 Fix security vulnerabilities:\n');
+      log(chalk.cyan(`  npm audit fix\n`));
+    }
+    // Fix critical alerts
     if (hasCriticalAlerts) {
       const criticalAlerts = alerts.filter(a => a.severity === 'critical' || a.severity === 'high');
@@ -325,13 +486,18 @@ function displayQuickWins(alerts, unusedDeps, outdatedDeps, score, totalDeps) {
       0,
       outdatedDeps.length,
       alerts.length - alerts.filter(a => a.severity === 'critical' || a.severity === 'high').length,
-      alertPenalty
+      alertPenalty,
+      0 // Assume security issues fixed
     );
     log('  Expected impact:');
+    if (hasCriticalSecurity) {
+      log(`  ${chalk.green('✓')} Resolve security vulnerabilities`);
+    }
     if (hasCriticalAlerts) {
-      log(`  ${chalk.green('✓')} Resolve critical security/stability issues`);
+      log(`  ${chalk.green('✓')} Resolve critical stability issues`);
     }
     if (unusedDeps.length > 0) {

package/src/utils/json-formatter.js CHANGED Viewed

@@ -3,16 +3,36 @@
 /**
  * Format analysis results as JSON
  */
-function formatAsJson(alerts, unusedDeps, outdatedDeps, score, totalDeps) {
+function formatAsJson(alerts, unusedDeps, outdatedDeps, score, totalDeps, securityData, bundleSizes, licenses) {
+  const problematicLicenses = licenses.filter(l => l.type === 'restrictive' || l.type === 'unknown');
+  const heavyPackages = bundleSizes.filter(p => p.size > 1024);
   return JSON.stringify({
     version: require('../../package.json').version,
     timestamp: new Date().toISOString(),
     summary: {
       healthScore: score.total,
       totalDependencies: totalDeps,
+      securityVulnerabilities: securityData.metadata.total,
       ecosystemAlerts: alerts.length,
       unusedDependencies: unusedDeps.length,
-      outdatedPackages: outdatedDeps.length
+      outdatedPackages: outdatedDeps.length,
+      heavyPackages: heavyPackages.length,
+      licenseWarnings: problematicLicenses.length
+    },
+    security: {
+      total: securityData.metadata.total,
+      critical: securityData.metadata.critical,
+      high: securityData.metadata.high,
+      moderate: securityData.metadata.moderate,
+      low: securityData.metadata.low,
+      vulnerabilities: securityData.vulnerabilities.map(v => ({
+        package: v.package,
+        severity: v.severity,
+        title: v.title,
+        cve: v.cve,
+        fixAvailable: v.fixAvailable
+      }))
     },
     ecosystemAlerts: alerts.map(alert => ({
       package: alert.package,
@@ -33,10 +53,24 @@ function formatAsJson(alerts, unusedDeps, outdatedDeps, score, totalDeps) {
       latest: dep.latest,
       updateType: dep.versionsBehind
     })),
+    bundleAnalysis: {
+      heavyPackages: heavyPackages.map(pkg => ({
+        name: pkg.name,
+        size: pkg.sizeFormatted
+      }))
+    },
+    licenses: {
+      warnings: problematicLicenses.map(pkg => ({
+        package: pkg.package,
+        license: pkg.license,
+        type: pkg.type
+      }))
+    },
     scoreBreakdown: {
       unusedPenalty: score.breakdown.unusedPenalty,
       outdatedPenalty: score.breakdown.outdatedPenalty,
-      alertsPenalty: score.breakdown.alertsPenalty
+      alertsPenalty: score.breakdown.alertsPenalty,
+      securityPenalty: score.breakdown.securityPenalty
     }
   }, null, 2);
 }