devcompass 2.2.0 → 2.3.1

package/README.md

@@ -1,3 +1,5 @@
+cd ~/devCampuss
+cat > README.md << 'EOF'
 # 🧭 DevCompass
 
 **Dependency health checker with ecosystem intelligence for JavaScript/TypeScript projects**
@@ -6,22 +8,37 @@
 [![npm downloads](https://img.shields.io/npm/dm/devcompass.svg)](https://www.npmjs.com/package/devcompass)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 
-Analyze your JavaScript projects to find unused dependencies, outdated packages, **detect known security issues**, and **automatically fix them** with a single command. Perfect for **CI/CD pipelines** with JSON output and exit codes.
+Analyze your JavaScript projects to find unused dependencies, outdated packages, **detect security vulnerabilities**, **check bundle sizes**, **verify licenses**, and **automatically fix issues** with a single command. Perfect for **CI/CD pipelines** with JSON output and exit codes.
 
+> **NEW in v2.3.1:** Fixed all security vulnerabilities! Health score: 2.5/10 → 8/10 🔒  
+> **NEW in v2.3:** Security scanning, bundle analysis & license checker! 🔐  
 > **NEW in v2.2:** CI/CD integration with JSON output & smart caching! 🚀  
 > **NEW in v2.1:** Auto-fix command! 🔧 Fix critical issues automatically!  
 > **NEW in v2.0:** Real-time ecosystem alerts for known issues! 🚨
 
+## 🎉 Latest Update: v2.3.1
+
+**We practice what we preach!** After releasing v2.3.0 with security scanning, we ran DevCompass on itself and found 14 vulnerabilities. We fixed them all:
+
+- ✅ **Health score improved:** 2.5/10 → 8/10
+- ✅ **Security vulnerabilities:** 14 → 0
+- ✅ **Bundle size reduced:** 9.1 MB → 6.2 MB (32% smaller)
+- ✅ **Dependencies upgraded:** npm-check-updates v16 → v20
+- ✅ **Removed 315 vulnerable packages**
+
+This is what "eating your own dog food" looks like. DevCompass helps you catch and fix security issues before they reach production.
+
 ## ✨ Features
 
-- 🚀 **CI/CD Integration** (NEW in v2.2!) - JSON output, exit codes, and silent mode
-- ⚡ **Smart Caching** (NEW in v2.2!) - 70% faster on repeated runs
-- 🎛️ **Advanced Filtering** (NEW in v2.2!) - Control alerts by severity level
+- 🔐 **Security Scanning** (v2.3) - npm audit integration with severity breakdown
+- 📦 **Bundle Size Analysis** (v2.3) - Identify heavy packages (> 1MB)
+- ⚖️ **License Checker** (v2.3) - Detect restrictive licenses (GPL, AGPL)
+- 🚀 **CI/CD Integration** (v2.2) - JSON output, exit codes, and silent mode
+- ⚡ **Smart Caching** (v2.2) - 70% faster on repeated runs
+- 🎛️ **Advanced Filtering** (v2.2) - Control alerts by severity level
 - 🔧 **Auto-Fix Command** (v2.1) - Fix issues automatically with one command
 - 🚨 **Ecosystem Intelligence** (v2.0) - Detect known issues before they break production
 - 🔍 **Detect unused dependencies** - Find packages you're not actually using
-- 📦 **Check for outdated packages** - See what needs updating
-- 🔐 **Security alerts** - Critical vulnerabilities and deprecated packages
 - 📊 **Project health score** - Get a 0-10 rating for your dependencies
 - 🎨 **Beautiful terminal UI** - Colored output with severity indicators
 - 🔧 **Framework-aware** - Handles React, Next.js, Angular, NestJS, PostCSS, Tailwind
@@ -63,7 +80,145 @@ devcompass analyze --ci
 devcompass analyze --silent
 ```
 
-## 🚀 NEW in v2.2: CI/CD Integration
+## 🔐 Security & Compliance Features
+
+### Security Vulnerability Scanning
+
+DevCompass integrates with **npm audit** to detect security vulnerabilities automatically!
+
+**Example Output:**
+```
+🔐 SECURITY VULNERABILITIES (12)
+
+  🔴 CRITICAL: 2
+  🟠 HIGH: 4
+  🟡 MODERATE: 5
+  ⚪ LOW: 1
+
+  Run npm audit fix to fix vulnerabilities
+```
+
+**How it works:**
+1. Runs `npm audit` in the background
+2. Parses vulnerability data
+3. Shows severity breakdown
+4. Impacts health score (-2.5 per critical issue)
+5. Suggests fix commands
+
+**Health Score Impact:**
+- Critical: −2.5 points each
+- High: −1.5 points each
+- Moderate: −0.5 points each
+- Low: −0.2 points each
+
+### Bundle Size Analysis
+
+Identify large dependencies that bloat your `node_modules`!
+
+**Example Output:**
+```
+📦 HEAVY PACKAGES (3)
+
+  Packages larger than 1MB:
+
+  webpack                   2.3 MB
+  typescript                8.1 MB
+  @tensorflow/tfjs          12.4 MB
+```
+
+**Perfect for:**
+- Frontend developers optimizing bundle size
+- Identifying unnecessary large dependencies
+- Web performance optimization
+- Docker image size reduction
+
+### License Compliance Checker
+
+Detect restrictive licenses that may require legal review!
+
+**Example Output:**
+```
+⚖️ LICENSE WARNINGS (2)
+
+  sharp - Restrictive (LGPL-3.0)
+  custom-lib - Unknown (UNLICENSED)
+
+  Note: Restrictive licenses may require legal review
+```
+
+**What gets flagged:**
+- **Restrictive licenses:** GPL, AGPL, LGPL (may require source code disclosure)
+- **Unknown licenses:** Packages without license information
+- **Unlicensed packages:** Legal risk for commercial use
+
+**Supported licenses:**
+- ✅ **Safe:** MIT, Apache-2.0, BSD, ISC, CC0
+- ⚠️ **Restrictive:** GPL, AGPL, LGPL
+- ❓ **Unknown:** Missing or custom licenses
+
+### Combined Analysis Example
+
+**Full Output:**
+```
+🔍 DevCompass v2.3.1 - Analyzing your project...
+✔ Scanned 25 dependencies in project
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+✅ SECURITY VULNERABILITIES
+
+  No vulnerabilities detected!
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+🚨 ECOSYSTEM ALERTS (1)
+
+🟠 HIGH
+  axios@1.6.0
+    Issue: Memory leak in request interceptors
+    Fix: 1.6.2
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+📦 HEAVY PACKAGES (2)
+
+  Packages larger than 1MB:
+
+  typescript                8.1 MB
+  webpack                   2.3 MB
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+✅ LICENSE COMPLIANCE
+
+  All licenses are permissive!
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+📊 PROJECT HEALTH
+
+  Overall Score:              8.5/10
+  Total Dependencies:         25
+  Ecosystem Alerts:           1
+  Unused:                     0
+  Outdated:                   2
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+💡 QUICK WINS
+
+  🔴 Fix critical issues:
+
+  npm install axios@1.6.2
+
+  Expected impact:
+  ✓ Resolve critical stability issues
+  ✓ Improve health score → 10/10
+
+💡 TIP: Run 'devcompass fix' to apply these fixes automatically!
+```
+
+## 🚀 CI/CD Integration
 
 ### JSON Output
 Perfect for parsing in CI/CD pipelines:
@@ -74,23 +229,38 @@ devcompass analyze --json
 **Output:**
 ```json
 {
-  "version": "2.2.0",
-  "timestamp": "2026-04-01T15:51:10.395Z",
+  "version": "2.3.1",
+  "timestamp": "2026-04-02T10:30:00.000Z",
   "summary": {
-    "healthScore": 7.5,
-    "totalDependencies": 15,
-    "ecosystemAlerts": 2,
-    "unusedDependencies": 3,
-    "outdatedPackages": 5
+    "healthScore": 8.5,
+    "totalDependencies": 25,
+    "securityVulnerabilities": 0,
+    "ecosystemAlerts": 1,
+    "unusedDependencies": 0,
+    "outdatedPackages": 2,
+    "heavyPackages": 2,
+    "licenseWarnings": 0
+  },
+  "security": {
+    "total": 0,
+    "critical": 0,
+    "high": 0,
+    "moderate": 0,
+    "low": 0,
+    "vulnerabilities": []
+  },
+  "bundleAnalysis": {
+    "heavyPackages": [
+      { "name": "typescript", "size": "8.1 MB" },
+      { "name": "webpack", "size": "2.3 MB" }
+    ]
+  },
+  "licenses": {
+    "warnings": []
   },
   "ecosystemAlerts": [...],
-  "unusedDependencies": [...],
-  "outdatedPackages": [...],
-  "scoreBreakdown": {
-    "unusedPenalty": 0.8,
-    "outdatedPenalty": 1.7,
-    "alertsPenalty": 3.5
-  }
+  "unusedDependencies": [],
+  "outdatedPackages": [...]
 }
 ```
 
@@ -115,8 +285,8 @@ jobs:
     steps:
       - uses: actions/checkout@v3
       - uses: actions/setup-node@v3
-      - run: npm install -g devcompass
-      - run: devcompass analyze --ci
+      - run: npm install
+      - run: npx devcompass analyze --ci
 ```
 
 ### Silent Mode
@@ -126,15 +296,23 @@ devcompass analyze --silent
 echo $?  # Check exit code
 ```
 
-## ⚡ NEW in v2.2: Smart Caching
+## ⚡ Smart Caching
 
-DevCompass now caches results to improve performance:
+DevCompass caches results to improve performance:
 
 - **First run:** Normal speed (fetches all data)
 - **Cached runs:** ~70% faster
 - **Cache duration:** 1 hour
 - **Cache file:** `.devcompass-cache.json` (auto-gitignored)
 
+**What gets cached:**
+- Security vulnerabilities
+- Ecosystem alerts
+- Unused dependencies
+- Outdated packages
+- Bundle sizes
+- License information
+
 **Disable caching:**
 ```json
 // devcompass.config.json
@@ -143,7 +321,7 @@ DevCompass now caches results to improve performance:
 }
 ```
 
-## 🎛️ NEW in v2.2: Advanced Configuration
+## 🎛️ Advanced Configuration
 
 Create `devcompass.config.json` in your project root:
 ```json
@@ -174,32 +352,33 @@ Create `devcompass.config.json` in your project root:
 
 ### Example Configurations
 
-**Only show critical security issues:**
+**Security-focused (strict):**
 ```json
 {
   "minSeverity": "critical",
-  "minScore": 8
+  "minScore": 9
 }
 ```
 
-**Ignore low-priority alerts:**
+**Balanced (recommended):**
 ```json
 {
-  "ignoreSeverity": ["low"]
+  "ignoreSeverity": ["low"],
+  "minScore": 7
 }
 ```
 
-**Strict CI mode:**
+**Relaxed (development):**
 ```json
 {
-  "minScore": 9,
-  "minSeverity": "high"
+  "ignoreSeverity": ["low", "medium"],
+  "minScore": 5
 }
 ```
 
 ## 🔧 Auto-Fix Command
 
-DevCompass can now **automatically fix issues** in your project!
+DevCompass can **automatically fix issues** in your project!
 
 ### What it does:
 - 🔴 **Fixes critical security issues** - Upgrades packages with known vulnerabilities
@@ -220,67 +399,6 @@ devcompass fix -y
 devcompass fix --path /path/to/project
 ```
 
-### Example Output
-```
-🔧 DevCompass Fix - Analyzing and fixing your project...
-
-🔴 CRITICAL ISSUES TO FIX:
-
-🔴 lodash@4.17.19
-   Issue: Prototype pollution vulnerability
-   Fix: Upgrade to 4.17.21
-
-🟠 axios@1.6.0
-   Issue: Memory leak in request interceptors
-   Fix: Upgrade to 1.6.2
-
-━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-
-🧹 UNUSED DEPENDENCIES TO REMOVE:
-
-  ● moment
-  ● express
-
-━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-
-⬆️  SAFE UPDATES (patch/minor):
-
-  react-dom: 18.2.0 → 18.2.1 (patch update)
-
-━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-
-⚠️  MAJOR UPDATES (skipped - may have breaking changes):
-
-  express: 4.18.0 → 5.2.1
-
-  Run these manually after reviewing changelog:
-  npm install express@5.2.1
-
-━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-
-📊 FIX SUMMARY:
-
-  Critical fixes:  2
-  Remove unused:   2
-  Safe updates:    1
-  Skipped major:   1
-
-━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-
-❓ Apply these fixes? (y/N): y
-
-🔧 Applying fixes...
-
-✔ ✅ Removed 2 unused packages
-✔ ✅ Fixed lodash@4.17.21
-✔ ✅ Fixed axios@1.6.2
-✔ ✅ Updated 1 packages
-
-✨ All fixes applied successfully!
-
-💡 Run devcompass analyze to see the new health score.
-```
-
 ### Safety Features
 - ✅ Shows what will be changed before applying
 - ✅ Requires confirmation (unless `--yes` flag used)
@@ -300,73 +418,6 @@ devcompass fix
 devcompass analyze
 ```
 
-## 📊 Analyze Command
-
-### Example Output (v2.2)
-```
-🔍 DevCompass v2.2.0 - Analyzing your project...
-✔ Scanned 15 dependencies in project
-
-━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-
-🚨 ECOSYSTEM ALERTS (2)
-
-🔴 CRITICAL
-  lodash@4.17.19
-    Issue: Prototype pollution vulnerability
-    Affected: <4.17.21
-    Fix: 4.17.21
-    Source: npm advisory 1523
-
-🟠 HIGH
-  axios@1.6.0
-    Issue: Memory leak in request interceptors
-    Affected: >=1.5.0 <1.6.2
-    Fix: 1.6.2
-    Source: GitHub Issue #5456
-
-━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-
-🔴 UNUSED DEPENDENCIES (2)
-  ● moment
-  ● request
-
-━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-
-🟡 OUTDATED PACKAGES (3)
-  react          18.2.0 → ^19.0.0  (major update)
-  express        4.18.0 → ^4.19.0  (patch update)
-
-━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-
-📊 PROJECT HEALTH
-  Overall Score:       5.5/10
-  Total Dependencies:  15
-  Ecosystem Alerts:    2
-  Unused:              2
-  Outdated:            3
-
-━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-
-💡 QUICK WINS
-  🔴 Fix critical issues:
-
-  npm install lodash@4.17.21
-  npm install axios@1.6.2
-
-  🧹 Clean up unused dependencies:
-
-  npm uninstall moment request
-
-  Expected impact:
-  ✓ Resolve critical security/stability issues
-  ✓ Remove 2 unused packages
-  ✓ Reduce node_modules size
-  ✓ Improve health score → 8.5/10
-
-💡 TIP: Run 'devcompass fix' to apply these fixes automatically!
-```
-
 ## 🚨 Ecosystem Intelligence
 
 DevCompass tracks **real-world issues** in popular packages and warns you before they break production!
@@ -420,11 +471,12 @@ DevCompass won't flag these as unused (they're typically used in config files):
 - Shows current vs latest versions
 - Indicates update type (major/minor/patch)
 
-### Health Score (Enhanced in v2.0)
+### Health Score
 Calculated from 0-10 based on:
 - Percentage of unused dependencies (−4 points per 100%)
 - Percentage of outdated packages (−3 points per 100%)
 - Ecosystem alerts by severity (−0.2 to −2.0 per issue)
+- Security vulnerabilities by severity (−0.2 to −2.5 per issue)
 - Higher score = healthier project
 
 ## ⚙️ Commands & Options
@@ -511,6 +563,21 @@ if [ $? -ne 0 ]; then
 fi
 ```
 
+### Security-Focused Workflow
+```bash
+# 1. Run security scan
+devcompass analyze
+
+# 2. Check for critical vulnerabilities
+devcompass analyze --json | jq '.security.critical'
+
+# 3. Auto-fix if possible
+npm audit fix
+
+# 4. Verify fixes
+devcompass analyze
+```
+
 ## ⚠️ Known Issues & Best Practices
 
 ### Installation
@@ -543,12 +610,14 @@ If you encounter a false positive, please [report it](https://github.com/AjayBTh
 
 1. **Run regularly** - Add to your CI/CD pipeline or git hooks
 2. **Use fix command** - Let DevCompass handle routine maintenance
-3. **Configure severity levels** - Filter out noise with `minSeverity`
-4. **Enable CI mode** - Catch issues before they reach production
-5. **Use JSON output** - Integrate with your monitoring tools
-6. **Fix critical alerts first** - Prioritize security and stability
-7. **Review major updates** - Always check changelogs before major version bumps
-8. **Verify before uninstalling** - DevCompass helps identify candidates, but always verify
+3. **Check security first** - Prioritize fixing critical vulnerabilities
+4. **Monitor bundle size** - Keep an eye on heavy packages
+5. **Review licenses** - Ensure compliance with your legal requirements
+6. **Configure severity levels** - Filter out noise with `minSeverity`
+7. **Enable CI mode** - Catch issues before they reach production
+8. **Use JSON output** - Integrate with your monitoring tools
+9. **Review major updates** - Always check changelogs before major version bumps
+10. **Verify before uninstalling** - DevCompass helps identify candidates, but always verify
 
 ## 🤝 Contributing
 
@@ -632,18 +701,22 @@ Check out DevCompass stats:
 
 ## 🌟 What's Next?
 
-### Roadmap (v2.3+)
+### Roadmap
 - [x] ~~Automatic fix command~~ ✅ **Added in v2.1!**
 - [x] ~~CI/CD integration with JSON output~~ ✅ **Added in v2.2!**
 - [x] ~~Smart caching system~~ ✅ **Added in v2.2!**
 - [x] ~~Custom ignore rules via config file~~ ✅ **Added in v2.2!**
-- [ ] Integration with `npm audit` for automated security scanning
-- [ ] GitHub Issues API for real-time issue tracking
-- [ ] Web dashboard for team health monitoring
-- [ ] More tracked packages (React, Next.js, Vue, Angular)
-- [ ] Bundle size analysis
-- [ ] Automated security patch suggestions
-- [ ] Team collaboration features
+- [x] ~~npm audit integration~~ ✅ **Added in v2.3!**
+- [x] ~~Bundle size analysis~~ ✅ **Added in v2.3!**
+- [x] ~~License compliance checker~~ ✅ **Added in v2.3!**
+- [x] ~~Fix all security vulnerabilities~~ ✅ **Fixed in v2.3.1!**
+- [ ] GitHub Issues API for real-time issue tracking (v2.4.0)
+- [ ] Automated security patch suggestions (v2.4.0)
+- [ ] Dependency graph visualization (v2.5.0)
+- [ ] Web dashboard for team health monitoring (v2.5.0)
+- [ ] More tracked packages (React, Next.js, Vue, Angular) (v2.5.0)
+- [ ] Team collaboration features (v2.6.0)
+- [ ] Slack/Discord notifications (v2.6.0)
 
 Want to contribute? Pick an item and open an issue! 🚀
 
@@ -653,4 +726,5 @@ Want to contribute? Pick an item and open an issue! 🚀
 
 *DevCompass - Keep your dependencies healthy!* 🧭
 
-**Like Lighthouse for your dependencies** ⚡
+**Like Lighthouse for your dependencies** ⚡
+EOF

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "devcompass",
-  "version": "2.2.0",
+  "version": "2.3.1",
   "description": "Dependency health checker with ecosystem intelligence for JavaScript/TypeScript projects",
   "main": "src/index.js",
   "bin": {
@@ -33,7 +33,10 @@
     "ci-cd",
     "automation",
     "caching",
-    "json-output"
+    "json-output",
+    "npm-audit",
+    "bundle-size",
+    "license-checker"
   ],
   "author": "Ajay Thorat <ajaythorat988@gmail.com>",
   "license": "MIT",
@@ -41,7 +44,7 @@
     "chalk": "^4.1.2",
     "commander": "^11.1.0",
     "depcheck": "^1.4.7",
-    "npm-check-updates": "^16.14.12",
+    "npm-check-updates": "^20.0.0",
     "ora": "^5.4.1",
     "semver": "^7.6.0"
   },
@@ -56,4 +59,4 @@
     "url": "https://github.com/AjayBThorat-20/devcompass/issues"
   },
   "homepage": "https://github.com/AjayBThorat-20/devcompass#readme"
-}
+}

package/src/alerts/predictive.js

@@ -0,0 +1,54 @@
+// src/alerts/predictive.js
+
+/**
+ * Analyze package health trends
+ * NOTE: This is a simplified version without GitHub API
+ * For production, integrate with GitHub Issues API
+ */
+async function analyzeTrends(packageName) {
+  // Placeholder for future GitHub API integration
+  // For now, return basic analysis
+  
+  return {
+    package: packageName,
+    recentIssues: 0,
+    trend: 'stable',
+    recommendation: null
+  };
+}
+
+/**
+ * Calculate risk score based on trends
+ */
+function calculateRiskScore(trends) {
+  let risk = 0;
+  
+  // High issue activity = higher risk
+  if (trends.recentIssues > 20) {
+    risk += 3;
+  } else if (trends.recentIssues > 10) {
+    risk += 2;
+  } else if (trends.recentIssues > 5) {
+    risk += 1;
+  }
+  
+  return risk;
+}
+
+/**
+ * Generate predictive warnings
+ */
+function generatePredictiveWarnings(packages) {
+  const warnings = [];
+  
+  // This is a placeholder
+  // In production, this would analyze GitHub activity
+  
+  return warnings;
+}
+
+module.exports = {
+  analyzeTrends,
+  calculateRiskScore,
+  generatePredictiveWarnings
+};

package/src/analyzers/bundle-size.js

@@ -0,0 +1,85 @@
+// src/analyzers/bundle-size.js
+const path = require('path');
+const fs = require('fs');
+
+/**
+ * Get package sizes from node_modules
+ */
+async function analyzeBundleSizes(projectPath, dependencies) {
+  const sizes = [];
+  
+  for (const packageName of Object.keys(dependencies)) {
+    try {
+      const packagePath = path.join(projectPath, 'node_modules', packageName);
+      
+      if (!fs.existsSync(packagePath)) {
+        continue;
+      }
+      
+      const size = await getDirectorySize(packagePath);
+      const sizeInKB = Math.round(size / 1024);
+      
+      sizes.push({
+        name: packageName,
+        size: sizeInKB,
+        sizeFormatted: formatSize(sizeInKB)
+      });
+      
+    } catch (error) {
+      // Skip packages we can't measure
+      continue;
+    }
+  }
+  
+  // Sort by size (largest first)
+  sizes.sort((a, b) => b.size - a.size);
+  
+  return sizes;
+}
+
+/**
+ * Get total size of directory recursively
+ */
+function getDirectorySize(dirPath) {
+  let totalSize = 0;
+  
+  const items = fs.readdirSync(dirPath);
+  
+  for (const item of items) {
+    const itemPath = path.join(dirPath, item);
+    const stats = fs.statSync(itemPath);
+    
+    if (stats.isFile()) {
+      totalSize += stats.size;
+    } else if (stats.isDirectory()) {
+      totalSize += getDirectorySize(itemPath);
+    }
+  }
+  
+  return totalSize;
+}
+
+/**
+ * Format size in human-readable format
+ */
+function formatSize(kb) {
+  if (kb < 1024) {
+    return `${kb} KB`;
+  } else {
+    const mb = (kb / 1024).toFixed(1);
+    return `${mb} MB`;
+  }
+}
+
+/**
+ * Identify heavy packages (> 1MB)
+ */
+function findHeavyPackages(sizes) {
+  return sizes.filter(pkg => pkg.size > 1024); // > 1MB
+}
+
+module.exports = { 
+  analyzeBundleSizes,
+  findHeavyPackages,
+  formatSize
+};

package/src/analyzers/licenses.js

@@ -0,0 +1,107 @@
+// src/analyzers/licenses.js
+const path = require('path');
+const fs = require('fs');
+
+// Restrictive licenses that might cause issues
+const RESTRICTIVE_LICENSES = [
+  'GPL',
+  'GPL-2.0',
+  'GPL-3.0',
+  'AGPL',
+  'AGPL-3.0',
+  'LGPL',
+  'LGPL-2.1',
+  'LGPL-3.0'
+];
+
+// Permissive licenses (usually safe)
+const PERMISSIVE_LICENSES = [
+  'MIT',
+  'Apache-2.0',
+  'BSD-2-Clause',
+  'BSD-3-Clause',
+  'ISC',
+  'CC0-1.0',
+  'Unlicense'
+];
+
+/**
+ * Check licenses of all dependencies
+ */
+async function checkLicenses(projectPath, dependencies) {
+  const licenses = [];
+  
+  for (const [packageName, version] of Object.entries(dependencies)) {
+    try {
+      const packageJsonPath = path.join(
+        projectPath,
+        'node_modules',
+        packageName,
+        'package.json'
+      );
+      
+      if (!fs.existsSync(packageJsonPath)) {
+        continue;
+      }
+      
+      const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8'));
+      const license = packageJson.license || 'UNKNOWN';
+      
+      licenses.push({
+        package: packageName,
+        license: license,
+        type: getLicenseType(license)
+      });
+      
+    } catch (error) {
+      // Skip packages we can't read
+      continue;
+    }
+  }
+  
+  return licenses;
+}
+
+/**
+ * Determine license type
+ */
+function getLicenseType(license) {
+  const licenseStr = String(license).toUpperCase();
+  
+  // Check for restrictive licenses
+  for (const restrictive of RESTRICTIVE_LICENSES) {
+    if (licenseStr.includes(restrictive)) {
+      return 'restrictive';
+    }
+  }
+  
+  // Check for permissive licenses
+  for (const permissive of PERMISSIVE_LICENSES) {
+    if (licenseStr.includes(permissive)) {
+      return 'permissive';
+    }
+  }
+  
+  // Unknown or custom license
+  if (licenseStr === 'UNKNOWN' || licenseStr === 'UNLICENSED') {
+    return 'unknown';
+  }
+  
+  return 'other';
+}
+
+/**
+ * Find problematic licenses
+ */
+function findProblematicLicenses(licenses) {
+  return licenses.filter(pkg => 
+    pkg.type === 'restrictive' || pkg.type === 'unknown'
+  );
+}
+
+module.exports = {
+  checkLicenses,
+  findProblematicLicenses,
+  RESTRICTIVE_LICENSES,
+  PERMISSIVE_LICENSES
+};

package/src/analyzers/scoring.js

@@ -1,5 +1,12 @@
 // src/analyzers/scoring.js
-function calculateScore(totalDeps, unusedCount, outdatedCount, alertsCount = 0, alertPenalty = 0) {
+function calculateScore(
+  totalDeps, 
+  unusedCount, 
+  outdatedCount, 
+  alertsCount = 0, 
+  alertPenalty = 0,
+  securityPenalty = 0  // NEW
+) {
   let score = 10;
   
   if (totalDeps === 0) {
@@ -9,9 +16,11 @@ function calculateScore(totalDeps, unusedCount, outdatedCount, alertsCount = 0,
         unused: 0,
         outdated: 0,
         alerts: 0,
+        security: 0,
         unusedPenalty: 0,
         outdatedPenalty: 0,
-        alertsPenalty: 0
+        alertsPenalty: 0,
+        securityPenalty: 0
       }
     };
   }
@@ -26,9 +35,12 @@ function calculateScore(totalDeps, unusedCount, outdatedCount, alertsCount = 0,
   const outdatedPenalty = outdatedRatio * 3;
   score -= outdatedPenalty;
   
-  // Ecosystem alerts penalty (from formatter.calculateAlertPenalty)
+  // Ecosystem alerts penalty
   score -= alertPenalty;
   
+  // Security vulnerabilities penalty (NEW)
+  score -= securityPenalty;
+  
   // Ensure score is between 0 and 10
   score = Math.max(0, Math.min(10, score));
   
@@ -38,9 +50,11 @@ function calculateScore(totalDeps, unusedCount, outdatedCount, alertsCount = 0,
       unused: unusedCount,
       outdated: outdatedCount,
       alerts: alertsCount,
+      security: securityPenalty > 0 ? 1 : 0, // Binary indicator
       unusedPenalty: parseFloat(unusedPenalty.toFixed(1)),
       outdatedPenalty: parseFloat(outdatedPenalty.toFixed(1)),
-      alertsPenalty: parseFloat(alertPenalty.toFixed(1))
+      alertsPenalty: parseFloat(alertPenalty.toFixed(1)),
+      securityPenalty: parseFloat(securityPenalty.toFixed(1))
     }
   };
 }

package/src/analyzers/security.js

@@ -0,0 +1,111 @@
+// src/analyzers/security.js
+const { execSync } = require('child_process');
+
+/**
+ * Run npm audit and parse results
+ */
+async function checkSecurity(projectPath) {
+  try {
+    // Run npm audit in JSON mode
+    const auditOutput = execSync('npm audit --json', {
+      cwd: projectPath,
+      encoding: 'utf8',
+      stdio: ['pipe', 'pipe', 'pipe']
+    });
+    
+    const auditData = JSON.parse(auditOutput);
+    
+    // Extract vulnerabilities
+    const vulnerabilities = [];
+    
+    if (auditData.vulnerabilities) {
+      Object.entries(auditData.vulnerabilities).forEach(([packageName, vuln]) => {
+        vulnerabilities.push({
+          package: packageName,
+          severity: vuln.severity, // critical, high, moderate, low
+          title: vuln.via[0]?.title || 'Security vulnerability',
+          range: vuln.range,
+          fixAvailable: vuln.fixAvailable,
+          cve: vuln.via[0]?.cve || null,
+          url: vuln.via[0]?.url || null
+        });
+      });
+    }
+    
+    return {
+      vulnerabilities,
+      metadata: {
+        total: auditData.metadata?.vulnerabilities?.total || 0,
+        critical: auditData.metadata?.vulnerabilities?.critical || 0,
+        high: auditData.metadata?.vulnerabilities?.high || 0,
+        moderate: auditData.metadata?.vulnerabilities?.moderate || 0,
+        low: auditData.metadata?.vulnerabilities?.low || 0
+      }
+    };
+    
+  } catch (error) {
+    // npm audit returns non-zero exit code when vulnerabilities found
+    // Try to parse the error output
+    try {
+      const auditData = JSON.parse(error.stdout);
+      
+      const vulnerabilities = [];
+      
+      if (auditData.vulnerabilities) {
+        Object.entries(auditData.vulnerabilities).forEach(([packageName, vuln]) => {
+          vulnerabilities.push({
+            package: packageName,
+            severity: vuln.severity,
+            title: vuln.via[0]?.title || 'Security vulnerability',
+            range: vuln.range,
+            fixAvailable: vuln.fixAvailable,
+            cve: vuln.via[0]?.cve || null,
+            url: vuln.via[0]?.url || null
+          });
+        });
+      }
+      
+      return {
+        vulnerabilities,
+        metadata: {
+          total: auditData.metadata?.vulnerabilities?.total || 0,
+          critical: auditData.metadata?.vulnerabilities?.critical || 0,
+          high: auditData.metadata?.vulnerabilities?.high || 0,
+          moderate: auditData.metadata?.vulnerabilities?.moderate || 0,
+          low: auditData.metadata?.vulnerabilities?.low || 0
+        }
+      };
+    } catch (parseError) {
+      // If we can't parse, return empty
+      return {
+        vulnerabilities: [],
+        metadata: {
+          total: 0,
+          critical: 0,
+          high: 0,
+          moderate: 0,
+          low: 0
+        }
+      };
+    }
+  }
+}
+
+/**
+ * Calculate security penalty for health score
+ */
+function calculateSecurityPenalty(metadata) {
+  let penalty = 0;
+  
+  penalty += metadata.critical * 2.5;  // Critical: -2.5 points each
+  penalty += metadata.high * 1.5;      // High: -1.5 points each
+  penalty += metadata.moderate * 0.5;   // Moderate: -0.5 points each
+  penalty += metadata.low * 0.2;        // Low: -0.2 points each
+  
+  return Math.min(penalty, 5.0); // Cap at 5 points
+}
+
+module.exports = { 
+  checkSecurity,
+  calculateSecurityPenalty
+};

package/src/commands/analyze.js

@@ -8,6 +8,9 @@ const { findUnusedDeps } = require('../analyzers/unused-deps');
 const { findOutdatedDeps } = require('../analyzers/outdated');
 const { calculateScore } = require('../analyzers/scoring');
 const { checkEcosystemAlerts } = require('../alerts');
+const { checkSecurity, calculateSecurityPenalty } = require('../analyzers/security');
+const { analyzeBundleSizes, findHeavyPackages } = require('../analyzers/bundle-size');
+const { checkLicenses, findProblematicLicenses } = require('../analyzers/licenses');
 const { 
   formatAlerts, 
   getSeverityDisplay, 
@@ -34,15 +37,25 @@ async function analyze(options) {
   // Handle output modes
   const outputMode = options.json ? 'json' : (options.ci ? 'ci' : (options.silent ? 'silent' : 'normal'));
   
-  if (outputMode !== 'silent') {
+  // Only show header for normal and CI modes
+  if (outputMode !== 'silent' && outputMode !== 'json') {
     console.log('\n');
     log(chalk.cyan.bold(`🔍 DevCompass v${packageJson.version}`) + ' - Analyzing your project...\n');
   }
   
-  const spinner = ora({
-    text: 'Loading project...',
-    color: 'cyan'
-  }).start();
+  // Create spinner (disabled for json/silent modes to prevent EPIPE errors)
+  const spinner = (outputMode === 'json' || outputMode === 'silent')
+    ? { 
+        start: function() { return this; },
+        succeed: function() {},
+        fail: function(msg) { if (msg) console.error(msg); },
+        text: '',
+        set text(val) {}
+      }
+    : ora({
+        text: 'Loading project...',
+        color: 'cyan'
+      }).start();
   
   try {
     const packageJsonPath = path.join(projectPath, 'package.json');
@@ -148,28 +161,95 @@ async function analyze(options) {
       }
     }
     
+    // Check security vulnerabilities (NEW)
+    spinner.text = 'Checking security vulnerabilities...';
+    let securityData = { vulnerabilities: [], metadata: { total: 0, critical: 0, high: 0, moderate: 0, low: 0 } };
+    
+    if (config.cache) {
+      const cached = getCached(projectPath, 'security');
+      if (cached) securityData = cached;
+    }
+    
+    if (securityData.metadata.total === 0) {
+      try {
+        securityData = await checkSecurity(projectPath);
+        if (config.cache) {
+          setCache(projectPath, 'security', securityData);
+        }
+      } catch (error) {
+        if (outputMode !== 'silent') {
+          console.log(chalk.yellow('\n⚠️  Could not check security vulnerabilities'));
+          console.log(chalk.gray(`   Error: ${error.message}\n`));
+        }
+      }
+    }
+    
+    // Analyze bundle sizes (NEW)
+    spinner.text = 'Analyzing bundle sizes...';
+    let bundleSizes = [];
+    
+    if (config.cache) {
+      const cached = getCached(projectPath, 'bundleSizes');
+      if (cached) bundleSizes = cached;
+    }
+    
+    if (bundleSizes.length === 0) {
+      try {
+        bundleSizes = await analyzeBundleSizes(projectPath, dependencies);
+        if (config.cache && bundleSizes.length > 0) {
+          setCache(projectPath, 'bundleSizes', bundleSizes);
+        }
+      } catch (error) {
+        // Bundle size analysis is optional
+      }
+    }
+    
+    // Check licenses (NEW)
+    spinner.text = 'Checking licenses...';
+    let licenses = [];
+    
+    if (config.cache) {
+      const cached = getCached(projectPath, 'licenses');
+      if (cached) licenses = cached;
+    }
+    
+    if (licenses.length === 0) {
+      try {
+        licenses = await checkLicenses(projectPath, dependencies);
+        if (config.cache && licenses.length > 0) {
+          setCache(projectPath, 'licenses', licenses);
+        }
+      } catch (error) {
+        // License checking is optional
+      }
+    }
+    
+    // Calculate score (UPDATED)
     const alertPenalty = calculateAlertPenalty(alerts);
+    const securityPenalty = calculateSecurityPenalty(securityData.metadata);
+    
     const score = calculateScore(
       totalDeps,
       unusedDeps.length,
       outdatedDeps.length,
       alerts.length,
-      alertPenalty
+      alertPenalty,
+      securityPenalty
     );
     
     spinner.succeed(chalk.green(`Scanned ${totalDeps} dependencies in project`));
     
     // Handle different output modes
     if (outputMode === 'json') {
-      const jsonOutput = formatAsJson(alerts, unusedDeps, outdatedDeps, score, totalDeps);
+      const jsonOutput = formatAsJson(alerts, unusedDeps, outdatedDeps, score, totalDeps, securityData, bundleSizes, licenses);
       console.log(jsonOutput);
     } else if (outputMode === 'ci') {
-      displayResults(alerts, unusedDeps, outdatedDeps, score, totalDeps);
+      displayResults(alerts, unusedDeps, outdatedDeps, score, totalDeps, securityData, bundleSizes, licenses);
       handleCiMode(score, config, alerts, unusedDeps);
     } else if (outputMode === 'silent') {
       // Silent mode - no output
     } else {
-      displayResults(alerts, unusedDeps, outdatedDeps, score, totalDeps);
+      displayResults(alerts, unusedDeps, outdatedDeps, score, totalDeps, securityData, bundleSizes, licenses);
     }
     
   } catch (error) {
@@ -182,10 +262,40 @@ async function analyze(options) {
   }
 }
 
-function displayResults(alerts, unusedDeps, outdatedDeps, score, totalDeps) {
+function displayResults(alerts, unusedDeps, outdatedDeps, score, totalDeps, securityData, bundleSizes, licenses) {
   logDivider();
   
-  // ECOSYSTEM ALERTS (NEW SECTION)
+  // SECURITY VULNERABILITIES (NEW SECTION)
+  if (securityData.metadata.total > 0) {
+    const criticalCount = securityData.metadata.critical;
+    const highCount = securityData.metadata.high;
+    const moderateCount = securityData.metadata.moderate;
+    const lowCount = securityData.metadata.low;
+    
+    logSection('🔐 SECURITY VULNERABILITIES', securityData.metadata.total);
+    
+    if (criticalCount > 0) {
+      log(chalk.red.bold(`\n  🔴 CRITICAL: ${criticalCount}`));
+    }
+    if (highCount > 0) {
+      log(chalk.red(`  🟠 HIGH: ${highCount}`));
+    }
+    if (moderateCount > 0) {
+      log(chalk.yellow(`  🟡 MODERATE: ${moderateCount}`));
+    }
+    if (lowCount > 0) {
+      log(chalk.gray(`  ⚪ LOW: ${lowCount}`));
+    }
+    
+    log(chalk.cyan('\n  Run') + chalk.bold(' npm audit fix ') + chalk.cyan('to fix vulnerabilities\n'));
+  } else {
+    logSection('✅ SECURITY VULNERABILITIES');
+    log(chalk.green('  No vulnerabilities detected!\n'));
+  }
+  
+  logDivider();
+  
+  // ECOSYSTEM ALERTS
   if (alerts.length > 0) {
     logSection('🚨 ECOSYSTEM ALERTS', alerts.length);
     
@@ -266,6 +376,46 @@ function displayResults(alerts, unusedDeps, outdatedDeps, score, totalDeps) {
   
   logDivider();
   
+  // BUNDLE SIZE (NEW SECTION)
+  const heavyPackages = findHeavyPackages(bundleSizes);
+  if (heavyPackages.length > 0) {
+    logSection('📦 HEAVY PACKAGES', heavyPackages.length);
+    
+    log(chalk.gray('  Packages larger than 1MB:\n'));
+    
+    heavyPackages.slice(0, 10).forEach(pkg => {
+      const nameCol = pkg.name.padEnd(25);
+      const size = pkg.size > 5120 
+        ? chalk.red(pkg.sizeFormatted)
+        : chalk.yellow(pkg.sizeFormatted);
+      
+      log(`  ${nameCol} ${size}`);
+    });
+    
+    log('');
+    logDivider();
+  }
+  
+  // LICENSE WARNINGS (NEW SECTION - ALWAYS SHOW)
+  const problematicLicenses = findProblematicLicenses(licenses);
+  if (problematicLicenses.length > 0) {
+    logSection('⚖️  LICENSE WARNINGS', problematicLicenses.length);
+    
+    problematicLicenses.forEach(pkg => {
+      const type = pkg.type === 'restrictive' 
+        ? chalk.red('Restrictive') 
+        : chalk.yellow('Unknown');
+      log(`  ${chalk.bold(pkg.package)} - ${type} (${pkg.license})`);
+    });
+    
+    log(chalk.gray('\n  Note: Restrictive licenses may require legal review\n'));
+  } else {
+    logSection('✅ LICENSE COMPLIANCE');
+    log(chalk.green('  All licenses are permissive!\n'));
+  }
+  
+  logDivider();
+  
   // PROJECT HEALTH
   logSection('📊 PROJECT HEALTH');
   
@@ -273,6 +423,10 @@ function displayResults(alerts, unusedDeps, outdatedDeps, score, totalDeps) {
   log(`  Overall Score:              ${scoreColor(score.total + '/10')}`);
   log(`  Total Dependencies:         ${chalk.cyan(totalDeps)}`);
   
+  if (securityData.metadata.total > 0) {
+    log(`  Security Vulnerabilities:   ${chalk.red(securityData.metadata.total)}`);
+  }
+  
   if (alerts.length > 0) {
     log(`  Ecosystem Alerts:           ${chalk.red(alerts.length)}`);
   }
@@ -283,16 +437,23 @@ function displayResults(alerts, unusedDeps, outdatedDeps, score, totalDeps) {
   logDivider();
   
   // QUICK WINS
-  displayQuickWins(alerts, unusedDeps, outdatedDeps, score, totalDeps);
+  displayQuickWins(alerts, unusedDeps, outdatedDeps, score, totalDeps, securityData);
 }
 
-function displayQuickWins(alerts, unusedDeps, outdatedDeps, score, totalDeps) {
+function displayQuickWins(alerts, unusedDeps, outdatedDeps, score, totalDeps, securityData) {
   const hasCriticalAlerts = alerts.some(a => a.severity === 'critical' || a.severity === 'high');
+  const hasCriticalSecurity = securityData.metadata.critical > 0 || securityData.metadata.high > 0;
   
-  if (hasCriticalAlerts || unusedDeps.length > 0) {
+  if (hasCriticalSecurity || hasCriticalAlerts || unusedDeps.length > 0) {
     logSection('💡 QUICK WINS');
     
-    // Fix critical alerts first
+    // Fix security vulnerabilities first
+    if (hasCriticalSecurity) {
+      log('  🔐 Fix security vulnerabilities:\n');
+      log(chalk.cyan(`  npm audit fix\n`));
+    }
+    
+    // Fix critical alerts
     if (hasCriticalAlerts) {
       const criticalAlerts = alerts.filter(a => a.severity === 'critical' || a.severity === 'high');
       
@@ -325,13 +486,18 @@ function displayQuickWins(alerts, unusedDeps, outdatedDeps, score, totalDeps) {
       0,
       outdatedDeps.length,
       alerts.length - alerts.filter(a => a.severity === 'critical' || a.severity === 'high').length,
-      alertPenalty
+      alertPenalty,
+      0 // Assume security issues fixed
     );
     
     log('  Expected impact:');
     
+    if (hasCriticalSecurity) {
+      log(`  ${chalk.green('✓')} Resolve security vulnerabilities`);
+    }
+    
     if (hasCriticalAlerts) {
-      log(`  ${chalk.green('✓')} Resolve critical security/stability issues`);
+      log(`  ${chalk.green('✓')} Resolve critical stability issues`);
     }
     
     if (unusedDeps.length > 0) {

package/src/utils/json-formatter.js

@@ -3,16 +3,36 @@
 /**
  * Format analysis results as JSON
  */
-function formatAsJson(alerts, unusedDeps, outdatedDeps, score, totalDeps) {
+function formatAsJson(alerts, unusedDeps, outdatedDeps, score, totalDeps, securityData, bundleSizes, licenses) {
+  const problematicLicenses = licenses.filter(l => l.type === 'restrictive' || l.type === 'unknown');
+  const heavyPackages = bundleSizes.filter(p => p.size > 1024);
+  
   return JSON.stringify({
     version: require('../../package.json').version,
     timestamp: new Date().toISOString(),
     summary: {
       healthScore: score.total,
       totalDependencies: totalDeps,
+      securityVulnerabilities: securityData.metadata.total,
       ecosystemAlerts: alerts.length,
       unusedDependencies: unusedDeps.length,
-      outdatedPackages: outdatedDeps.length
+      outdatedPackages: outdatedDeps.length,
+      heavyPackages: heavyPackages.length,
+      licenseWarnings: problematicLicenses.length
+    },
+    security: {
+      total: securityData.metadata.total,
+      critical: securityData.metadata.critical,
+      high: securityData.metadata.high,
+      moderate: securityData.metadata.moderate,
+      low: securityData.metadata.low,
+      vulnerabilities: securityData.vulnerabilities.map(v => ({
+        package: v.package,
+        severity: v.severity,
+        title: v.title,
+        cve: v.cve,
+        fixAvailable: v.fixAvailable
+      }))
     },
     ecosystemAlerts: alerts.map(alert => ({
       package: alert.package,
@@ -33,10 +53,24 @@ function formatAsJson(alerts, unusedDeps, outdatedDeps, score, totalDeps) {
       latest: dep.latest,
       updateType: dep.versionsBehind
     })),
+    bundleAnalysis: {
+      heavyPackages: heavyPackages.map(pkg => ({
+        name: pkg.name,
+        size: pkg.sizeFormatted
+      }))
+    },
+    licenses: {
+      warnings: problematicLicenses.map(pkg => ({
+        package: pkg.package,
+        license: pkg.license,
+        type: pkg.type
+      }))
+    },
     scoreBreakdown: {
       unusedPenalty: score.breakdown.unusedPenalty,
       outdatedPenalty: score.breakdown.outdatedPenalty,
-      alertsPenalty: score.breakdown.alertsPenalty
+      alertsPenalty: score.breakdown.alertsPenalty,
+      securityPenalty: score.breakdown.securityPenalty
     }
   }, null, 2);
 }