rot-detector 1.0.0

package/README.md

@@ -0,0 +1,154 @@
+# 🧟 Dependency Rot Detector
+
+[![npm version](https://img.shields.io/npm/v/rot-detector.svg)](https://www.npmjs.com/package/rot-detector)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+
+> **Find abandoned dependencies before they become security nightmares.**
+
+A CLI tool that scans your `package.json` (NPM) or `requirements.txt` (Python) to detect **software rot** - dependencies that are abandoned, poorly maintained, or pose supply chain risks.
+
+## 🤔 The Problem
+
+`npm audit` and Snyk tell you about known CVEs. They **DON'T** tell you:
+
+- 📅 A library hasn't been updated in **4 years**
+- 👤 A package has only **1 maintainer** (bus factor risk)
+- ⚖️ A dependency uses a **deprecated license**
+
+This is "Software Rot" - a security bomb waiting to explode. 💣
+
+## 🚀 Quick Start
+
+```bash
+# Install globally
+npm install -g rot-detector
+
+# Scan your project
+rot-detector scan .
+
+# Or use npx (no install)
+npx rot-detector scan ./package.json
+```
+
+## 📊 Example Output
+
+```
+🧟 Dependency Rot Detector
+Scanned: ./package.json
+
+┌────────────────────────┬────────┬────────────────┬─────────────┬───────────────┬────────────┐
+│ Package                │ Score  │ Last Update    │ Maintainers │ License       │ Status     │
+├────────────────────────┼────────┼────────────────┼─────────────┼───────────────┼────────────┤
+│ abandoned-lib          │ 🔴 15  │ 4 years ago    │ 1           │ GPL-2.0       │ Critical   │
+│ old-but-ok             │ 🟡 65  │ 8 months ago   │ 2           │ MIT           │ Warning    │
+│ react                  │ 🟢 95  │ 2 days ago     │ 15          │ MIT           │ Healthy    │
+└────────────────────────┴────────┴────────────────┴─────────────┴───────────────┴────────────┘
+
+Summary: 🟢 1 Healthy | 🟡 1 Warning | 🔴 1 Critical
+```
+
+## 📋 Features
+
+| Feature | Description |
+|---------|-------------|
+| 🔍 **NPM + PyPI Support** | Scans `package.json` and `requirements.txt` |
+| 📈 **Health Scoring** | 0-100 score based on freshness, maintainers, license |
+| 🎨 **Beautiful CLI Output** | Color-coded risk indicators |
+| 📊 **JSON Export** | `--json` flag for CI/CD integration |
+| ⚡ **GitHub Integration** | Optional enhanced repo analysis |
+| 🚨 **Threshold Checks** | Fail builds if score drops below threshold |
+
+## ⚙️ CLI Options
+
+```bash
+rot-detector scan [path] [options]
+
+Options:
+  --json                Output results as JSON
+  --threshold <score>   Fail if any dependency scores below threshold
+  --github-token <tok>  GitHub token for enhanced repo analysis
+  --no-github           Skip GitHub analysis (faster)
+  --dev                 Include devDependencies
+  -v, --verbose         Verbose output
+```
+
+## 🏆 Health Score Breakdown
+
+Each dependency is scored 0-100 based on:
+
+| Factor | Weight | Scoring |
+|--------|--------|---------|
+| **Freshness** | 40% | < 6 months = 100, > 3 years = 5 |
+| **Maintainers** | 30% | 5+ = 100, 1 = 40, 0 = 10 |
+| **License** | 30% | OSI approved = 100, Unknown = 60 |
+
+### Risk Levels
+- 🟢 **Healthy** (80-100): Well maintained, safe to use
+- 🟡 **Warning** (50-79): Review recommended
+- 🔴 **Critical** (0-49): Replace immediately!
+
+## 🔧 CI/CD Integration
+
+### GitHub Actions
+
+```yaml
+name: Dependency Health Check
+on: [push, pull_request]
+
+jobs:
+  rot-check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '18'
+      
+      - name: Check for dependency rot
+        run: npx rot-detector scan --threshold 50
+```
+
+### Pre-commit Hook
+
+```bash
+# .husky/pre-commit
+npx rot-detector scan --threshold 60
+```
+
+## 🛠️ Development
+
+```bash
+# Clone the repo
+git clone https://github.com/notsointresting/rot-detector.git
+cd rot-detector
+
+# Install dependencies
+npm install
+
+# Run in development mode
+npm run dev -- scan ./sample/package.json
+
+# Build for production
+npm run build
+
+# Run tests
+npm test
+```
+
+## 🤝 Contributing
+
+Contributions are welcome! Feel free to:
+
+1. 🐛 Report bugs
+2. 💡 Suggest features
+3. 🔀 Submit pull requests
+
+## 📄 License
+
+MIT © [notsointresting](https://github.com/notsointresting)
+
+---
+
+<p align="center">
+  Made with 🧟 by developers who got burned by abandoned dependencies
+</p>

package/dist/index.cjs

@@ -0,0 +1,831 @@
+#!/usr/bin/env node
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+
+// src/cli/index.ts
+var import_commander = require("commander");
+var import_ora = __toESM(require("ora"), 1);
+var import_chalk2 = __toESM(require("chalk"), 1);
+var path4 = __toESM(require("path"), 1);
+var fs3 = __toESM(require("fs"), 1);
+
+// src/parsers/package-json.ts
+var fs = __toESM(require("fs"), 1);
+var path = __toESM(require("path"), 1);
+function parsePackageJson(filePath) {
+  const absolutePath = path.resolve(filePath);
+  if (!fs.existsSync(absolutePath)) {
+    throw new Error(`File not found: ${absolutePath}`);
+  }
+  const content = fs.readFileSync(absolutePath, "utf-8");
+  let packageJson;
+  try {
+    packageJson = JSON.parse(content);
+  } catch (e) {
+    throw new Error(`Invalid JSON in ${filePath}: ${e.message}`);
+  }
+  const dependencies = [];
+  if (packageJson.dependencies) {
+    for (const [name, version] of Object.entries(packageJson.dependencies)) {
+      dependencies.push({
+        name,
+        version: cleanVersion(version),
+        type: "direct",
+        source: "npm",
+        isDev: false
+      });
+    }
+  }
+  if (packageJson.devDependencies) {
+    for (const [name, version] of Object.entries(packageJson.devDependencies)) {
+      dependencies.push({
+        name,
+        version: cleanVersion(version),
+        type: "direct",
+        source: "npm",
+        isDev: true
+      });
+    }
+  }
+  return dependencies;
+}
+function cleanVersion(version) {
+  return version.replace(/^[\^~>=<]+/, "").trim();
+}
+
+// src/parsers/requirements-txt.ts
+var fs2 = __toESM(require("fs"), 1);
+var path2 = __toESM(require("path"), 1);
+function parseRequirementsTxt(filePath) {
+  const absolutePath = path2.resolve(filePath);
+  if (!fs2.existsSync(absolutePath)) {
+    throw new Error(`File not found: ${absolutePath}`);
+  }
+  const content = fs2.readFileSync(absolutePath, "utf-8");
+  const lines = content.split("\n");
+  const dependencies = [];
+  for (const rawLine of lines) {
+    const line = rawLine.trim();
+    if (!line || line.startsWith("#")) {
+      continue;
+    }
+    if (line.startsWith("-")) {
+      continue;
+    }
+    if (line.includes("://") || line.startsWith("git+")) {
+      continue;
+    }
+    const parsed = parseRequirementLine(line);
+    if (parsed) {
+      dependencies.push({
+        name: parsed.name,
+        version: parsed.version,
+        type: "direct",
+        source: "pypi",
+        isDev: false
+        // requirements.txt doesn't distinguish
+      });
+    }
+  }
+  return dependencies;
+}
+function parseRequirementLine(line) {
+  const commentIndex = line.indexOf("#");
+  if (commentIndex !== -1) {
+    line = line.substring(0, commentIndex).trim();
+  }
+  if (!line) return null;
+  const markerIndex = line.indexOf(";");
+  if (markerIndex !== -1) {
+    line = line.substring(0, markerIndex).trim();
+  }
+  const match = line.match(/^([a-zA-Z0-9_-]+)(?:\[[^\]]+\])?\s*(.*)$/);
+  if (!match) {
+    return null;
+  }
+  const name = match[1];
+  let version = "*";
+  if (match[2]) {
+    const versionMatch = match[2].match(/[=~<>!]+\s*([0-9][0-9a-zA-Z.*-]*)/);
+    if (versionMatch) {
+      version = versionMatch[1];
+    }
+  }
+  return { name, version };
+}
+
+// src/parsers/index.ts
+var path3 = __toESM(require("path"), 1);
+function detectFileType(filePath) {
+  const basename3 = path3.basename(filePath).toLowerCase();
+  if (basename3 === "package.json") {
+    return "npm";
+  }
+  if (basename3 === "requirements.txt" || basename3.endsWith(".txt")) {
+    return "pypi";
+  }
+  return "unknown";
+}
+function parseDependencyFile(filePath) {
+  const fileType = detectFileType(filePath);
+  switch (fileType) {
+    case "npm":
+      return parsePackageJson(filePath);
+    case "pypi":
+      return parseRequirementsTxt(filePath);
+    default:
+      throw new Error(`Unsupported file type: ${path3.basename(filePath)}`);
+  }
+}
+
+// src/clients/npm-client.ts
+var import_axios = __toESM(require("axios"), 1);
+var NPM_REGISTRY_URL = "https://registry.npmjs.org";
+async function fetchNpmMetadata(packageName) {
+  try {
+    const response = await import_axios.default.get(
+      `${NPM_REGISTRY_URL}/${encodeURIComponent(packageName)}`,
+      {
+        timeout: 1e4,
+        headers: {
+          "Accept": "application/json"
+        }
+      }
+    );
+    const data = response.data;
+    const latestVersion = data["dist-tags"]?.latest || "";
+    let lastPublished = null;
+    if (data.time) {
+      const modifiedTime = data.time.modified || data.time[latestVersion];
+      if (modifiedTime) {
+        lastPublished = new Date(modifiedTime);
+      }
+    }
+    const maintainers = (data.maintainers || []).map((m) => ({
+      name: m.name,
+      email: m.email
+    }));
+    let repositoryUrl = null;
+    if (data.repository?.url) {
+      repositoryUrl = cleanGitUrl(data.repository.url);
+    }
+    return {
+      name: packageName,
+      version: latestVersion,
+      lastPublished,
+      maintainers,
+      license: data.license || null,
+      repositoryUrl,
+      homepage: data.homepage || null,
+      description: data.description || null
+    };
+  } catch (error) {
+    if (import_axios.default.isAxiosError(error)) {
+      if (error.response?.status === 404) {
+        throw new Error(`Package not found: ${packageName}`);
+      }
+      throw new Error(`Failed to fetch ${packageName}: ${error.message}`);
+    }
+    throw error;
+  }
+}
+function cleanGitUrl(url) {
+  return url.replace(/^git\+/, "").replace(/^git:\/\//, "https://").replace(/^ssh:\/\/git@/, "https://").replace(/\.git$/, "").replace(/git@github\.com:/, "https://github.com/");
+}
+
+// src/clients/pypi-client.ts
+var import_axios2 = __toESM(require("axios"), 1);
+var PYPI_API_URL = "https://pypi.org/pypi";
+async function fetchPyPIMetadata(packageName) {
+  try {
+    const response = await import_axios2.default.get(
+      `${PYPI_API_URL}/${encodeURIComponent(packageName)}/json`,
+      {
+        timeout: 1e4,
+        headers: {
+          "Accept": "application/json"
+        }
+      }
+    );
+    const data = response.data;
+    const info = data.info;
+    let lastPublished = null;
+    const latestVersion = info.version;
+    if (data.releases && data.releases[latestVersion]) {
+      const releases = data.releases[latestVersion];
+      if (releases.length > 0) {
+        lastPublished = new Date(releases[0].upload_time);
+      }
+    }
+    const maintainers = [];
+    if (info.maintainer) {
+      maintainers.push({
+        name: info.maintainer,
+        email: info.maintainer_email
+      });
+    } else if (info.author) {
+      maintainers.push({
+        name: info.author,
+        email: info.author_email
+      });
+    }
+    let repositoryUrl = null;
+    if (info.project_urls) {
+      repositoryUrl = info.project_urls["Source"] || info.project_urls["Repository"] || info.project_urls["Code"] || info.project_urls["GitHub"] || info.project_urls["Homepage"] || null;
+    }
+    return {
+      name: packageName,
+      version: latestVersion,
+      lastPublished,
+      maintainers,
+      license: info.license || null,
+      repositoryUrl,
+      homepage: info.home_page || null,
+      description: info.summary || null
+    };
+  } catch (error) {
+    if (import_axios2.default.isAxiosError(error)) {
+      if (error.response?.status === 404) {
+        throw new Error(`Package not found: ${packageName}`);
+      }
+      throw new Error(`Failed to fetch ${packageName}: ${error.message}`);
+    }
+    throw error;
+  }
+}
+
+// src/clients/github-client.ts
+var import_axios3 = __toESM(require("axios"), 1);
+var GITHUB_API_URL = "https://api.github.com";
+function parseGitHubUrl(url) {
+  const patterns = [
+    /github\.com[/:]([^/]+)\/([^/.\s]+)/
+  ];
+  for (const pattern of patterns) {
+    const match = url.match(pattern);
+    if (match) {
+      return {
+        owner: match[1],
+        repo: match[2].replace(/\.git$/, "")
+      };
+    }
+  }
+  return null;
+}
+async function fetchGitHubRepoHealth(repositoryUrl, token) {
+  const parsed = parseGitHubUrl(repositoryUrl);
+  if (!parsed) {
+    return null;
+  }
+  const { owner, repo } = parsed;
+  const headers = {
+    "Accept": "application/vnd.github.v3+json",
+    "User-Agent": "rot-detector-cli"
+  };
+  if (token) {
+    headers["Authorization"] = `Bearer ${token}`;
+  }
+  try {
+    const repoResponse = await import_axios3.default.get(
+      `${GITHUB_API_URL}/repos/${owner}/${repo}`,
+      { headers, timeout: 1e4 }
+    );
+    const repoData = repoResponse.data;
+    let lastCommitDate = null;
+    try {
+      const commitsResponse = await import_axios3.default.get(
+        `${GITHUB_API_URL}/repos/${owner}/${repo}/commits`,
+        { headers, timeout: 1e4, params: { per_page: 1 } }
+      );
+      if (commitsResponse.data.length > 0) {
+        lastCommitDate = new Date(commitsResponse.data[0].commit.committer.date);
+      }
+    } catch {
+    }
+    let contributorCount = 0;
+    try {
+      const contributorsResponse = await import_axios3.default.get(
+        `${GITHUB_API_URL}/repos/${owner}/${repo}/contributors`,
+        { headers, timeout: 1e4, params: { per_page: 1, anon: false } }
+      );
+      const linkHeader = contributorsResponse.headers["link"];
+      if (linkHeader) {
+        const match = linkHeader.match(/page=(\d+)>; rel="last"/);
+        if (match) {
+          contributorCount = parseInt(match[1], 10);
+        }
+      } else {
+        contributorCount = contributorsResponse.data.length;
+      }
+    } catch {
+    }
+    return {
+      lastCommitDate,
+      contributorCount,
+      openIssues: repoData.open_issues_count || 0,
+      stars: repoData.stargazers_count || 0,
+      isArchived: repoData.archived || false
+    };
+  } catch (error) {
+    if (import_axios3.default.isAxiosError(error)) {
+      if (error.response?.status === 403) {
+        console.warn("GitHub API rate limit reached. Consider using --github-token");
+        return null;
+      }
+      if (error.response?.status === 404) {
+        return null;
+      }
+    }
+    return null;
+  }
+}
+
+// src/analyzer/health-scorer.ts
+var OSI_APPROVED_LICENSES = /* @__PURE__ */ new Set([
+  "MIT",
+  "Apache-2.0",
+  "BSD-2-Clause",
+  "BSD-3-Clause",
+  "ISC",
+  "MPL-2.0",
+  "GPL-3.0",
+  "GPL-3.0-only",
+  "GPL-3.0-or-later",
+  "LGPL-3.0",
+  "LGPL-3.0-only",
+  "LGPL-3.0-or-later",
+  "AGPL-3.0",
+  "Unlicense",
+  "0BSD",
+  "CC0-1.0",
+  "Zlib",
+  "Artistic-2.0",
+  "EPL-2.0",
+  "EUPL-1.2"
+]);
+var DEPRECATED_LICENSES = /* @__PURE__ */ new Set([
+  "GPL-2.0",
+  "LGPL-2.0",
+  "LGPL-2.1",
+  "BSD-4-Clause",
+  "WTFPL"
+]);
+var WEIGHTS = {
+  freshness: 0.4,
+  maintainers: 0.3,
+  license: 0.3
+};
+function calculateHealthScore(metadata, githubHealth) {
+  const freshness = calculateFreshnessScore(metadata, githubHealth);
+  const maintainerHealth = calculateMaintainerScore(metadata, githubHealth);
+  const licenseHealth = calculateLicenseScore(metadata);
+  const overall = Math.round(
+    freshness.score * WEIGHTS.freshness + maintainerHealth.score * WEIGHTS.maintainers + licenseHealth.score * WEIGHTS.license
+  );
+  return {
+    overall,
+    freshness,
+    maintainerHealth,
+    licenseHealth
+  };
+}
+function calculateFreshnessScore(metadata, githubHealth) {
+  const lastUpdate = githubHealth?.lastCommitDate || metadata.lastPublished;
+  if (!lastUpdate) {
+    return {
+      score: 50,
+      // Unknown, give benefit of doubt
+      lastUpdate: null,
+      daysSinceUpdate: null,
+      status: "unknown"
+    };
+  }
+  const now = /* @__PURE__ */ new Date();
+  const daysSinceUpdate = Math.floor(
+    (now.getTime() - lastUpdate.getTime()) / (1e3 * 60 * 60 * 24)
+  );
+  let score;
+  let status;
+  if (daysSinceUpdate < 180) {
+    score = 100;
+    status = "active";
+  } else if (daysSinceUpdate < 365) {
+    score = 75;
+    status = "active";
+  } else if (daysSinceUpdate < 730) {
+    score = 40;
+    status = "stale";
+  } else if (daysSinceUpdate < 1095) {
+    score = 20;
+    status = "abandoned";
+  } else {
+    score = 5;
+    status = "abandoned";
+  }
+  if (githubHealth?.isArchived) {
+    score = Math.min(score, 10);
+    status = "abandoned";
+  }
+  return {
+    score,
+    lastUpdate,
+    daysSinceUpdate,
+    status
+  };
+}
+function calculateMaintainerScore(metadata, githubHealth) {
+  const count = githubHealth?.contributorCount || metadata.maintainers.length;
+  let score;
+  let status;
+  if (count >= 5) {
+    score = 100;
+    status = "healthy";
+  } else if (count >= 3) {
+    score = 85;
+    status = "healthy";
+  } else if (count === 2) {
+    score = 70;
+    status = "warning";
+  } else if (count === 1) {
+    score = 40;
+    status = "warning";
+  } else {
+    score = 10;
+    status = "critical";
+  }
+  return {
+    score,
+    count,
+    status
+  };
+}
+function calculateLicenseScore(metadata) {
+  const license = metadata.license;
+  if (!license) {
+    return {
+      score: 30,
+      license: null,
+      status: "unknown"
+    };
+  }
+  const normalizedLicense = license.toUpperCase().replace(/\s+/g, "-");
+  for (const deprecated of DEPRECATED_LICENSES) {
+    if (normalizedLicense.includes(deprecated.toUpperCase())) {
+      return {
+        score: 50,
+        license,
+        status: "deprecated"
+      };
+    }
+  }
+  for (const approved of OSI_APPROVED_LICENSES) {
+    if (normalizedLicense.includes(approved.toUpperCase())) {
+      return {
+        score: 100,
+        license,
+        status: "approved"
+      };
+    }
+  }
+  return {
+    score: 60,
+    license,
+    status: "warning"
+  };
+}
+function formatDaysSinceUpdate(days) {
+  if (days === null) return "Unknown";
+  if (days < 1) return "Today";
+  if (days === 1) return "1 day ago";
+  if (days < 30) return `${days} days ago`;
+  if (days < 60) return "1 month ago";
+  if (days < 365) return `${Math.floor(days / 30)} months ago`;
+  if (days < 730) return "1 year ago";
+  return `${Math.floor(days / 365)} years ago`;
+}
+
+// src/cli/reporter.ts
+var import_chalk = __toESM(require("chalk"), 1);
+var import_cli_table3 = __toESM(require("cli-table3"), 1);
+
+// src/types/index.ts
+function getRiskLevel(score) {
+  if (score === null) return "unknown";
+  if (score >= 80) return "healthy";
+  if (score >= 50) return "warning";
+  return "critical";
+}
+
+// src/cli/reporter.ts
+function printReport(result, verbose = false) {
+  console.log("\n");
+  console.log(import_chalk.default.bold.cyan("\u{1F9DF} Dependency Rot Detector"));
+  console.log(import_chalk.default.gray(`Scanned: ${result.file}`));
+  console.log(import_chalk.default.gray(`Source: ${result.source.toUpperCase()}`));
+  console.log(import_chalk.default.gray(`Time: ${result.scannedAt.toISOString()}`));
+  console.log("\n");
+  const table = new import_cli_table3.default({
+    head: [
+      import_chalk.default.white.bold("Package"),
+      import_chalk.default.white.bold("Score"),
+      import_chalk.default.white.bold("Last Update"),
+      import_chalk.default.white.bold("Maintainers"),
+      import_chalk.default.white.bold("License"),
+      import_chalk.default.white.bold("Status")
+    ],
+    colWidths: [30, 8, 16, 13, 15, 12],
+    style: {
+      head: [],
+      border: ["gray"]
+    }
+  });
+  const sorted = [...result.dependencies].sort((a, b) => {
+    const scoreA = a.health?.overall ?? 999;
+    const scoreB = b.health?.overall ?? 999;
+    return scoreA - scoreB;
+  });
+  for (const dep of sorted) {
+    const row = formatDependencyRow(dep, verbose);
+    table.push(row);
+  }
+  console.log(table.toString());
+  console.log("\n");
+  printSummary(result);
+}
+function formatDependencyRow(dep, verbose) {
+  if (dep.error) {
+    return [
+      import_chalk.default.gray(dep.dependency.name),
+      import_chalk.default.gray("\u2014"),
+      import_chalk.default.gray("\u2014"),
+      import_chalk.default.gray("\u2014"),
+      import_chalk.default.gray("\u2014"),
+      import_chalk.default.red("Error")
+    ];
+  }
+  if (!dep.health) {
+    return [
+      import_chalk.default.gray(dep.dependency.name),
+      import_chalk.default.gray("\u2014"),
+      import_chalk.default.gray("\u2014"),
+      import_chalk.default.gray("\u2014"),
+      import_chalk.default.gray("\u2014"),
+      import_chalk.default.yellow("Unknown")
+    ];
+  }
+  const score = dep.health.overall;
+  const risk = getRiskLevel(score);
+  let scoreStr;
+  let statusStr;
+  let statusEmoji;
+  switch (risk) {
+    case "healthy":
+      scoreStr = import_chalk.default.green.bold(score.toString());
+      statusStr = import_chalk.default.green("Healthy");
+      statusEmoji = "\u{1F7E2}";
+      break;
+    case "warning":
+      scoreStr = import_chalk.default.yellow.bold(score.toString());
+      statusStr = import_chalk.default.yellow("Warning");
+      statusEmoji = "\u{1F7E1}";
+      break;
+    case "critical":
+      scoreStr = import_chalk.default.red.bold(score.toString());
+      statusStr = import_chalk.default.red("Critical");
+      statusEmoji = "\u{1F534}";
+      break;
+    default:
+      scoreStr = import_chalk.default.gray(score.toString());
+      statusStr = import_chalk.default.gray("Unknown");
+      statusEmoji = "\u26AA";
+  }
+  const lastUpdate = formatDaysSinceUpdate(dep.health.freshness.daysSinceUpdate);
+  let lastUpdateStr;
+  if (dep.health.freshness.status === "abandoned") {
+    lastUpdateStr = import_chalk.default.red(lastUpdate);
+  } else if (dep.health.freshness.status === "stale") {
+    lastUpdateStr = import_chalk.default.yellow(lastUpdate);
+  } else {
+    lastUpdateStr = import_chalk.default.green(lastUpdate);
+  }
+  const maintainerCount = dep.health.maintainerHealth.count;
+  let maintainerStr;
+  if (maintainerCount >= 3) {
+    maintainerStr = import_chalk.default.green(maintainerCount.toString());
+  } else if (maintainerCount >= 2) {
+    maintainerStr = import_chalk.default.yellow(maintainerCount.toString());
+  } else {
+    maintainerStr = import_chalk.default.red(maintainerCount.toString());
+  }
+  const license = dep.health.licenseHealth.license || "Unknown";
+  let licenseStr;
+  if (dep.health.licenseHealth.status === "approved") {
+    licenseStr = import_chalk.default.green(truncate(license, 13));
+  } else if (dep.health.licenseHealth.status === "deprecated") {
+    licenseStr = import_chalk.default.red(truncate(license, 13));
+  } else {
+    licenseStr = import_chalk.default.yellow(truncate(license, 13));
+  }
+  let pkgName = dep.dependency.name;
+  if (dep.dependency.isDev) {
+    pkgName = import_chalk.default.gray(`${pkgName} (dev)`);
+  }
+  return [
+    truncate(pkgName, 28),
+    `${statusEmoji} ${scoreStr}`,
+    lastUpdateStr,
+    maintainerStr,
+    licenseStr,
+    statusStr
+  ];
+}
+function printSummary(result) {
+  const { summary } = result;
+  console.log(import_chalk.default.bold("Summary"));
+  console.log(import_chalk.default.gray("\u2500".repeat(50)));
+  const total = import_chalk.default.white.bold(summary.total.toString());
+  const healthy = import_chalk.default.green.bold(summary.healthy.toString());
+  const warning = import_chalk.default.yellow.bold(summary.warning.toString());
+  const critical = import_chalk.default.red.bold(summary.critical.toString());
+  const failed = import_chalk.default.gray.bold(summary.failed.toString());
+  console.log(`  Total packages: ${total}`);
+  console.log(`  \u{1F7E2} Healthy (80-100): ${healthy}`);
+  console.log(`  \u{1F7E1} Warning (50-79):  ${warning}`);
+  console.log(`  \u{1F534} Critical (0-49):  ${critical}`);
+  if (summary.failed > 0) {
+    console.log(`  \u26AA Failed to check:  ${failed}`);
+  }
+  console.log("\n");
+  if (summary.critical > 0) {
+    console.log(import_chalk.default.red.bold("\u26A0\uFE0F  Action Required!"));
+    console.log(import_chalk.default.red("Some dependencies are critical and should be reviewed or replaced."));
+  } else if (summary.warning > 0) {
+    console.log(import_chalk.default.yellow("\u{1F4CB} Some dependencies could use attention."));
+  } else {
+    console.log(import_chalk.default.green("\u2705 All dependencies look healthy!"));
+  }
+  console.log("\n");
+}
+function printJsonReport(result) {
+  const jsonResult = {
+    ...result,
+    scannedAt: result.scannedAt.toISOString(),
+    dependencies: result.dependencies.map((dep) => ({
+      ...dep,
+      metadata: dep.metadata ? {
+        ...dep.metadata,
+        lastPublished: dep.metadata.lastPublished?.toISOString() || null
+      } : null,
+      health: dep.health ? {
+        ...dep.health,
+        freshness: {
+          ...dep.health.freshness,
+          lastUpdate: dep.health.freshness.lastUpdate?.toISOString() || null
+        }
+      } : null
+    }))
+  };
+  console.log(JSON.stringify(jsonResult, null, 2));
+}
+function truncate(str, maxLen) {
+  if (str.length <= maxLen) return str;
+  return str.substring(0, maxLen - 1) + "\u2026";
+}
+
+// src/cli/index.ts
+var program = new import_commander.Command();
+program.name("rot-detector").description("\u{1F9DF} Detect dependency rot in your projects").version("1.0.0");
+program.command("scan").description("Scan a dependency file for software rot").argument("[path]", "Path to package.json or requirements.txt", ".").option("--json", "Output results as JSON").option("--threshold <score>", "Fail if any dependency scores below this threshold", "0").option("--github-token <token>", "GitHub token for enhanced repo analysis").option("--no-github", "Skip GitHub repository analysis").option("--dev", "Include dev dependencies in analysis").option("-v, --verbose", "Show verbose output").action(async (inputPath, options) => {
+  try {
+    await runScan(inputPath, options);
+  } catch (error) {
+    console.error(import_chalk2.default.red(`Error: ${error.message}`));
+    process.exit(1);
+  }
+});
+async function runScan(inputPath, options) {
+  let filePath = path4.resolve(inputPath);
+  if (fs3.existsSync(filePath) && fs3.statSync(filePath).isDirectory()) {
+    if (fs3.existsSync(path4.join(filePath, "package.json"))) {
+      filePath = path4.join(filePath, "package.json");
+    } else if (fs3.existsSync(path4.join(filePath, "requirements.txt"))) {
+      filePath = path4.join(filePath, "requirements.txt");
+    } else {
+      throw new Error("No package.json or requirements.txt found in directory");
+    }
+  }
+  if (!fs3.existsSync(filePath)) {
+    throw new Error(`File not found: ${filePath}`);
+  }
+  const fileType = detectFileType(filePath);
+  if (fileType === "unknown") {
+    throw new Error(`Unsupported file type: ${path4.basename(filePath)}`);
+  }
+  const spinner = (0, import_ora.default)("Parsing dependencies...").start();
+  let dependencies;
+  try {
+    dependencies = parseDependencyFile(filePath);
+  } catch (error) {
+    spinner.fail("Failed to parse dependencies");
+    throw error;
+  }
+  if (!options.dev && fileType === "npm") {
+    dependencies = dependencies.filter((d) => !d.isDev);
+  }
+  spinner.succeed(`Found ${dependencies.length} dependencies`);
+  const analyses = [];
+  const analyzeSpinner = (0, import_ora.default)("Analyzing dependencies...").start();
+  for (let i = 0; i < dependencies.length; i++) {
+    const dep = dependencies[i];
+    analyzeSpinner.text = `Analyzing ${dep.name} (${i + 1}/${dependencies.length})...`;
+    try {
+      let metadata;
+      if (dep.source === "npm") {
+        metadata = await fetchNpmMetadata(dep.name);
+      } else if (dep.source === "pypi") {
+        metadata = await fetchPyPIMetadata(dep.name);
+      } else {
+        throw new Error(`Unsupported source: ${dep.source}`);
+      }
+      let githubHealth = null;
+      if (options.github !== false && metadata.repositoryUrl) {
+        githubHealth = await fetchGitHubRepoHealth(
+          metadata.repositoryUrl,
+          options.githubToken
+        );
+      }
+      const health = calculateHealthScore(metadata, githubHealth);
+      analyses.push({
+        dependency: dep,
+        metadata,
+        health
+      });
+    } catch (error) {
+      analyses.push({
+        dependency: dep,
+        metadata: null,
+        health: null,
+        error: error.message
+      });
+    }
+    await sleep(100);
+  }
+  analyzeSpinner.succeed("Analysis complete");
+  const summary = {
+    total: analyses.length,
+    healthy: analyses.filter((a) => getRiskLevel(a.health?.overall ?? null) === "healthy").length,
+    warning: analyses.filter((a) => getRiskLevel(a.health?.overall ?? null) === "warning").length,
+    critical: analyses.filter((a) => getRiskLevel(a.health?.overall ?? null) === "critical").length,
+    failed: analyses.filter((a) => a.error !== void 0).length
+  };
+  const result = {
+    file: filePath,
+    source: fileType,
+    scannedAt: /* @__PURE__ */ new Date(),
+    dependencies: analyses,
+    summary
+  };
+  if (options.json) {
+    printJsonReport(result);
+  } else {
+    printReport(result, options.verbose);
+  }
+  const threshold = parseInt(options.threshold || "0", 10);
+  if (threshold > 0) {
+    const belowThreshold = analyses.filter(
+      (a) => a.health && a.health.overall < threshold
+    );
+    if (belowThreshold.length > 0) {
+      console.error(
+        import_chalk2.default.red(`
+\u274C ${belowThreshold.length} dependencies scored below threshold of ${threshold}`)
+      );
+      process.exit(1);
+    }
+  }
+}
+function sleep(ms) {
+  return new Promise((resolve4) => setTimeout(resolve4, ms));
+}
+program.parse();

package/dist/index.d.cts

@@ -0,0 +1 @@
+#!/usr/bin/env node

package/package.json

@@ -0,0 +1,56 @@
+{
+  "name": "rot-detector",
+  "version": "1.0.0",
+  "description": "🧟 CLI tool to detect dependency rot in your projects - find abandoned, unmaintained dependencies",
+  "main": "dist/index.cjs",
+  "bin": {
+    "rot-detector": "dist/index.cjs"
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/notsointresting/rot-detector"
+  },
+  "homepage": "https://github.com/notsointresting/rot-detector#readme",
+  "bugs": {
+    "url": "https://github.com/notsointresting/rot-detector/issues"
+  },
+  "scripts": {
+    "build": "tsup src/cli/index.ts --format cjs --dts --clean",
+    "dev": "tsx src/cli/index.ts",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "lint": "eslint src --ext .ts"
+  },
+  "keywords": [
+    "dependency",
+    "security",
+    "audit",
+    "npm",
+    "pypi",
+    "supply-chain"
+  ],
+  "author": "",
+  "license": "MIT",
+  "devDependencies": {
+    "@types/node": "^20.10.0",
+    "tsup": "^8.0.1",
+    "tsx": "^4.7.0",
+    "typescript": "^5.3.3",
+    "vitest": "^1.1.0"
+  },
+  "dependencies": {
+    "axios": "^1.6.3",
+    "chalk": "^5.3.0",
+    "commander": "^11.1.0",
+    "cli-table3": "^0.6.3",
+    "ora": "^8.0.1"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "type": "module"
+}