Production-ready CLI to detect stale npm dependencies, score risk, and provide migration guidance.
Project description
CodeFossil
CodeFossil is a production-ready Python CLI that scans JavaScript projects for stale npm dependencies, assigns risk scores, and optionally adds AI migration guidance for the highest-risk packages.
What it does
- Scans npm
dependenciesand (optionally)devDependencies - Queries registry metadata to estimate dependency freshness
- Assigns a deterministic risk score based on update age
- Supports rich terminal table output plus machine-friendly JSON and Markdown reports
- Supports incremental analysis via local cache (
.codefossil_cache.json) - Optionally enriches top-risk dependencies with AI advice (
openai,anthropic,groq)
Installation
Standard install
pip install .
Editable install for development
python -m venv .venv
source .venv/bin/activate
pip install -e .[dev]
Usage
Basic scan
codefossil scan .
Common flags
--format table|json|markdown--output <file>--min-risk <int>--include-dev--incremental--ai-provider openai|anthropic|groq--api-key <key>--ai-top <int>
Examples
# JSON output
codefossil scan . --format json
# Markdown report with filtering
codefossil scan . --format markdown --output report.md --include-dev --min-risk 50
# Incremental analysis
codefossil scan . --incremental
# AI advice for top 5 risky dependencies
codefossil scan . --ai-provider openai --api-key sk-xxx --ai-top 5 --format markdown
AI feature (optional)
When --ai-provider and --api-key are supplied, CodeFossil asks the provider for migration guidance for the top --ai-top risky dependencies. If provider calls fail, scanning continues and warnings are emitted.
No API keys are persisted to disk.
Output schema
Each dependency result includes:
nameversionlast_update_yearsrisk_scorerisk_label(HIGH,MEDIUM,LOW)ai_advice(optional)
Risk scoring model
>= 5years:90>= 3years:70>= 2years:50>= 1year:30< 1year:10
Development
pip install -e .[dev]
pytest
ruff check .
black --check .
mypy codefossil
A sample manifest is available at examples/package.sample.json for manual testing.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file codefossil-0.1.3.tar.gz.
File metadata
- Download URL: codefossil-0.1.3.tar.gz
- Upload date:
- Size: 13.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.9
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
fcf2fd7a9ed9d4ebff6e08ed8a0fb128551a9b7528aac36ba45946ef9aff8575
|
|
| MD5 |
60add36c37fbab3fa3d90833860a2fd7
|
|
| BLAKE2b-256 |
16319c52b7e582c71d74a29ef1133365eaacb77fdb1ec5c3684e91d29fb317ff
|
File details
Details for the file codefossil-0.1.3-py3-none-any.whl.
File metadata
- Download URL: codefossil-0.1.3-py3-none-any.whl
- Upload date:
- Size: 15.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.9
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
f738818dec240419ab8a3887f1a3eb43fe6cc231061a7c29b132707cf62521d1
|
|
| MD5 |
e653e0d7e06833a296789e0e8eafb4ae
|
|
| BLAKE2b-256 |
24cf8abbc040e4fe224ba59cc58d2c08f29d866dcffe9162f91df40f2446f2b9
|
