Deadpendency Configuration

Example

See a detailed example of using Deadpendency.

Configuration

Configuration is done by including a .deadpendency/config.yaml file in your GitHub repository source. This file is optional.

Additional Dependency Files

In some cases you have additional, or different dependency files to load than the default ones.

additional-dependency-files:
  - type: pip-requirements-txt
    path: other-dependencies.txt

  - type: pipenv-pipfile
    path: custom/CustomPipfile
File Types

  • JavaScript Npm Package File - npm-package-json
  • Python Pip Requirements File - pip-requirements-txt
  • Python Setup Py File - python-setup-py
  • Python Pipenv Pipfile - pipenv-pipfile
  • Python Pyproject File - pyproject-toml
  • PHP Packagist Compose File - packagist-composer-json
  • Ruby Bundler Gemfile - bundler-gemfile
  • Ruby Gemspec - rubygems-gemspec
  • Haskell Cabal File - haskell-cabal
  • Haskell Hpack File - hpack-package-yaml
  • Rust Crates Cargo File - crates-cargo-toml
  • C# .NET Project File - dotnet-csharp-project
  • Visual Basic .NET Project File - dotnet-visualbasic-project
  • Maven Pom Xml File - maven-pom-xml
  • Build Gradle File - build-gradle
  • Go Module File - go-mod

Additional Dependencies

Useful when there are specific additional dependencies you want to be checked that are missing from your dependency files. Or for some reason Deadpendency is not detecting them.

If you provide a dependency as additional AND that dependency is found in your dependency files, the additional dependency will take precedence. This means you can provide a different repository if required.

additional-deps:
  javascript:
    # additional deps found in the package registry
    - react
    - react-dom

    # direct repository dependencies
    - repo: jquery/jquery
    # name can be included so Deadpendency can load the package details in the registry
    - name: random-on-github
      repo: some-org/super-random

  java:
    # java names are represented by 'groupId/artifactId'
    - org.hibernate/hibernate-core

  # unsupported languages can still have additional repository dependencies
  cool-lang:
    - name: cool-dep
      repo: cool/dep

Language Keywords

  • javascript
  • typescript
  • php
  • python
  • ruby
  • haskell
  • rust
  • csharp
  • visualbasic
  • java
  • kotlin
  • golang

Ignore Dependencies

Useful when you choose to depend on an unhealthy dependency.

ignore-failures:
    # programming language is needed because dependency names can overlap between languages
    javascript:
      - react-dom
      - angular

    java:
      # namespaced dependencies can be ignored in the format of 'namespace/package-name'
      # see the additional dependencies documentation above for more info on language nuances around package names
      - org.hibernate/hibernate-core

When programming languages have the same package registry, ignoring in one language will ignore for all languages. For example, if you ignore react in javascript, it will also ignore react in typescript.

Configure Deadpendency checks

Each language ecosystem is different. What might be considered unhealthy for a JavaScript dependency may be fine in a more niche language.

The default config
rules-config:
  no-recent-package-release:
    warn-at-months: 18
    fail-at-months: 24
  no-recent-commit:
    warn-at-months: 12
    fail-at-months: 18
  few-yearly-commits:
    warn-at-count: 2
    fail-at-count: disabled # does not fail by default

  # these can be 'disabled', 'warn' or 'fail'
  repository-archived: fail
  repository-is-fork: warn
  package-deprecated: fail
  single-recent-author: warn
  repository-not-identified: warn
  repository-not-found: warn
Customize the config

Unless a rules-config is provided, the defaults above are used. Settings can be overridden as per the below example.

rules-config:
  no-recent-package-release:
    warn-at-months: 6
    # fail-at-months: 24  - omitted to use the default
  no-recent-commit:
    warn-at-months: 3
    fail-at-months: disabled # disable the failure threshhold

  few-yearly-commits: disabled # or an entire check can be disabled

  single-recent-author: disabled # disable this check too

  repository-is-fork: fail # this warns by default, but we want it to fail instead

Note: the defaults may be adjusted from time to time.

See rules for detailed information on rules and defaults.