Deadpendency Configuration

Example

See a detailed example of using Deadpendency.

Configuration

Configuration is done by including a .github/deadpendency.yaml file in your GitHub repository source. This file is optional.

Additional Dependency Files

In some cases you have additional or different dependency files to load beyond the default ones. The file name may contain the wildcard *; globbing or wildcards in the directory part of the path are not supported at this time.

additional-dependency-files:
  - type: pip-requirements-txt
    path: other-dependencies.txt

  - type: pipenv-pipfile
    path: custom/CustomPipfile

  - type: npm-package-json
    path: frontend/app1/configuration/package-*.json

File Types

  • JavaScript Npm Package File - npm-package-json
  • Python Pip Requirements File - pip-requirements-txt
  • Python Setup Py File - python-setup-py
  • Python Pipenv Pipfile - pipenv-pipfile
  • Python Pyproject File - pyproject-toml
  • PHP Packagist Compose File - packagist-composer-json
  • Ruby Bundler Gemfile - bundler-gemfile
  • Ruby Gemspec - rubygems-gemspec
  • Haskell Cabal File - haskell-cabal
  • Haskell Hpack File - hpack-package-yaml
  • Rust Crates Cargo File - crates-cargo-toml
  • C# .NET Project File - dotnet-csharp-project
  • Visual Basic .NET Project File - dotnet-visualbasic-project
  • Maven Pom Xml File - maven-pom-xml
  • Build Gradle File - build-gradle
  • Go Module File - go-mod
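The entry rules above (a known file type, and a wildcard only in the file name) are easy to get wrong in a hand-written deadpendency.yaml. The following is an added example, not Deadpendency's own code, of a small pre-commit check that validates the additional-dependency-files entries and shows which repository files each path would load. It assumes the YAML has already been parsed into a dict (for instance with PyYAML's yaml.safe_load) and takes the repository file list as a plain Python list; the sample config and file list are constructed for the example.

```python
import posixpath
import re

# The dependency file types listed on this page, keyed by the `type` value.
FILE_TYPES = {
    "npm-package-json", "pip-requirements-txt", "python-setup-py",
    "pipenv-pipfile", "pyproject-toml", "packagist-composer-json",
    "bundler-gemfile", "rubygems-gemspec", "haskell-cabal",
    "hpack-package-yaml", "crates-cargo-toml", "dotnet-csharp-project",
    "dotnet-visualbasic-project", "maven-pom-xml", "build-gradle", "go-mod",
}


def validate_entry(entry):
    """Return the problems found in one additional-dependency-files entry.

    Two rules from the docs are enforced: `type` must be a listed file type,
    and the `*` wildcard may appear only in the file name, never in the
    directory part of `path`.
    """
    problems = []
    if entry.get("type") not in FILE_TYPES:
        problems.append(f"unknown type: {entry.get('type')!r}")
    path = entry.get("path") or ""
    if not path:
        problems.append("path is required")
        return problems
    directory, _ = posixpath.split(path)
    if "*" in directory:
        problems.append(f"wildcards are not supported in the path: {directory!r}")
    return problems


def _name_pattern(name):
    """Compile a file-name pattern in which only `*` is special."""
    return re.compile("^" + ".*".join(re.escape(p) for p in name.split("*")) + "$")


def resolve_paths(entry, repo_files):
    """Expand an entry's path against a list of repository file paths.

    The directory must match exactly; only the file name is wildcard-matched.
    """
    directory, name = posixpath.split(entry["path"])
    pattern = _name_pattern(name)
    return sorted(
        f for f in repo_files
        if posixpath.dirname(f) == directory and pattern.match(posixpath.basename(f))
    )


def check_additional_files(config, repo_files):
    """Validate every entry and report which repository files each one loads.

    Returns ({path: [matched files]}, {path: [problems]}); an entry that
    matches nothing gets an empty list, which is worth flagging in CI.
    """
    matched, problems = {}, {}
    for entry in config.get("additional-dependency-files", []):
        path = entry.get("path", "<missing path>")
        errs = validate_entry(entry)
        if errs:
            problems[path] = errs
            continue
        matched[path] = resolve_paths(entry, repo_files)
    return matched, problems


# Constructed sample: the three entries from this page plus one invalid entry
# (wildcard in the directory), and a made-up repository file list.
SAMPLE_CONFIG = {
    "additional-dependency-files": [
        {"type": "pip-requirements-txt", "path": "other-dependencies.txt"},
        {"type": "pipenv-pipfile", "path": "custom/CustomPipfile"},
        {"type": "npm-package-json", "path": "frontend/app1/configuration/package-*.json"},
        {"type": "npm-package-json", "path": "frontend/*/package.json"},
    ]
}
SAMPLE_FILES = [
    "other-dependencies.txt",
    "custom/CustomPipfile",
    "frontend/app1/configuration/package-app.json",
    "frontend/app1/configuration/package-lock.json",
    "frontend/app1/configuration/package.json",
    "frontend/app2/package.json",
    "package.json",
]

if __name__ == "__main__":
    found, bad = check_additional_files(SAMPLE_CONFIG, SAMPLE_FILES)
    for path, files in found.items():
        print(f"{path}: {files or 'NO MATCH'}")
    for path, errs in bad.items():
        print(f"{path}: " + "; ".join(errs))
```

Note that `package.json` is not matched by `package-*.json`, and `frontend/*/package.json` is rejected outright rather than silently loading nothing; both are the behaviours the text above describes.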

Disable Automatic Dependency File Load

Deadpendency will search for dependency files based on the top 2 languages used in a repository. However, in some cases it may find dependency files which you do not wish to load. They may be non-critical or transitive, so you are not concerned if they have project health issues.

In this case, you can disable the automatic dependency file search and load.

disable-auto-file-load: true

Alternatively, you can disable it just for specific languages.

disable-auto-file-load:
  - javascript

Additional Dependencies

Useful when there are specific additional dependencies you want checked that are missing from your dependency files, or that Deadpendency is for some reason not detecting.

If you provide a dependency as additional AND that dependency is found in your dependency files, the additional dependency will take precedence. This means you can provide a different source repository if required.

additional-deps:
  javascript:
    # additional deps found in the package registry
    - react
    - react-dom

    # direct repository dependencies
    - repo: jquery/jquery
    # name can be included so Deadpendency can load the package details in the registry
    - name: random-on-github
      repo: some-org/super-random

  java:
    # java names are represented by 'groupId/artifactId'
    - org.hibernate/hibernate-core

  # unsupported languages can still have additional repository dependencies
  cool-lang:
    - name: cool-dep
      repo: cool/dep

Language Keywords

  • javascript
  • typescript
  • php
  • python
  • ruby
  • haskell
  • rust
  • csharp
  • visualbasic
  • java
  • kotlin
  • golang

Ignore Dependencies

Useful when you choose to depend on an unhealthy dependency.

ignore-failures:
    # programming language is needed because dependency names can overlap between languages
    javascript:
      - react-dom
      - angular

    java:
      # namespaced dependencies can be ignored in the format of 'namespace/package-name'
      # see the additional dependencies documentation above for more info on
      # language nuances around package names
      - org.hibernate/hibernate-core

When programming languages share the same package registry, ignoring a dependency in one language ignores it for all of those languages. For example, if you ignore react in javascript, it will also be ignored in typescript.
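To make the two rules in the Additional Dependencies and Ignore Dependencies sections concrete (an additional dependency overrides one detected in a dependency file with the same language and name; an ignore applies across languages that share a registry), here is an added example that is not part of Deadpendency's own code. The record shape for detected dependencies, the `SHARED_REGISTRY` map and the sample inputs are assumptions constructed for the example; the only registry sharing encoded is the javascript/typescript one the text states.

```python
# Languages that share a package registry. The docs state that javascript and
# typescript do (both use npm); any language not listed here is treated as
# having its own registry, so no other sharing is assumed.
SHARED_REGISTRY = {"javascript": "npm", "typescript": "npm"}


def registry_of(language):
    return SHARED_REGISTRY.get(language, language)


def _normalize(language, raw):
    """Turn one additional-deps entry (string or mapping) into a record.

    A bare string is a package name to be looked up in the registry; a mapping
    may carry `repo` alone or `name` plus `repo`, exactly as on this page.
    """
    if isinstance(raw, str):
        return {"language": language, "name": raw, "repo": None}
    if not isinstance(raw, dict) or ("repo" not in raw and "name" not in raw):
        raise ValueError(f"{language}: entry needs a name or a repo: {raw!r}")
    return {"language": language, "name": raw.get("name"), "repo": raw.get("repo")}


def _key(dep):
    # Additional entries override detected ones with the same language + name;
    # repo-only entries have no name and are keyed by repository instead.
    return (dep["language"], dep["name"] or f"repo:{dep['repo']}")


def merge_dependencies(detected, config):
    """Combine dependencies found in dependency files with additional-deps.

    `detected` is a list of {"language", "name", "repo"} records (assumed
    shape). Additional dependencies take precedence over detected ones with
    the same language and name, which is how a different source repository
    can be supplied.
    """
    merged = {_key(d): dict(d) for d in detected}
    for language, entries in config.get("additional-deps", {}).items():
        for raw in entries:
            dep = _normalize(language, raw)
            merged[_key(dep)] = dep
    return list(merged.values())


def is_ignored(language, name, config):
    """True when ignore-failures lists `name` under any language sharing this registry."""
    registry = registry_of(language)
    for lang, names in config.get("ignore-failures", {}).items():
        if registry_of(lang) == registry and name in names:
            return True
    return False


def partition(deps, config):
    """Split merged dependencies into those that are checked and those ignored."""
    checked, ignored = [], []
    for dep in deps:
        skip = dep["name"] is not None and is_ignored(dep["language"], dep["name"], config)
        (ignored if skip else checked).append(dep)
    return checked, ignored


# Constructed sample config: the page's additional-deps, with react given an
# explicit repo so the precedence rule is visible, plus the page's ignore list.
SAMPLE_CONFIG = {
    "additional-deps": {
        "javascript": [
            {"name": "react", "repo": "facebook/react"},
            "react-dom",
            {"repo": "jquery/jquery"},
            {"name": "random-on-github", "repo": "some-org/super-random"},
        ],
        "java": ["org.hibernate/hibernate-core"],
        "cool-lang": [{"name": "cool-dep", "repo": "cool/dep"}],
    },
    "ignore-failures": {
        "javascript": ["react-dom", "angular"],
        "java": ["org.hibernate/hibernate-core"],
    },
}
# Constructed "detected from dependency files" records.
SAMPLE_DETECTED = [
    {"language": "javascript", "name": "react", "repo": "someone/react-mirror"},
    {"language": "javascript", "name": "lodash", "repo": None},
    {"language": "typescript", "name": "react-dom", "repo": None},
    {"language": "java", "name": "org.hibernate/hibernate-core", "repo": None},
    {"language": "python", "name": "angular", "repo": None},  # same name, different registry
]

if __name__ == "__main__":
    checked, ignored = partition(merge_dependencies(SAMPLE_DETECTED, SAMPLE_CONFIG), SAMPLE_CONFIG)
    print("checked:", [(d["language"], d["name"] or d["repo"]) for d in checked])
    print("ignored:", [(d["language"], d["name"]) for d in ignored])
```

The python `angular` stays checked even though `angular` is ignored for javascript, and the typescript `react-dom` is ignored by the javascript entry: that is the registry-sharing behaviour described above, and the reason the ignore list is keyed by language in the first place.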

Configure Deadpendency checks

Each language ecosystem is different. What might be considered unhealthy for a JavaScript dependency may be fine in a more niche language.

The default config

rules-config:
  no-recent-package-release:
    warn-at-months: 18
    fail-at-months: 24
  no-recent-commit:
    warn-at-months: 12
    fail-at-months: 18
  few-yearly-commits:
    warn-at-count: 2
    fail-at-count: disabled # does not fail by default

  # these can be 'disabled', 'warn' or 'fail'
  repository-archived: fail
  repository-is-fork: warn
  package-deprecated: fail
  single-recent-author: warn
  repository-not-identified: warn
  repository-not-found: warn

Customize the config

Unless a rules-config is provided, the defaults above are used. Settings can be overridden as in the example below.

rules-config:
  no-recent-package-release:
    warn-at-months: 6
    # fail-at-months: 24  - omitted to use the default
  no-recent-commit:
    warn-at-months: 3
    fail-at-months: disabled # disable the failure threshold

  few-yearly-commits: disabled # or an entire check can be disabled

  single-recent-author: disabled # disable this check too

  repository-is-fork: fail # this warns by default, but we want it to fail instead

Note: the defaults may be adjusted from time to time.

See rules for detailed information on rules and defaults.
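Since the defaults may change and only the keys you set are overridden, it helps to see exactly what a customized rules-config resolves to before relying on it. The following added example (not Deadpendency's own code) overlays a user's rules-config on the defaults listed on this page, rejects unknown rules and invalid values, and then evaluates the merged rules against a constructed set of facts about one dependency. The facts dict, the `evaluate` function and its threshold semantics (a months value at or above a threshold triggers it, a yearly commit count at or below a threshold triggers it) are assumptions for the example, not the tool's documented behaviour.

```python
import copy

# The default rules-config from this page.
DEFAULT_RULES = {
    "no-recent-package-release": {"warn-at-months": 18, "fail-at-months": 24},
    "no-recent-commit": {"warn-at-months": 12, "fail-at-months": 18},
    "few-yearly-commits": {"warn-at-count": 2, "fail-at-count": "disabled"},
    "repository-archived": "fail",
    "repository-is-fork": "warn",
    "package-deprecated": "fail",
    "single-recent-author": "warn",
    "repository-not-identified": "warn",
    "repository-not-found": "warn",
}
LEVELS = ("disabled", "warn", "fail")


def merge_rules(user_rules):
    """Overlay a user's rules-config on the defaults, validating as we go.

    Omitted rules and omitted thresholds keep their defaults; a threshold may
    be an integer or 'disabled'; a whole rule may be set to 'disabled'.
    """
    merged = copy.deepcopy(DEFAULT_RULES)
    for rule, value in (user_rules or {}).items():
        if rule not in merged:
            raise ValueError(f"unknown rule: {rule}")
        current = merged[rule]
        if isinstance(current, dict):
            if value == "disabled":
                merged[rule] = "disabled"
                continue
            if not isinstance(value, dict):
                raise ValueError(f"{rule}: expected thresholds or 'disabled', got {value!r}")
            for key, threshold in value.items():
                if key not in current:
                    raise ValueError(f"{rule}: unknown threshold {key}")
                if not (threshold == "disabled" or isinstance(threshold, int)):
                    raise ValueError(f"{rule}.{key}: expected an integer or 'disabled'")
                current[key] = threshold
        else:
            if value not in LEVELS:
                raise ValueError(f"{rule}: expected one of {LEVELS}, got {value!r}")
            merged[rule] = value
    return merged


def evaluate(rules, facts):
    """Return {rule: 'pass'|'warn'|'fail'} for enabled rules plus 'overall'.

    `facts` is an assumed shape for this example: months_since_release,
    months_since_commit, yearly_commits (None when unknown) and booleans for
    the flag-style rules. A disabled rule or threshold never contributes.
    """
    results = {}

    def threshold(rule, value, warn_key, fail_key, triggers):
        cfg = rules[rule]
        if cfg == "disabled" or value is None:
            return
        level = "pass"
        if cfg[warn_key] != "disabled" and triggers(value, cfg[warn_key]):
            level = "warn"
        if cfg[fail_key] != "disabled" and triggers(value, cfg[fail_key]):
            level = "fail"  # fail wins even if the warn threshold is also crossed
        results[rule] = level

    def flag(rule, present):
        if rules[rule] != "disabled":
            results[rule] = rules[rule] if present else "pass"

    at_least = lambda v, t: v >= t  # staleness grows with months
    at_most = lambda v, t: v <= t   # activity shrinks with commit count
    threshold("no-recent-package-release", facts["months_since_release"], "warn-at-months", "fail-at-months", at_least)
    threshold("no-recent-commit", facts["months_since_commit"], "warn-at-months", "fail-at-months", at_least)
    threshold("few-yearly-commits", facts["yearly_commits"], "warn-at-count", "fail-at-count", at_most)
    flag("repository-archived", facts["archived"])
    flag("repository-is-fork", facts["is_fork"])
    flag("package-deprecated", facts["deprecated"])
    flag("single-recent-author", facts["single_recent_author"])
    flag("repository-not-identified", not facts["repository_identified"])
    flag("repository-not-found", not facts["repository_found"])

    levels = set(results.values())
    results["overall"] = "fail" if "fail" in levels else "warn" if "warn" in levels else "pass"
    return results


# The customized rules-config from this page, as it would parse from YAML.
CUSTOM_RULES = {
    "no-recent-package-release": {"warn-at-months": 6},
    "no-recent-commit": {"warn-at-months": 3, "fail-at-months": "disabled"},
    "few-yearly-commits": "disabled",
    "single-recent-author": "disabled",
    "repository-is-fork": "fail",
}
# Constructed facts for one dependency: stale, quiet, a fork, one author.
SAMPLE_FACTS = {
    "months_since_release": 20, "months_since_commit": 30, "yearly_commits": 0,
    "archived": False, "is_fork": True, "deprecated": False,
    "single_recent_author": True, "repository_identified": True, "repository_found": True,
}

if __name__ == "__main__":
    for label, rules in (("defaults", DEFAULT_RULES), ("custom", merge_rules(CUSTOM_RULES))):
        print(label, evaluate(rules, SAMPLE_FACTS))
```

With the sample facts the dependency fails under both configurations, but for different reasons: the defaults fail it on the 30-month commit gap, while the customized config has disabled that failure threshold and fails it instead on `repository-is-fork`. Printing the merged config in CI is a cheap way to catch that kind of surprise before the check runs against a real pull request.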