I built a dependency health scanner in a day. Here's what I shipped and what I cut.

A few weeks back I inherited an old Node.js project and spent half a day grepping package.json trying to figure out which libraries were still alive. npm outdated told me which versions had updates. npm audit told me about CVEs. Neither told me what I actually needed to know: which of these packages have been quietly abandoned and what the community moved to.

So this past week I built one. It's called stack-rot, it's written in Python, and it's now on PyPI: pip install stack-rot.

This post is about what I shipped, what I cut, and the one decision that mattered more than the code.

What it does

Point it at a package.json and it tells you which dependencies are:

I built a dependency health scanner in a day. Here's what I shipped and what I cut.

Other newsrooms on this story

Related reading

Why your Anthropic prompt caching probably isn't working (and the npm package I…

Shai-Hulud keeps burrowing: 314 npm packages infected after another account…

Four Malicious npm Packages Deliver Infostealers and Phantom Bot DDoS Malware

Cache-poisoning caper turns TanStack npm packages toxic

AI fixed how fast I can build. It broke how I know what I'm building.

New Shai-Hulud malware wave compromises 600 npm packages