Releases: JosephMaynard/dependency-radar

v0.7.0

18 Mar 18:06
59c744b

v0.7.0 — Graph UX upgrades, CLI ergonomics & release hardening

v0.7.0 focuses on improving day-to-day usability of dependency-radar across the report UI, CLI, and release workflow.

This release makes the graph view feel significantly more interactive, introduces new CLI capabilities for targeted inspection and CI usage, and adds stronger guarantees around release compatibility.


🕸️ Graph interaction & UX improvements

The graph view has been significantly refined:

  • Smooth inertial panning with kinetic scrolling
  • Bounded panning and wider zoom-out limits
  • Stronger render layering so selected nodes stay visually on top
  • Reduced-motion support for accessibility

Label handling improvements:

  • Truncated labels with progressive expansion
  • Animated label reveal on focused paths
  • Improved handling of long package names

Navigation and layout:

  • Workspace selector ordering now promotes Workspace root
  • Improved overlay layout and control positioning
  • More consistent and responsive graph container behaviour

These changes make the graph easier to navigate, more readable, and more stable when working with large dependency trees.


🖥️ Report navigation & list view improvements

  • Dependency scrolling now aligns items just below the sticky filter bar
  • Consistent scroll behaviour between:
    • Graph → List navigation
    • In-list dependency linking
  • Reduced noise in dependency details:
    • Root/provenance fields hidden for direct dependencies where redundant

These changes improve readability and reduce friction when inspecting dependencies.


🧠 New CLI capabilities

dependency-radar explain <package>

  • Prints detailed insights for a single dependency directly in the terminal
  • Includes:
    • versions
    • vulnerabilities
    • license information
    • upgrade blockers
  • Exits non-zero if the package is not found

Useful for quick inspection without opening the full report.


--quiet mode

  • Suppresses scan progress, browser opening, and footer output
  • Still prints:
    • final summary
    • policy failures

Designed for CI and scripting workflows.


🧪 Release validation & Node compatibility

  • Added Docker-based smoke test for Node 14.21.3
  • Validates:
    • packaged artifact
    • installation
    • scan execution
    • report generation
  • Integrated into release workflow

Node 14.21.3 is now the oldest Docker-verified runtime.


📚 Documentation updates

  • Expanded README with:
    • explain command usage
    • --quiet mode examples
    • CI usage guidance
    • Report UI development workflow
    • Docker smoke test process
  • Clarified Node.js compatibility expectations
  • Improved CLI output wording and terminology consistency
  • Expanded privacy documentation around collected environment data

🎨 Visual & styling updates

  • Updated editor/theme palette (lighter green/teal)
  • Refined graph overlays, controls, and animations
  • Minor layout and formatting improvements

🧪 Tests & reliability

  • Added regression coverage for:
    • explain command
    • quiet mode behaviour
    • CLI output flows
  • Added Docker and packaging tests for release validation
  • Updated sample data for long-name and workspace scenarios

This release does not introduce breaking changes but significantly improves usability across the CLI and report UI.

Feedback, especially on the graph interaction and CLI workflows, is very welcome.

v0.6.1

03 Mar 22:20
07ee243

v0.6.1 — pnpm peer fix & graph interaction polish

v0.6.1 is a focused patch release addressing a pnpm peer dependency edge case and refining graph interaction behaviour.


🐛 Bug fixes

  • Prevented peerDependencies ranges from overwriting already-resolved dependencies when building the pnpm dependency graph
  • Ensured resolved nodes are preserved when peer ranges declare the same package

This fixes an issue where certain pnpm peer configurations could alter the resulting dependency tree incorrectly.
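The merge rule behind this fix, shown as an added example rather than dependency-radar's own code: the lockfile shape below is a constructed simplification of pnpm-lock.yaml data, and the two builder functions are hypothetical. The buggy variant lets a peerDependencies range clobber a version the lockfile already resolved; the fixed variant keeps the resolved node and records only peers that nothing resolved.

```javascript
// Constructed sample: an importer whose lockfile resolved react and
// react-dom, plus two packages that declare react as a peer range.
// 'styled-components' is a peer that nothing in the lockfile resolves.
const lockfile = {
  resolved: {
    react: '18.2.0',
    'react-dom': '18.2.0',
  },
  packages: {
    'react-dom@18.2.0': {
      peerDependencies: { react: '^17.0.0 || ^18.0.0' },
    },
    'some-lib@1.0.0': {
      peerDependencies: { react: '>=16', 'styled-components': '^5' },
    },
  },
};

// Buggy variant (hypothetical): peer ranges are assigned straight into the
// graph, so the concrete version '18.2.0' is replaced by a range string and
// the reported tree no longer matches what is installed.
function buildGraphBuggy(lock) {
  const graph = { ...lock.resolved };
  for (const pkg of Object.values(lock.packages)) {
    for (const [name, range] of Object.entries(pkg.peerDependencies || {})) {
      graph[name] = range; // overwrites an already-resolved node
    }
  }
  return graph;
}

// Fixed variant (hypothetical): a resolved node always wins. A peer range
// is only recorded, separately, when the lockfile resolved nothing for it,
// so the report can still surface unmet peers without altering the tree.
function buildGraphFixed(lock) {
  const graph = { ...lock.resolved };
  const unresolvedPeers = {};
  for (const pkg of Object.values(lock.packages)) {
    for (const [name, range] of Object.entries(pkg.peerDependencies || {})) {
      if (Object.prototype.hasOwnProperty.call(graph, name)) continue;
      unresolvedPeers[name] = range;
    }
  }
  return { graph, unresolvedPeers };
}
```

Running `buildGraphBuggy(lockfile).react` yields the range `'>=16'` (the last peer range processed), while `buildGraphFixed(lockfile).graph.react` stays `'18.2.0'`; the regression test mentioned above covers exactly this shape of input.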


🕸️ Graph interaction improvements

  • More consistent hover and clickable states
  • Hover state now clears correctly on end events
  • Pointer cursor for clickable nodes
  • Grab cursor while panning (mouse and touch)

These changes improve interaction clarity and responsiveness in the graph view.


🧪 Tests

  • Added regression test covering pnpm peer ranges that declare the same package as a resolved dependency

No changes to CLI flags, report schema, or policy behaviour were introduced in this release.

v0.6.0

03 Mar 19:08
4dfaae7

v0.6.0 — Interactive Graph, CI Policy Enforcement & Path-Aware Analysis

v0.6.0 is a major feature release introducing an interactive dependency graph, CI policy enforcement, and deeper lockfile-aware analysis.

This release significantly expands dependency-radar from a static report generator into a richer inspection and automation tool.


🕸️ Interactive dependency graph

The HTML report now includes a fully interactive graph view.

Features include:

  • Zoom (wheel + modifiers), pan, and reset controls
  • Touch support (pinch-to-zoom and drag pan)
  • Animated layered layout
  • Workspace-scoped graphs
  • Lazy initialization with canvas fallback
  • Toggle between List and Graph views
  • “Back to List” and responsive redraw on resize/theme changes

Enhanced visuals:

  • Vulnerability rings with multi-level indicators
  • Hover/focus highlighting with ancestor/descendant propagation
  • Advanced routed edges with detours and depth-aware drawing
  • Edge highlight states and occlusion shading
  • Animated node sizing
  • Per-node radial gradients and theme-aware styling
  • Graph legend and D-pad pan/zoom controls
  • Workspace selector

The graph is designed to scale to large dependency trees while remaining readable and interactive.


📂 Installation path awareness

Dependency trees now include resolved installation path information for:

  • Direct dependencies
  • Nested/transitive dependencies

Benefits:

  • Improved visibility into where packages are physically installed
  • Better pnpm workspace inspection
  • Protection against lockfile path traversal attempts (entries whose install path escapes the project root are ignored during parsing)

🔐 Lockfile parsing hardening

  • More robust lockfile parsing utilities
  • Improved handling of varied lockfile formats and selector styles
  • Additional validation around root package manifest policies
  • Expanded tests for lockfile boundary cases

This further strengthens the lockfile-first analysis model introduced in v0.5.0.


🧪 CI policy enforcement (--fail-on)

dependency-radar can now be used in CI pipelines to enforce policy rules.

New CLI options:

  • --fail-on (selectable policy rules)
  • --no-report (run analysis without generating HTML/JSON output)

Behavior:

  • CLI exits non-zero when configured policy violations occur
  • Structured per-run summary output
  • Colorized status lines
  • Textual summaries when reporting is disabled
  • Temporary/output file writes can be skipped when reports are suppressed

This enables dependency-radar to function as an automated compliance gate in CI environments.


🖥️ Improved CLI workflow

  • Structured run summary output
  • Clear exit-code semantics
  • Better handling of report suppression modes
  • Improved output shaping when JSON/HTML artifacts are disabled

🎨 Report UI refinements

  • Workspace switching in graph view
  • Improved node/edge highlighting and interaction states
  • Refined fit/zoom behavior
  • Refreshed responsive layout and theme support
  • Expanded visual polish across overlays and controls

📚 Documentation overhaul

The README has been completely redesigned and expanded:

  • Visual walkthroughs and screenshots
  • “What you get” and “When should you use this?” sections
  • Expanded CLI reference and CI policy examples
  • Package manager support notes
  • JSON schema reference
  • Offline usage, temporary file, and debugging guidance
  • Development and report UI guides
  • Concise Dependency Radar Agent Notes for contributors

🧰 Tooling updates

  • Updated development tooling
  • Project package manager pin switched to npm
  • Removed legacy lockfile/yaml packages
  • Expanded fixture coverage and test orchestration scripts

This release introduces substantial new capabilities but remains backward-compatible at the CLI level.
Report outputs may differ due to enhanced graph rendering and path-aware analysis.

Feedback, edge cases, and CI integration reports are welcome.

v0.5.1

23 Feb 13:43
b643ae7

v0.5.1 — Optional dependency filtering & JSON write fix

v0.5.1 is a small patch release addressing edge cases in npm dependency handling and large report output.


🐛 Bug fixes

  • JSON output now gracefully handles large data structures by falling back to compact formatting when necessary
  • npm dependency trees no longer include uninstalled optional platform-specific packages

This ensures:

  • More reliable report generation on large projects
  • Cleaner, more accurate dependency graphs when optional platform packages are not installed

🧪 Tests

  • Added coverage for npm optional dependency filtering behaviour

No changes to CLI usage or report structure were introduced in this release.

v0.5.0

22 Feb 22:15
1fb744e

v0.5.0 — Lockfile-first dependency analysis

v0.5.0 introduces a major improvement to how dependency-radar analyses projects:
dependency graphs are now derived from lockfiles first, with intelligent fallbacks where necessary.

This significantly improves accuracy, determinism, and workspace support across npm, pnpm, and Yarn projects.


🔐 Lockfile-first scanning

dependency-radar now builds dependency graphs directly from:

  • package-lock.json (npm)
  • pnpm-lock.yaml (pnpm)
  • yarn.lock (Yarn)

Package-manager CLI inspection is used only as a fallback.

Benefits:

  • More accurate dependency trees
  • Deterministic results based on the lockfile
  • Better support for workspaces and nested package boundaries
  • Reduced reliance on external CLI behaviour

This is especially important for pnpm projects, where lockfile structure differs significantly from node_modules layout.


🧱 Improved CLI scan workflow

The scanning pipeline has been reworked:

  • Per-package collectors with workspace-aware merging
  • Cleaner aggregation logic
  • Optional JSON and HTML output
  • Automatic temporary directory cleanup
  • Clear warnings when node_modules is missing

This makes scans more predictable and easier to reason about.


🧠 Enhanced aggregation logic

  • Improved license aggregation and SPDX handling
  • Better vulnerability advisory merging
  • Refined origin and runtime heuristics
  • More reliable local metadata collection

These changes improve the consistency and correctness of the final report.


🛡️ Safer HTML reports

  • Inline CSS and JavaScript sanitisation
  • Hardened report generation

The generated HTML remains fully self-contained while reducing potential injection risks.
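The injection risk in a self-contained report is that package names, descriptions and license text come from third parties and are written into the HTML. The following is an added example of the two escaping steps such a generator needs; it is not dependency-radar's own rendering code, and the `renderReport`, `escapeHtml` and `embedJson` names and the sample package data are constructed.

```javascript
// Escape text placed into HTML element content or attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Serialise data for an inline <script> block. JSON.stringify alone is not
// enough: a string containing "</script>" would end the block early and
// "<!--" can open an HTML comment inside it. Replacing '<' with \u003c keeps
// the output valid JSON and valid JavaScript while neutralising both; the
// U+2028/U+2029 escapes keep older JS parsers from seeing a line break.
function embedJson(data) {
  return JSON.stringify(data)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Constructed sample: one benign package and one whose description carries
// markup, the kind of value a report must treat as untrusted text.
const sampleDeps = [
  { name: 'left-pad', description: 'String left pad', license: 'MIT' },
  {
    name: 'odd-pkg',
    description: '</script><script>alert(1)</script><!-- "quoted" & more',
    license: 'MIT',
  },
];

// Render a minimal self-contained report: escaped text in the list, and the
// raw data embedded once for the report's own scripts to read.
function renderReport(deps) {
  const rows = deps
    .map(
      (d) =>
        `<li><strong>${escapeHtml(d.name)}</strong>` +
        ` <span title="${escapeHtml(d.license)}">${escapeHtml(d.description)}</span></li>`,
    )
    .join('');
  return (
    `<!doctype html><html><body><ul>${rows}</ul>` +
    `<script>window.__REPORT_DATA__=${embedJson(deps)};</script>` +
    `</body></html>`
  );
}
```

A quick property to check on the output: the rendered document contains exactly one literal `</script>`, the one the generator wrote, and `JSON.parse(embedJson(x))` still returns the original data, so the escaping costs nothing in fidelity.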


📦 PNPM guidance and hardening

  • Prefer lockfile-derived graphs over node_modules inspection
  • Improved verification of installed artifacts
  • Expanded documentation for pnpm workflows and edge cases

🧪 Expanded test coverage

  • New lockfile-first parsing tests
  • Coverage for npm, pnpm, Yarn
  • Workspace and boundary case fixtures

📚 Documentation updates

  • Updated README to reflect the lockfile-first workflow
  • Clarified package manager behaviour
  • Added PNPM hardening notes

This release does not introduce breaking CLI changes, but the internal scanning model has been substantially improved.
Report results may differ from previous versions due to more accurate dependency graph derivation.

Feedback and edge-case reports are welcome.

v0.4.0

18 Feb 21:07
63d4a6f

v0.4.0 — PNPM-aware scanning, richer package insights & report upgrades

v0.4.0 focuses on improving accuracy in real-world monorepos, expanding package-level insight, and polishing the generated report experience.

This release strengthens dependency-radar’s reliability across package managers while adding deeper, more actionable metadata to each dependency.


📦 PNPM-aware scanning & improved workspace handling

  • Reports now reflect only actually installed (on-disk) packages when using pnpm
  • Improved workspace detection and resolution logic
  • Local node_modules crawling to collect metadata and license artifacts
  • More robust handling of pnpm store layouts
  • Yarn PnP detection improvements
  • Clearer behaviour when Yarn outdated data is unavailable

These changes significantly improve accuracy for pnpm-based monorepos and mixed package manager environments.


🔎 Richer package insights

Expanded dependency detail collection now includes:

  • fileCount (number of files installed per package)
  • hasBin detection
  • Improved upgrade-blocker detection that now considers install scripts
  • Enhanced metadata extraction via local node_modules inspection

This provides better visibility into package footprint, execution behaviour, and potential operational risk.


🎨 Report UI & linking improvements

  • Added favicon and redesigned header logo
  • Refreshed report layout and visual assets
  • Improved dependency linking:
    • Name-based resolution
    • More reliable scroll-to and reveal behaviour

The report is now visually cleaner and more navigable, particularly in larger projects.


🧪 Testing & reliability upgrades

  • Added extensive new test fixtures (usage, execution, license scenarios)
  • Added fixture install/scan orchestration scripts
  • Introduced Vitest-based test commands
  • Improved internal resolution and crawling reliability

These changes improve long-term stability and confidence when evolving the analysis engine.


📚 Documentation updates

  • Expanded README with:
    • Detailed scan workflow
    • Usage heuristics explanation
    • Package manager behaviour notes
    • PNPM-specific guidance
    • node_modules crawling details
    • Workspace hardening notes
    • Updated examples and output sequencing

This release does not introduce breaking CLI changes but significantly improves analysis accuracy and report quality across workspace and pnpm-heavy projects.

Feedback and edge-case reports are very welcome.

v0.3.1

05 Feb 11:35
4528af3

v0.3.1 — Documentation polish & reliability fixes

v0.3.1 is a small patch release focused on improving first-time usability and hardening edge cases, particularly around workspace and pnpm scanning.


🐛 Bug fixes & reliability improvements

  • Enhanced pnpm support with additional fallback mechanisms for more reliable analysis
  • Improved error handling when scanning projects with no dependencies

📚 Documentation improvements

  • Added a Getting Started section with quick setup instructions
  • Clarified how dependency-radar analyses projects using npm, pnpm, or yarn
  • Expanded script examples and usage documentation
  • Added information about premium and team offerings

These updates are aimed at making the tool easier to understand and adopt, especially for new users.


This release does not change the report format or schema and is fully compatible with v0.3.0 outputs.

Feedback is always welcome.

v0.3.0

04 Feb 21:39
6c3f465

v0.3.0 — Workspace-aware analysis & major data model overhaul

v0.3.0 is a substantial functional release focused on scaling dependency-radar to real-world projects: workspaces, large dependency graphs, multiple package managers, and richer, more reliable analysis.

This release also introduces a major reduction and reorganisation of collected data, making reports faster, smaller, and more useful.


🧱 Workspace support (pnpm, npm, yarn)

dependency-radar now understands workspace-based projects.

  • Added support for pnpm workspaces (with broader workspace groundwork for other managers)
  • Correct resolution of dependencies across workspace package boundaries
  • Improved handling of per-package paths, lockfiles, and audits
  • Accurate dependency classification in multi-package repositories

This enables dependency-radar to analyse modern monorepos correctly for the first time.


📉 Massive reduction in JSON payload size

The collected analysis data has been dramatically reduced and cleaned up.

  • JSON output shrank from ~315 MB to ~2 MB on large projects
  • Removed redundant, low-value, and debugging-only data
  • Reorganised the JSON structure for clarity and long-term stability
  • Schema bumped incrementally (now v1.2)

This makes:

  • HTML reports faster to load
  • JSON output practical for CI and backend ingestion
  • future SaaS analysis feasible

📦 Improved dependency data & usage signals

  • Added dependency descriptions from package.json for better context
  • Added npm / pnpm / yarn outdated data
  • Reintroduced vulnerability advisories with cleaner structure
  • Improved detection and normalisation of sub-dependencies
  • Fixed multiple edge cases in dependency resolution and installation status

Usage, runtime classification, and parent/child relationships are now more accurate and consistent across large graphs.


🛡️ Major upgrade to license detection

License analysis has been significantly expanded and hardened.

  • Full SPDX-based license scanning and validation
  • License inference, confidence scoring, mismatch detection, and exception handling
  • Improved license file discovery across:
    • workspaces
    • pnpm store layouts
    • per-version package installs
  • Structured license model with explicit license risk classification
  • Richer license details and filtering in the report UI

This makes license risk assessment both more accurate and more explainable.


🔍 Multi-package-manager audit support

dependency-radar now supports audits and outdated checks across:

  • npm
  • pnpm
  • yarn

Additional environment metadata is now captured, including:

  • package manager and version
  • workspace type
  • tool versions
  • platform, architecture, and CI detection

This improves reproducibility and cross-environment comparisons.


🎨 Report UI & UX improvements

The HTML report has seen significant usability and accessibility improvements:

  • Root packages now display explicit name+version entries with links into dependency cards
  • Lazy-loaded dependency details with animated loading placeholders
  • Improved expanded dependency sections and layout consistency
  • Copy-to-clipboard support for raw JSON with visual feedback
  • Scrollable raw-data pane with sticky controls
  • Improved keyboard navigation and screen-reader feedback
  • Updated logo and visual polish throughout

The report UI is now easier to scan, faster to interact with, and more robust for large projects.


📚 Documentation & CLI improvements

  • Updated README and CLI help output
  • Documented JSON output and schema changes
  • Improved offline scanning behaviour and documentation
  • Added new CLI flags:
    • --open
    • improved --offline behaviour
  • Removed large generated artifacts from the repo
  • Added test fixtures for npm, pnpm, and yarn workspace scenarios

⚠️ Notes

This release includes significant internal and data-model changes.
Report contents may differ from earlier versions due to improved accuracy, workspace support, and removal of redundant data.

Feedback is very welcome.


v0.2.0

30 Jan 20:13

v0.2.0 — Zero-runtime-dependency release

v0.2.0 is a significant internal and architectural update focused on correctness, security, and maintainability.

The headline change is that dependency-radar now installs with zero runtime dependencies when run via npx.


🚫 Zero runtime dependencies

dependency-radar no longer depends on any third-party runtime packages.

  • All previous analysis dependencies have been removed
  • Running npx dependency-radar installs no additional runtime packages
  • Only Node.js built-ins are used at execution time
  • Development dependencies remain for local development only

This reduces:

  • supply-chain attack surface
  • transitive vulnerability noise
  • installation time and complexity

It also ensures that the report only reflects your project’s dependencies, not the tool’s own implementation details.


🧠 Usage analysis now derived from static import graph

Dependency usage signals are now derived entirely from the project’s static import graph.

  • Removes reliance on external heuristics
  • Improves explainability and consistency
  • Makes limitations explicit and predictable
  • Prevents tool-internal dependencies appearing in reports

Usage states are now intentionally conservative and observational.


🧱 Correct runtime classification for dev dependencies

Fixed an issue where transitive dependencies of devDependencies were incorrectly marked as runtime.

  • Runtime classification now propagates correctly through the dependency graph
  • Dev-only tooling and its sub-dependencies no longer inflate runtime surface area
  • Results better reflect actual production risk
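The propagation rule, shown as an added example and not the project's classifier: runtime status is what is reachable from the manifest's `dependencies` by walking the graph, not "everything that is not listed under `devDependencies`". The naive variant below reproduces the bug described above; the fixed variant walks from production roots, so a package reached only through dev tooling stays dev-only while one shared by both sides is correctly runtime. The manifest, graph shape and function names are constructed assumptions.

```javascript
// Constructed sample: root manifest plus a flattened graph
// (package name -> names it depends on). vitest is dev-only; its transitive
// dependency tinypool must not count as runtime. debug is reached from both
// express (prod) and vitest (dev), so it IS runtime.
const manifest = {
  dependencies: { express: '^4' },
  devDependencies: { vitest: '^1' },
};
const graph = {
  express: ['debug', 'cookie'],
  debug: ['ms'],
  cookie: [],
  ms: [],
  vitest: ['tinypool', 'debug'],
  tinypool: [],
};

// Naive variant (the bug): only direct devDependencies are dev-only, so
// every transitive dependency of dev tooling is reported as runtime.
function classifyNaive(manifest, graph) {
  const dev = new Set(Object.keys(manifest.devDependencies || {}));
  const result = {};
  for (const name of Object.keys(graph)) {
    result[name] = dev.has(name) ? 'dev-only' : 'runtime';
  }
  return result;
}

// Fixed variant: breadth-first walk from the production roots. A visited
// set keeps cycles from looping, and anything never reached is dev-only.
function classifyRuntime(manifest, graph) {
  const runtime = new Set();
  const queue = Object.keys(manifest.dependencies || {});
  while (queue.length > 0) {
    const name = queue.shift();
    if (runtime.has(name)) continue;
    runtime.add(name);
    for (const child of graph[name] || []) queue.push(child);
  }
  const result = {};
  for (const name of Object.keys(graph)) {
    result[name] = runtime.has(name) ? 'runtime' : 'dev-only';
  }
  return result;
}

// Count what each variant would report as runtime surface area.
function runtimeCount(classification) {
  return Object.values(classification).filter((v) => v === 'runtime').length;
}
```

On the sample, the naive variant reports five runtime packages (everything except vitest) and the fixed one reports four (express, debug, cookie, ms); the difference is exactly the dev-only tooling that used to inflate the runtime count.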

🧾 Node.js environment information added to report

Reports now include Node.js environment context:

  • Node version used to run dependency-radar
  • Strictest declared engines.node requirement found in dependencies

This helps explain environment-related differences and improves report reproducibility.


🎨 Report UI improvements + Vite-based workflow

The HTML report UI has been reworked and is now built using a Vite-based development setup.

  • Faster iteration on report design
  • Cleaner structure for future enhancements
  • Improved visual clarity and scan-ability

This change affects development workflow only; the generated report remains a single self-contained HTML file.


📤 JSON output support

dependency-radar can now output analysis data as JSON.

  • Enables CI, scripting, and external tooling
  • Documented in the README
  • Designed to be stable and machine-consumable

📚 Documentation updates

  • Updated CLI help output
  • Expanded README
  • Added documentation for JSON output

⚠️ Notes

This release includes substantial internal changes. While the external CLI usage remains the same, report content may differ from v0.1.x due to improved classification and removal of tool-internal noise.

Feedback is very welcome.


v0.1.1

25 Jan 21:32

v0.1.1 — First public release

This is the first public release of dependency-radar, an early-stage CLI tool for analysing project dependencies and generating a single, local-first HTML report.

✨ What it does

  • Scans a Node.js project’s dependencies
  • Analyses structure, size, usage, and licensing
  • Produces a single self-contained HTML report
  • Designed to be run anywhere via npx, with no setup or accounts required

    npx dependency-radar scan

🎯 Goals of this release

  • Establish the core CLI workflow
  • Validate the npx experience
  • Provide a foundation for richer analysis and visualisation in future releases

⚠️ Status

This is an early proof-of-concept release:

  • APIs and output format may change
  • Expect rough edges and incomplete analysis
  • Feedback, issues, and ideas are very welcome

🛣️ What’s next

Planned improvements include:

  • Expanded dependency risk signals
  • Clearer usage and ownership detection
  • Report UX and visual improvements
  • Additional output formats and CLI options