Releases: ertugrulakben/dep-oracle

v1.4.0 — Fix Command, Compare CLI, 30+ Migration Mappings

13 Mar 23:36

What's New

dep-oracle fix — Auto-Fix Risky Dependencies

dep-oracle no longer just reports problems; it can now fix them.

dep-oracle fix                    # See what can be improved
dep-oracle fix --apply --yes      # Auto-replace risky packages

Scans your project, identifies packages with low trust scores or zombie status, and suggests (or installs) safer alternatives. Only "easy" drop-in replacements are auto-applied.

dep-oracle compare — Side-by-Side Comparison

dep-oracle compare express fastify
dep-oracle compare moment dayjs

Compare any two packages with full trust score breakdown, metrics, zombie status, and trend direction. Winner announced.

30+ New Migration Mappings

Migration advisor now covers 161 packages with 220+ alternatives (was 131/192):

  • express → hono, fastify, elysia
  • jest → vitest
  • create-react-app → vite, next
  • redux → zustand, jotai
  • joi / yup → zod, valibot
  • styled-components → tailwindcss, vanilla-extract
  • eslint / prettier → biome, oxlint
  • lerna → turborepo, nx
  • cross-env → native node --env-file
  • fs-extra → native node:fs/promises

Install / Update

npm install -g dep-oracle@1.4.0
# or
npx dep-oracle@1.4.0 scan

Full Changelog: v1.3.0...v1.4.0

v1.3.0 — Honesty Audit + Python Ecosystem + Score Accuracy

22 Feb 21:43

What's Changed

Honesty & Documentation

  • Comparison table corrected: Socket.dev typosquat=Yes, Snyk predictive=Partial, Dependabot blast radius=Partial
  • Added disclaimer: dep-oracle complements, not replaces, enterprise tools like Snyk/Socket.dev
  • Statistics sourced: Replaced unsourced "62% of breaches" with cited Sonatype 2024 Report (742% increase)
  • GitHub Action fixed: Uses npx dep-oracle scan instead of nonexistent action repo
  • Blast radius methodology documented with current limitations (JS/TS only)
  • Weight rationale explained with configurability note

Python Ecosystem (Real Support)

  • PyPI registry collector: Fetches metadata from pypi.org + download stats from pypistats.org
  • OSV ecosystem fix: Security queries now use correct ecosystem (PyPI instead of hardcoded npm)
  • Ecosystem routing: Orchestrator routes to correct collector per package manager
  • ~90 popular PyPI packages added to typosquat detection (requests, django, numpy, etc.)
  • --ecosystem CLI flag on check command

Rate Limiting

  • All collectors now rate-limited: githubRateLimiter on 5 GitHub API methods, npmRateLimiter on registry/popularity/license/funding
  • Prevents 403 burst errors on large dependency trees

Score Accuracy

  • Missing-data penalty: Score pulled toward midpoint (50) proportionally to missing weight fraction
  • insufficientData threshold: Lowered from 3 to 2 missing metrics
  • Example: Score 80 with 35% missing data → 69.5 (was 80)
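
How the midpoint penalty and the insufficientData flag described above can be computed, as an added example written for this page rather than dep-oracle's own implementation. The metric names, weights and sample values are constructed; the pull toward 50 and the threshold of 2 missing metrics follow these notes, and the weight-sum check mirrors the v1.2.0 rule that custom weights must sum to 1.0.

```javascript
// Added example, not dep-oracle's own code: a weighted trust score that is pulled
// toward the midpoint when collectors return no data for some metrics.
// Metric names, weights and sample values are constructed for illustration.

const MIDPOINT = 50;
const INSUFFICIENT_DATA_THRESHOLD = 2; // 2+ missing metrics => insufficientData

// Custom weights must sum to 1.0; a tiny tolerance absorbs float rounding.
function validateWeights(weights) {
  const total = Object.values(weights).reduce((sum, w) => sum + w, 0);
  if (Math.abs(total - 1) > 1e-9) {
    throw new Error(`trust score weights must sum to 1.0, got ${total}`);
  }
  return weights;
}

// Pull a score toward the midpoint in proportion to the weight that had no data.
// Release-note example: 80 with 35% of the weight missing -> 80 - (80 - 50) * 0.35 = 69.5
function applyMissingDataPenalty(rawScore, missingFraction) {
  return rawScore - (rawScore - MIDPOINT) * missingFraction;
}

// metrics: { name: 0..100, or null when the collector had no data }
// weights: { name: fraction }, validated to sum to 1.0
function computeTrustScore(metrics, weights) {
  validateWeights(weights);
  let weightedSum = 0;
  let availableWeight = 0;
  const missing = [];
  for (const [name, weight] of Object.entries(weights)) {
    const value = metrics[name];
    if (value === null || value === undefined) {
      missing.push(name);
      continue;
    }
    weightedSum += value * weight;
    availableWeight += weight;
  }
  // The raw score is renormalised over the metrics that are present, so an
  // absent metric counts neither as 0 nor as 100; the penalty then handles
  // the uncertainty that the absence represents.
  const rawScore = availableWeight > 0 ? weightedSum / availableWeight : MIDPOINT;
  const missingFraction = 1 - availableWeight;
  const score = applyMissingDataPenalty(rawScore, missingFraction);
  const round1 = (x) => Math.round(x * 10) / 10;
  return {
    score: round1(score),
    rawScore: round1(rawScore),
    missingFraction: Math.round(missingFraction * 100) / 100,
    missing,
    insufficientData: missing.length >= INSUFFICIENT_DATA_THRESHOLD,
  };
}

// Constructed sample: five metrics, two of which (35% of the weight) have no data.
const SAMPLE_WEIGHTS = { maintenance: 0.2, popularity: 0.2, security: 0.25, license: 0.15, funding: 0.2 };
const SAMPLE_METRICS = { maintenance: 80, popularity: 80, security: 80, license: null, funding: null };

console.log(computeTrustScore(SAMPLE_METRICS, SAMPLE_WEIGHTS));
// -> score 69.5, rawScore 80, missingFraction 0.35, insufficientData true
```

Renormalising over the available weight before applying the penalty is what keeps a package with one missing low-weight metric close to its raw score, while a package missing a third of its evidence lands well toward 50 regardless of how good the remaining metrics look.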

New Features

  • dep-oracle badge CLI command — generates SVG trust score badges
  • Supports single package (-p express) and whole project modes

Stats

  • 23 files changed, 568 insertions, 53 deletions
  • 10 test files, 144 tests passing
  • 3 build bundles: CLI, Lib+MCP, Action

Full changelog: v1.2.1...v1.3.0

v1.2.1

22 Feb 04:13

Fixed

  • CLI mcp subcommand missing: npx dep-oracle mcp now correctly starts the MCP stdio server. Previously the mcp command was not registered in Commander.js, causing MCP clients to fail.

Full changelog: v1.2.0...v1.2.1

v1.2.0 — Security Hardening & Programmatic API

22 Feb 04:05

Security

  • Path traversal protection in MCP tools — dir and output arguments are validated
  • Package name validation — npm naming rules enforced (regex + 214-char limit)
  • HTML reporter XSS — metric values escaped with escapeHtml() (defense-in-depth)
  • GitHub URL validation — owner/repo format checked before API calls
  • Funding collector — GitHub Sponsors username validated before URL construction

New Features

  • Programmatic API: import { scan, checkPackage } from 'dep-oracle' now works as documented
  • 3 new MCP tools: dep_oracle_typosquat_check, dep_oracle_compare, dep_oracle_report (8 tools total)
  • GitHub Action — now builds correctly as a self-contained bundle via tsup
  • server.json — included in npm package for MCP registry compatibility

Fixes

  • Collector timeout (30s) prevents indefinite hang on slow/unresponsive APIs
  • Trust score weight validation — custom weights must sum to 1.0
  • Patch bonus logic — only applies when vulnerabilities exist and patches are within 30 days
  • Python parser: #egg= fragments in git URLs no longer stripped by comment removal
  • Typosquat detection — homoglyph analysis expanded to catch 2-character substitutions
  • Cache error handling — distinguishes JSON corruption from unexpected I/O errors

Status

Platform     | Version                        | Status
npm          | 1.1.4 (1.2.0 ready to publish) | npmjs.com/package/dep-oracle
GitHub       | 1.2.0                          | This release
MCP Registry |                                | Active, modelcontextprotocol.io/registry

Install

npx dep-oracle
# or
npm install -g dep-oracle

Programmatic API

import { scan, checkPackage } from 'dep-oracle';

const report = await scan({ dir: './my-project' });
console.log(report.overallScore);

const result = await checkPackage('express');
console.log(result.trustScore);

Claude Code Integration

{
  "mcpServers": {
    "dep-oracle": {
      "command": "npx",
      "args": ["dep-oracle", "mcp"]
    }
  }
}

Full Changelog: v1.1.4...v1.2.0

v1.1.4 — Package.json Fix

22 Feb 03:49

Fixed

  • Removed invalid readme field from package.json that caused npm to display a literal string instead of the README content
  • All version references synced to 1.1.4 across package.json, server.json, README output examples, and changelogs

Status

Platform     | Status       | Link
npm          | Published    | npmjs.com/package/dep-oracle
GitHub       | This release | github.com/ertugrulakben/dep-oracle
MCP Registry | Active       | modelcontextprotocol.io/registry

Install

npx dep-oracle
# or
npm install -g dep-oracle@1.1.4

Claude Code Integration

{
  "mcpServers": {
    "dep-oracle": {
      "command": "npx",
      "args": ["dep-oracle", "mcp"]
    }
  }
}

Full Changelog: v1.1.3...v1.1.4

v1.1.3 — English README on npm

22 Feb 03:49

Fixed

  • npm README: English README now correctly shown on npmjs.com
  • Turkish README excluded from npm package via prepack/postpack lifecycle scripts

Install

npx dep-oracle
# or
npm install -g dep-oracle@1.1.3

Full Changelog: v1.1.2...v1.1.3

v1.1.2 — npm README Fix

22 Feb 03:39

What's Changed

Fixed

  • npm README: npmjs.com now correctly shows the English README with cover image, MCP Registry badge, and complete changelog (previously showed Turkish README due to a file corruption during v1.1.1 publish)
  • MCP Registry Links: Updated all MCP Registry links to use the official documentation URL

Full Changelog: v1.1.1...v1.1.2

v1.1.1 — MCP Registry Support

22 Feb 03:32

What's New

MCP Registry

  • dep-oracle is now listed on the official MCP Registry as io.github.ertugrulakben/dep-oracle
  • Added server.json manifest and mcpName field in package.json

Dynamic Versioning

  • MCP server and SARIF reporter now read version dynamically from package.json (no more hardcoded version strings)

Documentation

  • Cover image added to both README.md and README.tr.md
  • Complete changelog with all versions (v1.0.0, v1.1.0, v1.1.1)
  • MCP Registry badge and link in README headers

Install: npm install -g dep-oracle or npx dep-oracle

Full Changelog: v1.1.0...v1.1.1