Arya Koste

Posted on Feb 15

DepDoctor: Stop Getting Hacked by Outdated Dependencies (Dependency Hell)

#devchallenge #githubchallenge #cli #githubcopilot

GitHub Copilot CLI Challenge Submission

This is a submission for the GitHub Copilot CLI Challenge

The "Dependency Hell" Nightmare 😱

It's 4:55 PM on a Friday. You're about to deploy.

$ npm audit
found 12 vulnerabilities (2 critical, 5 high)

Panic sets in.

You check the report. The critical vulnerability isn't even in your code. It's in left-pad-v2, which is a dependency of react-awesome-button, which is a dependency of your UI library...

You are now in Dependency Hell. 🔥

❌ You can't just npm update (it breaks the UI).
❌ You can't remove the package (you need the button).
❌ You spend hours reading GitHub issues from 2019.
❌ You try npm dedupe, npm audit fix --force... and now your app won't build.

Sound familiar?

The "Aha!" Moment

What if AI could explain vulnerabilities in plain English?

What if it could tell me the business impact ($$$)?

What if it could auto-fix everything in 30 seconds?

Enter DepDoctor 🩺

🩺 What is DepDoctor?

DepDoctor is an AI-powered CLI tool that doesn't just find problems—it fixes them.

It combines GitHub Copilot's reasoning engine with a smart Tree Repair System to surgically remove vulnerabilities from your node_modules without breaking your app.

The "Killer Feature": Smart Tree Repair 🌳

Most tools stop at "You have a problem." DepDoctor says, "I fixed it."

The Smart Tree Repair uses a multi-stage process to resolve "Dependency Hell":

Deep Scan: Finds vulnerabilities nested 10 layers deep.
Safe Version Resolution: Finds the exact version of the sub-dependency that fixes the CVE.
Surgical Override: Automatically modifies your package.json with an overrides (or resolutions) field to force only the vulnerable package to update, keeping the rest of the chain intact.
Auto-Dedupe: Flattens your tree to remove duplicate vulnerable copies.

The Result?
You type depdoctor --fix-all, and that unfixable nested vulnerability vanishes. ✨

🤖 Copilot: Your Security Analyst

DepDoctor uses GitHub Copilot CLI to translate "Security Speak" into "Business Speak".

Instead of:

CVE-2024-1234: Prototype pollution in object serialization...

DepDoctor shows:

🤖 Copilot Analysis:
"Attackers can crash your server by sending malformed JSON.
Business Impact: High risk of DoS attack during peak traffic (est. loss $10k/hour)."

It prioritizes fixes based on actual risk, not just scary red text.

The Demo That Made My Team Go "😮"

$ depdoctor

🩺 DepDoctor - Analyzing dependencies...

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📊 DEPENDENCY HEALTH REPORT
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Overall Score: 68/100 🟡 (Needs Attention)

🔴 CRITICAL (2 vulnerabilities)
┌─────────────────────────────────────────┐
│ lodash@4.17.21                          │
│ CVE-2021-23337 - Prototype Pollution    │
│                                         │
│ 🤖 Copilot Explains:                   │
│ "Attacker can modify object properties, │
│  leading to Remote Code Execution"      │
│                                         │
│ 💰 Business Impact: $50,000+ breach    │
│                                         │
│ ✅ Fix: npm install lodash@latest      │
└─────────────────────────────────────────┘

Apply fixes? [y/N]: y

✅ Fixed 2 critical vulnerabilities in 30 seconds!
New Score: 92/100 🟢

No more Googling CVE numbers at midnight!

🚀 See It In Action

1. The Audit

$ depdoctor

🩺 DepDoctor - Analyzing dependencies...

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📊 DEPENDENCY HEALTH REPORT
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

🔴 CRITICAL: deep-merge-util
   In: ui-lib > button > utils > deep-merge-util

   🤖 Copilot says: "Allows Remote Code Execution (RCE)."
   💰 Risk: Critical Data Breach

Dependencies stuck in Hell? 2

2. The Cure

$ depdoctor --fix-all

🌳 Activating Smart Tree Repair...
   • Running npm dedupe... Done.
   • Isolating nested vulnerability: deep-merge-util
   • Calculating safe override version... found v2.1.0
   • Applying surgical override to package.json...
   • Re-installing dependencies...

✅ DEPENDENCY HELL RESOLVED.
   2 Nested Vulnerabilities Fixed.
   0 Breaking Changes Detected.

Get back to your weekend! 🍻

Why This Exists

The Problem

Developers waste 15-20 hours/week on dependency hell:

❌ npm audit shows 47 vulnerabilities... which ones matter?
❌ Outdated packages... which will break my app?
❌ Unused deps... how much am I wasting?
❌ Hours spent Googling CVEs and reading changelogs

🛠️ How It Works (Under the Hood)

┌─────────────┐
│ Your Project│
└──────┬──────┘
       │
       ▼
┌─────────────────┐
│ npm audit       │  ← Scan vulnerabilities
│ npm outdated    │  ← Find outdated packages
│ Code Scanner    │  ← Detect unused deps
└──────┬──────────┘
       │
       ▼
┌─────────────────────────┐
│ GitHub Copilot CLI      │
│ • Explain vulnerabilities│  ← AI magic here! 🤖
│ • Assess business impact │
│ • Generate fixes         │
│ • Create migration guides│
└──────┬──────────────────┘
       │
       ▼
┌─────────────────┐
│ Beautiful Report│  ← You see this! 🎨
│ + Auto-fix      │
└─────────────────┘

For the nerds like me, here's how the Tree Fixer works (src/fixers/tree-fixer.ts):

// 1. Identify nested vulnerabilities
const nestedVulns = analysis.vulnerabilities.filter(v => !v.isDirect);

// 2. Copilot determines the safe patch version
const overrides = {};
for (const vuln of nestedVulns) {
  const safeVer = await copilot.findSafeVersion(vuln);
  overrides[vuln.name] = safeVer; 
}

// 3. Apply 'overrides' to package.json (works for npm 8+)
packageJson.overrides = { ...packageJson.overrides, ...overrides };
await fs.writeFile('package.json', JSON.stringify(packageJson));

It leverages the native overrides feature of npm (and resolutions for yarn) but automates the tedious, error-prone part: figuring out what to override and to what version to avoid breaking changes.

Real Impact: Before vs After

Before DepDoctor:

Friday 11 PM: npm audit shows 12 vulnerabilities
Friday 11:05 PM: Google "CVE-2021-23337"
Friday 11:30 PM: Still reading security advisories
Saturday 2 AM: Finally fix 2 critical issues
Monday: Boss asks "why was the site down?"

After DepDoctor:

Friday 11 PM: depdoctor
Friday 11:01 PM: See AI explanations
Friday 11:01 PM: Press 'y' to auto-fix
Friday 11:02 PM: Done. Score: 92/100 🟢
Friday 11:03 PM: Sleep like a baby 😴

Time saved: 3 hours → 2 minutes ⏰

Screenshots

Try It Yourself

From source:

git clone https://github.com/Aryakoste/depDoctor
cd depDoctor
npm install && npm run build
npm link
depdoctor

Cool Features You Might Miss

1. Health History Tracking

$ depdoctor history

┌─────────────────────┬─────────┬──────────┬──────┐
│ Date                │ Score   │ Critical │ High │
├─────────────────────┼─────────┼──────────┼──────┤
│ 2/15/2026, 1:00 PM  │ 92/100🟢│ 0        │ 1    │
│ 2/14/2026, 11:00 PM │ 68/100🟡│ 2        │ 5    │
└─────────────────────┴─────────┴──────────┴──────┘

📈 Score improved by 24 points!

2. CI/CD Integration

# .github/workflows/security.yml
- name: Check Dependencies
  run: |
    npm install -g depdoctor
    depdoctor --ci --threshold critical
  # Fails build if critical vulns found

3. Migration Guides for Updates

🟡 react: 17.0.2 → 18.3.1

🤖 Copilot Migration:
1. Update package.json
2. Replace ReactDOM.render() → createRoot()
3. Remove deprecated lifecycle methods

⏰ Est. time: 2 hours

What dependency horror stories do you have? Share in the comments! 💬

Made with ❤️ and GitHub Copilot CLI

⭐ Star on GitHub

DEV Community