We’re excited to introduce a major improvement in Depmender — the brand-new config folder system.
With this update, Depmender becomes more powerful, flexible, and team-friendly than ever before.
When you run:
depmender init
Depmender now automatically creates a dedicated configuration folder containing:
depmender.config.js
This file gives you full control over how Depmender scans, fixes, reports, and integrates with your workflow.
📁 What’s Inside depmender.config.js?
The config file is divided into 3 powerful sections:
rules – Scanning Rules
autoFix – Auto-Fix Settings
output – Output Customization
Each section allows you to tailor Depmender according to your project’s needs.
1️⃣ Scanning Rules (rules)
Control how strict Depmender should be while scanning dependencies.
✅ maxOutdatedDays – Control outdated packages
maxOutdatedDays: 90 // Default – packages older than 90 days flagged
maxOutdatedDays: 30 // Strict mode
maxOutdatedDays: 180 // Relaxed mode
You decide how old is “too old”.
✅ allowedVulnerabilities – Ignore specific severity levels
allowedVulnerabilities: [] // Nothing ignored
allowedVulnerabilities: ['low'] // Ignore low severity
allowedVulnerabilities: ['low', 'moderate'] // Ignore low and moderate severity
Perfect for teams that don’t want low-severity noise in reports.
✅ excludePackages – Skip specific packages (with wildcard support)
excludePackages: [
'@types/*',
'eslint-*',
'react',
'lodash',
'webpack-*'
]
You can:
Skip internal tools
Ignore specific libraries
Use wildcard patterns
✅ includeDev – Scan devDependencies or not
includeDev: true // Default
includeDev: false // Production-only scan
Useful for production-critical systems.
2️⃣ Auto-Fix Settings (autoFix)
Control how Depmender applies fixes.
✅ enabled – Turn automatic fixes on/off
enabled: false // Safe (default)
enabled: true // Fully automatic
✅ confirmBeforeFix – Ask before applying fixes
confirmBeforeFix: true
confirmBeforeFix: false
Great balance between safety and speed.
✅ backupBeforeFix – Create a backup before changes
backupBeforeFix: true // Recommended
backupBeforeFix: false
Guards against accidental breakage by keeping a copy to restore from.
✅ maxRiskLevel – Control risk tolerance
maxRiskLevel: 'low'
maxRiskLevel: 'medium' // Default
maxRiskLevel: 'high'
maxRiskLevel: 'critical'
You choose how aggressive Depmender should be.
3️⃣ Output Customization (output)
Customize how Depmender reports results.
✅ format – Choose output style
format: 'minimal'
format: 'detailed' // Default
format: 'json' // Ideal for CI/CD
✅ showSuccessMessages
showSuccessMessages: true
showSuccessMessages: false
Reduce noise if needed.
✅ colors – Enable or disable colored output
colors: true // Default
colors: false // Better for CI pipelines
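As an added example (not part of the original post and not Depmender's own code), the script below reviews a config object for settings that narrow scan coverage or let fixes land unreviewed. The key names come from the sections above; the nesting under rules and autoFix, the policy choices, the sample data and the reading of * as "any run of characters" are assumptions.

```javascript
// Added example, not Depmender code. Key names come from the article; the
// rules/autoFix nesting, the policy, and '*' meaning "any run of characters"
// are assumptions.
function patternToRegExp(pattern) {
  // Escape regex metacharacters, then expand each '*' wildcard.
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + escaped.replace(/\*/g, '.*') + '$');
}

// Dependencies that excludePackages would remove from the scan.
function excludedPackages(patterns, dependencyNames) {
  const regexes = patterns.map(patternToRegExp);
  return dependencyNames.filter((name) => regexes.some((re) => re.test(name)));
}

// Returns one finding per setting that narrows scan coverage or lets
// fixes land without review.
function auditConfig(config, dependencyNames) {
  const { rules = {}, autoFix = {} } = config;
  const findings = [];
  const ignored = (rules.allowedVulnerabilities || []).filter((s) => s !== 'low');
  if (ignored.length) findings.push(`ignored severities above low: ${ignored.join(', ')}`);
  if (rules.includeDev === false) findings.push('devDependencies are not scanned');
  const hidden = excludedPackages(rules.excludePackages || [], dependencyNames);
  if (hidden.length) findings.push(`excluded from scan: ${hidden.join(', ')}`);
  if (autoFix.enabled) {
    if (autoFix.confirmBeforeFix === false) findings.push('auto-fix applies without confirmation');
    if (autoFix.backupBeforeFix === false) findings.push('auto-fix applies without backup');
    if (['high', 'critical'].includes(autoFix.maxRiskLevel)) {
      findings.push(`auto-fix maxRiskLevel is ${autoFix.maxRiskLevel}`);
    }
  }
  return findings;
}

// Constructed sample input.
const sampleConfig = {
  rules: {
    maxOutdatedDays: 90,
    allowedVulnerabilities: ['low', 'moderate'],
    excludePackages: ['@types/*', 'eslint-*', 'react'],
    includeDev: true,
  },
  autoFix: { enabled: true, confirmBeforeFix: false, backupBeforeFix: true, maxRiskLevel: 'high' },
};
const sampleDeps = ['@types/node', 'eslint', 'eslint-plugin-react', 'react', 'react-dom', 'express'];

console.log(auditConfig(sampleConfig, sampleDeps));
```

Under these assumptions, 'eslint-*' hides eslint-plugin-react but not eslint itself, and 'react' hides only the exact package name, which is the kind of coverage gap worth checking before a wildcard is committed.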
🎯 Why This Update Matters
With this new config system, you can:
✅ Define project-specific rules
✅ Control auto-fix behavior
✅ Customize output format
✅ Exclude specific packages
✅ Set vulnerability tolerance levels
✅ Separate production and development scanning
✅ Match your team’s workflow perfectly
Depmender is no longer just a scanning tool — it’s now a fully customizable dependency management system.
💡 Final Thoughts
Every project is different.
Some teams prefer strict dependency policies.
Some prefer flexibility.
Some need CI/CD automation.
With the new depmender.config.js, you’re in full control.
This update makes Depmender:
✔ More scalable
✔ More team-friendly
✔ More automation-ready
✔ Production-aware
✔ Enterprise-capable
GitHub repo: https://github.com/r2708/depmender