Cross-ecosystem dependency health for fledge — outdated, audit, licenses against Rust, Node (npm/pnpm/yarn/bun), and Python (poetry/uv) projects.
Lived in fledge core through v0.14. Moved to this plugin as part of the v0.15 tight-core refactor — every additional ecosystem is one more lockfile parser core didn't need.
```sh
fledge plugins install CorvidLabs/fledge-plugin-deps
```

Auto-detects the project ecosystem from lockfiles in the current directory, then shells out to the canonical tool:

| Lockfile | Ecosystem | Backing tool |
|---|---|---|
| `Cargo.lock` | Rust | `cargo outdated` / `cargo audit` |
| `bun.lockb` | Node (Bun) | `bun outdated` / `bun audit` |
| `pnpm-lock.yaml` | Node (pnpm) | `pnpm outdated` / `pnpm audit` |
| `package-lock.json` | Node (npm) | `npm outdated` / `npm audit` |
| `yarn.lock` | Node (Yarn) | `yarn outdated` / `yarn npm audit` |
| `poetry.lock` | Python (Poetry) | `poetry show --outdated` / `pip-audit` |
| `uv.lock` | Python (uv) | `uv pip list --outdated` / `pip-audit` |

```sh
fledge deps --outdated
fledge deps --audit
fledge deps --outdated --json
```

The default action when no flag is set is `--outdated`.

Pass `--json` to wrap the output in a JSON envelope (useful for piping into other tools or CI scripts).

Note: `--licenses` is planned but not yet implemented.

The plugin auto-detects the ecosystem from lockfiles and shells out to the corresponding tool. You need the backing tools installed for your ecosystem:
- Rust: `cargo-outdated` and/or `cargo-audit` (`cargo install cargo-outdated cargo-audit`)
- Node: `npm`, `pnpm`, `yarn`, or `bun` (whichever matches your lockfile)
- Python: `poetry` or `uv`, plus `pip-audit` for security audits (`pipx install pip-audit`)
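
A CI preflight that checks, before `fledge deps` runs, that the backing tools for every lockfile present are on `PATH`, so a missing audit tool is reported as its own failure. This is an added example, not the plugin's code: the function names are hypothetical, and because this README does not say how a directory with several lockfiles is resolved, the script reports all of them.

```sh
#!/bin/sh
# Added example, not part of fledge-plugin-deps. Function names are hypothetical;
# the lockfile/tool mapping is copied from the table in this README.

# Print the ecosystem of every supported lockfile found in directory $1.
detect_ecosystems() {
    for pair in Cargo.lock:rust bun.lockb:bun pnpm-lock.yaml:pnpm \
                package-lock.json:npm yarn.lock:yarn poetry.lock:poetry uv.lock:uv; do
        if [ -f "${1:-.}/${pair%%:*}" ]; then echo "${pair#*:}"; fi
    done
}

# Print the executables that mode $2 (outdated|audit) needs for ecosystem $1.
required_tools() {
    case "$2" in outdated|audit) ;; *) return 1 ;; esac
    case "$1:$2" in
        rust:outdated)               echo "cargo cargo-outdated" ;;
        rust:audit)                  echo "cargo cargo-audit" ;;
        bun:*|pnpm:*|npm:*|yarn:*)   echo "$1" ;;
        poetry:outdated|uv:outdated) echo "$1" ;;
        poetry:audit|uv:audit)       echo "$1 pip-audit" ;;
        *) return 1 ;;
    esac
}

# Print each required tool that is absent from PATH; return 1 if any is.
missing_tools() {
    tools=$(required_tools "$1" "$2") || { echo "unsupported:$1:$2"; return 1; }
    rc=0
    for tool in $tools; do
        command -v "$tool" >/dev/null 2>&1 || { echo "$tool"; rc=1; }
    done
    return "$rc"
}

# Return 2 if no lockfile is found, 1 if a backing tool is missing, else 0.
preflight() {
    found=$(detect_ecosystems "$1")
    [ -n "$found" ] || { echo "no supported lockfile in $1" >&2; return 2; }
    result=0
    for eco in $found; do
        miss=$(missing_tools "$eco" "$2") || {
            echo "$eco: missing $(echo $miss)" >&2; result=1; }
    done
    return "$result"
}
# CI usage: preflight . audit && fledge deps --audit
```
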
Every ecosystem has its own lockfile parser, registry API, and audit tooling. Adding Dart? Another parser. Adding Elixir? Another parser. As a plugin, this can grow ecosystem support independently — and a Rust-only shop never carries the npm/pip/swift code in their fledge binary.
MIT