A dependency health scanner that finds dead, deprecated, and abandoned packages in your project — and tells you what to migrate to.
📦 stack-rot v0.1 — scanning ./package.json
🪦 ABANDONED (1 package):
❌ moment 2.24.0
→ In maintenance mode since 2020. Maintainers officially recommend alternatives.
→ Migrate to: dayjs, date-fns, luxon
→ Evidence: https://momentjs.com/docs/#/-project-status/
⚠️ DEPRECATED (2 packages):
❌ brute-knex 4.0.1
→ Package no longer supported.
❌ path-match 1.2.4
→ Archived and no longer maintained.
✅ HEALTHY (207 packages)
────────────────────────────────────────
📊 Project health: 9.9/10
207/210 dependencies are healthy (2 unknown packages excluded).
The example above is a real scan of TryGhost/Ghost.
stack-rot reads your package.json and reports which dependencies are:
- Abandoned — community has moved away, even if the registry doesn't say so (e.g. moment)
- Deprecated — officially marked deprecated on npm or by maintainers (e.g. request, node-sass)
- Healthy — actively maintained
For each problematic dependency, it tells you:
- Why it's flagged
- A link to public evidence (maintainer announcement, deprecation notice, archived repo)
- Recommended alternatives
Existing tools handle adjacent problems:
| Tool | Primary focus |
|---|---|
npm outdated |
Newer versions available |
npm audit |
Security vulnerabilities |
| Dependabot | Automated version bumps |
| Snyk | Security vulnerabilities + license issues |
| Socket.dev | Supply-chain risk |
stack-rot |
Community migration intelligence (open-source, free, CLI) |
None of those answer the question developers actually ask when they inherit an old codebase: which of these packages should I stop using?
stack-rot answers that. It combines a hand-curated database of known-abandoned packages with the npm registry's deprecation flag to surface problems no other tool catches.
pip install stack-rot
Requires Python 3.10 or newer.
Scan the package.json in the current directory:
stack-rot
Scan a specific file:
stack-rot path/to/package.json
Scan without hitting the npm registry (uses only the curated database):
stack-rot --no-network
Exit codes:
0— no abandoned or deprecated dependencies found1— problems found (useful for CI)2— error reading the manifest
- JavaScript / npm support (reads
package.json, querieshttps://registry.npmjs.org) - 8 hand-verified entries in the curated database, each with an evidence URL
- Live npm deprecation detection for every other package on the registry
- v0.2 — Python (
requirements.txt,pyproject.toml) - v0.3 — Automated abandonment signals (last-publish dates, repo activity)
- v0.4 — Go (
go.mod) - v0.5 — Rust (
Cargo.toml) - v0.6 — Community sentiment data from public sources
- v0.7 — JSON/HTML reports, CI mode, GitHub Action
- v0.8 — Safe codemods for trivial migrations
- v0.9 — Web dashboard and README badges
- v1.0 — Stability and sustainability
The curated database (src/stack_rot/rot-db.json) grows by community contribution. Every new entry requires:
- A
statusofdead,deprecated, orstale - A
reasonexplaining the verdict - A list of at least one
alternativepackage - A public
evidenceURL (maintainer announcement, deprecation notice, archived repo, or registry flag) verified_byandverified_datefields
PRs missing any of these will be rejected automatically. See CONTRIBUTING.md for full rules.
MIT. See LICENSE.