This is a submission for the GitHub Copilot CLI Challenge
The "Dependency Hell" Nightmare 😱
It's 4:55 PM on a Friday. You're about to deploy.
$ npm audit
found 12 vulnerabilities (2 critical, 5 high)
Panic sets in.
You check the report. The critical vulnerability isn't even in your code. It's in left-pad-v2, which is a dependency of react-awesome-button, which is a dependency of your UI library...
You are now in Dependency Hell. 🔥
- ❌ You can't just npm update (it breaks the UI).
- ❌ You can't remove the package (you need the button).
- ❌ You spend hours reading GitHub issues from 2019.
- ❌ You try npm dedupe, npm audit fix --force... and now your app won't build.
Sound familiar?
The "Aha!" Moment
What if AI could explain vulnerabilities in plain English?
What if it could tell me the business impact ($$$)?
What if it could auto-fix everything in 30 seconds?
Enter DepDoctor 🩺
🩺 What is DepDoctor?
DepDoctor is an AI-powered CLI tool that doesn't just find problems—it fixes them.
It combines GitHub Copilot's reasoning engine with a smart Tree Repair System to surgically remove vulnerabilities from your node_modules without breaking your app.
The "Killer Feature": Smart Tree Repair 🌳
Most tools stop at "You have a problem." DepDoctor says, "I fixed it."
The Smart Tree Repair uses a multi-stage process to resolve "Dependency Hell":
- Deep Scan: Finds vulnerabilities nested 10 layers deep.
- Safe Version Resolution: Finds the exact version of the sub-dependency that fixes the CVE.
- Surgical Override: Automatically modifies your package.json with an overrides (or resolutions) field to force only the vulnerable package to update, keeping the rest of the chain intact.
- Auto-Dedupe: Flattens your tree to remove duplicate vulnerable copies.
The Result?
You type depdoctor --fix-all, and that unfixable nested vulnerability vanishes. ✨
🤖 Copilot: Your Security Analyst
DepDoctor uses GitHub Copilot CLI to translate "Security Speak" into "Business Speak".
Instead of:
CVE-2024-1234: Prototype pollution in object serialization...
DepDoctor shows:
🤖 Copilot Analysis:
"Attackers can crash your server by sending malformed JSON.
Business Impact: High risk of DoS attack during peak traffic (est. loss $10k/hour)."
It prioritizes fixes based on actual risk, not just scary red text.
The Demo That Made My Team Go "😮"
$ depdoctor
🩺 DepDoctor - Analyzing dependencies...
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📊 DEPENDENCY HEALTH REPORT
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Overall Score: 68/100 🟡 (Needs Attention)
🔴 CRITICAL (2 vulnerabilities)
┌─────────────────────────────────────────┐
│ lodash@4.17.20 │
│ CVE-2021-23337 - Command Injection │
│ │
│ 🤖 Copilot Explains: │
│ "Attacker-controlled template input │
│ can run arbitrary code on your server" │
│ │
│ 💰 Business Impact: $50,000+ breach │
│ │
│ ✅ Fix: npm install lodash@latest │
└─────────────────────────────────────────┘
Apply fixes? [y/N]: y
✅ Fixed 2 critical vulnerabilities in 30 seconds!
New Score: 92/100 🟢
No more Googling CVE numbers at midnight!
🚀 See It In Action
1. The Audit
$ depdoctor
🩺 DepDoctor - Analyzing dependencies...
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📊 DEPENDENCY HEALTH REPORT
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🔴 CRITICAL: deep-merge-util
In: ui-lib > button > utils > deep-merge-util
🤖 Copilot says: "Allows Remote Code Execution (RCE)."
💰 Risk: Critical Data Breach
Dependencies stuck in Hell? 2
2. The Cure
$ depdoctor --fix-all
🌳 Activating Smart Tree Repair...
• Running npm dedupe... Done.
• Isolating nested vulnerability: deep-merge-util
• Calculating safe override version... found v2.1.0
• Applying surgical override to package.json...
• Re-installing dependencies...
✅ DEPENDENCY HELL RESOLVED.
2 Nested Vulnerabilities Fixed.
0 Breaking Changes Detected.
Get back to your weekend! 🍻
Why This Exists
The Problem
Developers lose hours every week to dependency hell:
- ❌ npm audit shows 47 vulnerabilities... which ones matter?
- ❌ Outdated packages... which will break my app?
- ❌ Unused deps... how much am I wasting?
- ❌ Hours spent Googling CVEs and reading changelogs
🛠️ How It Works (Under the Hood)
┌─────────────┐
│ Your Project│
└──────┬──────┘
│
▼
┌─────────────────┐
│ npm audit │ ← Scan vulnerabilities
│ npm outdated │ ← Find outdated packages
│ Code Scanner │ ← Detect unused deps
└──────┬──────────┘
│
▼
┌─────────────────────────┐
│ GitHub Copilot CLI │
│ • Explain vulnerabilities│ ← AI magic here! 🤖
│ • Assess business impact │
│ • Generate fixes │
│ • Create migration guides│
└──────┬──────────────────┘
│
▼
┌─────────────────┐
│ Beautiful Report│ ← You see this! 🎨
│ + Auto-fix │
└─────────────────┘
For the nerds like me, here's how the Tree Fixer works (src/fixers/tree-fixer.ts):
import { promises as fs } from 'fs';

// 1. Identify nested (transitive) vulnerabilities; direct deps get a normal install instead
const nestedVulns = analysis.vulnerabilities.filter((v) => !v.isDirect);

// 2. Copilot determines the safe patch version for each one
const overrides: Record<string, string> = {};
for (const vuln of nestedVulns) {
  const safeVer = await copilot.findSafeVersion(vuln);
  overrides[vuln.name] = safeVer;
}

// 3. Merge into the 'overrides' field of package.json (npm 8+), keeping existing
//    entries and the file's two-space formatting so the diff stays reviewable
packageJson.overrides = { ...packageJson.overrides, ...overrides };
await fs.writeFile('package.json', JSON.stringify(packageJson, null, 2) + '\n');
It leverages npm's native overrides field (resolutions for Yarn) but automates the tedious, error-prone part: figuring out what to override and to what version, without introducing breaking changes. One thing to keep in mind: a top-level override such as "deep-merge-util": "2.1.0" applies to every copy of that package in the tree, direct or nested, so when only one chain is affected it is safer to scope the override under the parent, e.g. "ui-lib": { "deep-merge-util": "2.1.0" }. Either way, re-run npm audit after the reinstall to confirm the override actually took effect.
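As an added example, not DepDoctor's own tree-fixer and not code from the project, here is the override step of the Smart Tree Repair written out deterministically: it reads the shape that npm audit --json (npm 8+) emits, picks the lowest published version that clears every advisory range, scopes the override under the parent that pulls the package in (so a nested ui-lib > deep-merge-util copy is fixed without touching other copies), and merges the result into package.json without clobbering existing overrides. It generalizes the single chain in the post to any depth, scoped packages and multiple install paths. The audit sample, the registry version list and all function names below are constructed for this example.

```typescript
// Added example (not DepDoctor's code): turn `npm audit --json` output into
// `overrides` scoped to the dependent that pulls the vulnerable package in.
// The audit sample and registry list are constructed to mirror the post's
// ui-lib > deep-merge-util chain.

type Advisory = { name: string; title: string; severity: string; range: string };
type AuditVuln = {
  name: string;
  severity: string;
  isDirect: boolean;
  via: (Advisory | string)[]; // advisory objects, or names of vulnerable children
  nodes: string[];            // install paths under node_modules
  range: string;              // vulnerable version range
};
type AuditReport = { vulnerabilities: Record<string, AuditVuln> };
type Overrides = { [pkg: string]: string | Overrides };

const sampleAudit: AuditReport = { // constructed sample, same shape as npm's JSON
  vulnerabilities: {
    "deep-merge-util": {
      name: "deep-merge-util", severity: "critical", isDirect: false, range: "<2.1.0",
      via: [{ name: "deep-merge-util", title: "Prototype Pollution", severity: "critical", range: "<2.1.0" }],
      nodes: ["node_modules/ui-lib/node_modules/deep-merge-util"],
    },
    "ui-lib": { // vulnerable only through its child, so no advisory of its own
      name: "ui-lib", severity: "critical", isDirect: true, range: "*",
      via: ["deep-merge-util"], nodes: ["node_modules/ui-lib"],
    },
  },
};
const sampleRegistry: Record<string, string[]> = { // constructed version list
  "deep-merge-util": ["1.9.0", "2.0.0", "2.0.5", "2.1.0", "2.2.0"],
};

type Ver = [number, number, number];
function parseVer(v: string): Ver {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [+m[1], +m[2], +m[3]];
}
const cmp = (a: Ver, b: Ver): number => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// Range check for the comparator sets npm audit reports, e.g. "<2.1.0",
// ">=1.0.0 <1.2.5", "<1.0.0 || >=2.0.0 <2.1.0", "*". Pre-release tags are not handled.
function satisfies(version: string, range: string): boolean {
  const v = parseVer(version);
  return range.split("||").some((set) =>
    set.trim().split(/\s+/).every((c) => {
      if (c === "" || c === "*") return true;
      const m = /^(<=|>=|<|>|=)?(.+)$/.exec(c)!;
      const d = cmp(v, parseVer(m[2]));
      switch (m[1] ?? "=") {
        case "<": return d < 0;
        case "<=": return d <= 0;
        case ">": return d > 0;
        case ">=": return d >= 0;
        default: return d === 0;
      }
    }),
  );
}

// Lowest published version outside every vulnerable range (an exact pin, not a range).
function pickSafeVersion(ranges: string[], available: string[]): string | undefined {
  return [...available]
    .sort((a, b) => cmp(parseVer(a), parseVer(b)))
    .find((v) => ranges.every((r) => !satisfies(v, r)));
}

// "node_modules/@acme/ui/node_modules/x" -> ["@acme/ui", "x"]
function chainFromNode(node: string): string[] {
  const parts = node.split("/").filter((p) => p && p !== "node_modules");
  const chain: string[] = [];
  for (let i = 0; i < parts.length; i++) {
    chain.push(parts[i].startsWith("@") ? `${parts[i]}/${parts[++i]}` : parts[i]);
  }
  return chain;
}

function deepMerge(base: Overrides, extra: Overrides): Overrides {
  const out: Overrides = { ...base };
  for (const [k, v] of Object.entries(extra)) {
    const cur = out[k];
    // A bare version pin for a parent moves to its "." entry once children are scoped under it.
    out[k] = typeof v === "object"
      ? deepMerge(typeof cur === "object" ? cur : cur ? { ".": cur } : {}, v)
      : v;
  }
  return out;
}

function buildOverrides(report: AuditReport, registry: Record<string, string[]>) {
  let overrides: Overrides = {};
  const unfixable: string[] = [];
  for (const vuln of Object.values(report.vulnerabilities)) {
    const advisories = vuln.via.filter((x): x is Advisory => typeof x === "object");
    // Direct deps are fixed with `npm install name@ver`, not an override; packages
    // that are vulnerable only "via" a child have nothing to override themselves.
    if (vuln.isDirect || advisories.length === 0) continue;
    const safe = pickSafeVersion(advisories.map((a) => a.range), registry[vuln.name] ?? []);
    if (!safe) { unfixable.push(vuln.name); continue; } // never guess a version: report it
    for (const node of vuln.nodes) {
      const scoped = chainFromNode(node).reduceRight<Overrides | string>(
        (acc, name) => ({ [name]: acc }), safe) as Overrides;
      overrides = deepMerge(overrides, scoped);
    }
  }
  return { overrides, unfixable };
}

// Merge into package.json text, keeping existing overrides and 2-space formatting.
function mergeIntoPackageJson(pkgText: string, overrides: Overrides): string {
  const pkg = JSON.parse(pkgText);
  pkg.overrides = deepMerge(pkg.overrides ?? {}, overrides);
  return JSON.stringify(pkg, null, 2) + "\n";
}
```

Pipe the real audit JSON and the registry's version list (npm view name versions --json) into buildOverrides, write the merged package.json, then npm install and re-run npm audit; anything left in unfixable has no published fix and needs a different dependent or a direct patch rather than an override. Direct dependencies are deliberately skipped here because npm requires a direct dependency's own spec to agree with any override for it, so they are better handled with a plain install.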
Real Impact: Before vs After
Before DepDoctor:
Friday 11 PM: npm audit shows 12 vulnerabilities
Friday 11:05 PM: Google "CVE-2021-23337"
Friday 11:30 PM: Still reading security advisories
Saturday 2 AM: Finally fix 2 critical issues
Monday: Boss asks "why was the site down?"
After DepDoctor:
Friday 11 PM: depdoctor
Friday 11:01 PM: See AI explanations
Friday 11:01 PM: Press 'y' to auto-fix
Friday 11:02 PM: Done. Score: 92/100 🟢
Friday 11:03 PM: Sleep like a baby 😴
Time saved: 3 hours → 2 minutes ⏰
Try It Yourself
From source:
git clone https://github.com/Aryakoste/depDoctor
cd depDoctor
npm install && npm run build
npm link
depdoctor
Cool Features You Might Miss
1. Health History Tracking
$ depdoctor history
┌─────────────────────┬─────────┬──────────┬──────┐
│ Date │ Score │ Critical │ High │
├─────────────────────┼─────────┼──────────┼──────┤
│ 2/15/2026, 1:00 PM │ 92/100🟢│ 0 │ 1 │
│ 2/14/2026, 11:00 PM │ 68/100🟡│ 2 │ 5 │
└─────────────────────┴─────────┴──────────┴──────┘
📈 Score improved by 24 points!
2. CI/CD Integration
# .github/workflows/security.yml
- name: Check Dependencies
run: |
npm install -g depdoctor
depdoctor --ci --threshold critical
# Fails build if critical vulns found
3. Migration Guides for Updates
🟡 react: 17.0.2 → 18.3.1
🤖 Copilot Migration:
1. Update package.json
2. Replace ReactDOM.render() → createRoot()
3. Remove deprecated lifecycle methods
⏰ Est. time: 2 hours
What dependency horror stories do you have? Share in the comments! 💬
Made with ❤️ and GitHub Copilot CLI