0.2.0

Released by github-actions on 16 Jun 12:16 · 10 commits to main since this release · commit f3a0500

Added

  • update subcommand for updating outdated dependencies
    • Maven: format-preserving POM updates for both managed properties (<properties>) and inline versions (<version>x.y.z</version>) — preserves comments, whitespace, and indentation
    • npm: delegates to native package manager update commands (npm update, pnpm update, yarn upgrade, bun update)
    • --dry-run flag to preview updates without making changes (JSON status: would_update)
    • Structured JSON output with ecosystem, kind, managed, artifact, source, old_version, new_version fields
    • Summary line, elapsed time, progress bar, and exit code 1 on errors (mirrors check output)
  • --include/--exclude glob filters for check, update, and audit (e.g., --include 'org.junit:*', --exclude '*:guava', --include 'react*')
  • audit subcommand for checking dependencies against known vulnerabilities via OSV.dev
    • Queries both Maven and npm ecosystems using the OSV batch API
    • Fetches full vulnerability details including CVE aliases, severity (CVSS-based), summaries, and advisory URLs
    • --severity filter to show only vulnerabilities at or above a threshold (critical, high, medium, low)
    • Supports all check filters: --maven/--npm, --dependencies/--plugins/--dev-deps, --managed/--unmanaged, --include/--exclude
    • Structured JSON output with vulnerability details
    • Grouped table output with severity-colored labels, summary line, and timing
    • Exit code 1 when vulnerabilities are found
    • Tool versions (Node.js, package managers) are skipped

Changed

  • Rename crate to depup-cli for crates.io publishing (cargo install depup-cli installs the depup binary)
  • Audit --severity filter now drops dependencies whose vulnerabilities were all below the threshold instead of showing them as clean
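The audit subcommand above queries OSV.dev and then applies the --severity threshold, and the Changed entry refines what that threshold does to dependencies whose findings all fall below it. The following is an added illustration, not code from depup-cli, of both pieces: the shape of an OSV batch query (POST https://api.osv.dev/v1/querybatch, one query per package) and a threshold filter that keeps only vulnerabilities at or above the requested severity and drops dependencies left with none rather than reporting them as clean. All struct names, function names and sample dependencies are constructed for this example; the CVSS-to-label mapping follows the CVSS v3.x qualitative rating scale.

```rust
// Added example (not depup's own code). Illustrates an OSV.dev batch query body
// and `--severity` threshold filtering. All names and sample data are constructed.

/// Qualitative severity buckets; variant order gives Low < Medium < High < Critical.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Severity { Low, Medium, High, Critical }

impl Severity {
    /// Parse a `--severity` threshold or an advisory label (case-insensitive).
    pub fn parse(label: &str) -> Option<Severity> {
        match label.to_ascii_lowercase().as_str() {
            "low" => Some(Severity::Low),
            "medium" | "moderate" => Some(Severity::Medium),
            "high" => Some(Severity::High),
            "critical" => Some(Severity::Critical),
            _ => None,
        }
    }

    /// CVSS v3.x qualitative scale: 0.1-3.9 Low, 4.0-6.9 Medium, 7.0-8.9 High, 9.0-10.0 Critical.
    pub fn from_cvss_score(score: f64) -> Option<Severity> {
        if score >= 9.0 { Some(Severity::Critical) }
        else if score >= 7.0 { Some(Severity::High) }
        else if score >= 4.0 { Some(Severity::Medium) }
        else if score > 0.0 { Some(Severity::Low) }
        else { None }
    }
}

#[derive(Debug, Clone, PartialEq)]
pub struct Dependency {
    pub ecosystem: String, // "Maven" or "npm", as OSV names the ecosystems
    pub name: String,      // Maven: "group:artifact"; npm: the package name
    pub version: String,
}

#[derive(Debug, Clone, PartialEq)]
pub struct Vuln { pub id: String, pub severity: Option<Severity> }

/// One audited dependency with the vulnerabilities reported for it.
#[derive(Debug, Clone, PartialEq)]
pub struct Finding { pub dep: Dependency, pub vulns: Vec<Vuln> }

/// Request body for POST https://api.osv.dev/v1/querybatch: one query per dependency.
/// Assembled by hand so the example needs no external crate; a real client would
/// use a JSON library so that package names are escaped properly.
pub fn osv_batch_query_body(deps: &[Dependency]) -> String {
    let queries: Vec<String> = deps.iter().map(|d| format!(
        "{{\"package\":{{\"name\":\"{}\",\"ecosystem\":\"{}\"}},\"version\":\"{}\"}}",
        d.name, d.ecosystem, d.version
    )).collect();
    format!("{{\"queries\":[{}]}}", queries.join(","))
}

/// Apply `--severity`: keep only vulnerabilities at or above the threshold, then drop
/// any dependency left with none (it is removed from the report, not shown as clean).
/// Vulnerabilities with no usable severity are kept, so a missing score never hides one.
pub fn apply_threshold(findings: Vec<Finding>, threshold: Option<Severity>) -> Vec<Finding> {
    findings.into_iter().filter_map(|mut f| {
        if let Some(t) = threshold {
            f.vulns.retain(|v| v.severity.map_or(true, |s| s >= t));
        }
        if f.vulns.is_empty() { None } else { Some(f) }
    }).collect()
}

/// Mirrors the documented exit status: 1 when any vulnerability remains, else 0.
pub fn exit_code(findings: &[Finding]) -> i32 {
    if findings.is_empty() { 0 } else { 1 }
}

fn dep(eco: &str, name: &str, ver: &str) -> Dependency {
    Dependency { ecosystem: eco.into(), name: name.into(), version: ver.into() }
}
fn vuln(id: &str, sev: Option<Severity>) -> Vuln { Vuln { id: id.into(), severity: sev } }

/// Constructed sample audit results (placeholder names and advisory ids, not real data).
pub fn sample_findings() -> Vec<Finding> {
    vec![
        Finding { dep: dep("Maven", "com.example:foo", "1.0.0"),
                  vulns: vec![vuln("EXAMPLE-VULN-1", Severity::from_cvss_score(7.5)),
                              vuln("EXAMPLE-VULN-2", Severity::from_cvss_score(3.1))] },
        Finding { dep: dep("npm", "example-pkg", "2.3.4"),
                  vulns: vec![vuln("EXAMPLE-VULN-3", Severity::parse("moderate"))] },
        Finding { dep: dep("Maven", "com.example:bar", "0.9.0"), vulns: vec![] },
    ]
}

fn main() {
    let deps: Vec<Dependency> = sample_findings().into_iter().map(|f| f.dep).collect();
    println!("batch body: {}", osv_batch_query_body(&deps));
    let report = apply_threshold(sample_findings(), Severity::parse("high"));
    for f in &report {
        println!("{} {}: {} vulnerabilities at/above high", f.dep.name, f.dep.version, f.vulns.len());
    }
    std::process::exit(exit_code(&report));
}
```

With the sample data and `--severity high`, only `com.example:foo` survives (one of its two advisories is High), `example-pkg` is dropped because its only advisory is Medium, and the clean artifact is never listed; the process exits 1 because a finding remains. Ordering on the enum is what makes `s >= t` a correct threshold comparison, so the variant order must not be rearranged.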