Monitor your .NET project's NuGet dependencies for staleness, abandonment, and vulnerabilities.
```bash
dotnet tool install -g depwatch-dotnet
```

```bash
# Scan current directory (auto-detects .csproj or .sln)
depwatch
# Scan a specific project
depwatch ./src/MyApp/MyApp.csproj
# Scan a solution
depwatch ./MyApp.sln
# Output as JSON
depwatch --format json
# CI mode (no color, exits with code 1 on critical findings)
depwatch --ci
```

```
┌─────────────────────────┬─────────┬─────────┬──────────────┬──────────┬────────────────────────────────┐
│ Package                 │ Version │ Latest  │ Published    │ Status   │ Issues                         │
├─────────────────────────┼─────────┼─────────┼──────────────┼──────────┼────────────────────────────────┤
│ Newtonsoft.Json         │ 13.0.1  │ 13.0.3  │ 2023-03-08   │ Healthy  │ -                              │
│ Serilog                 │ 2.12.0  │ 3.1.1   │ 2023-11-15   │ Healthy  │ -                              │
│ System.Data.SqlClient   │ 4.8.5   │ 4.8.6   │ 2023-09-12   │ AtRisk   │ Package is deprecated          │
│ log4net                 │ 2.0.8   │ 2.0.15  │ 2022-01-10   │ Stale    │ Latest release was 800 days ago│
└─────────────────────────┴─────────┴─────────┴──────────────┴──────────┴────────────────────────────────┘
Summary: 2 Healthy, 1 Stale, 1 AtRisk, 0 Critical
```

Each dependency is assigned a health status based on the following rules:
| Status | Condition |
|---|---|
| Healthy | No issues detected |
| Stale | Latest release is older than the staleness threshold (default: 365 days) |
| At Risk | Package is deprecated, or has low/moderate severity vulnerabilities |
| Critical | Package has high or critical severity vulnerabilities |
The most severe applicable status wins. A package that is both stale and has critical vulnerabilities will be marked Critical.
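
The rules and precedence above, modeled as an added Python example (not depwatch's own code). The `Package` record, the sample packages and the strict reading of "older than" are assumptions made for illustration; `ci_exit_code` mirrors the `--ci` exit behavior described on this page.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum

class Status(IntEnum):
    # Ordered so max() implements "the most severe applicable status wins".
    HEALTHY = 0
    STALE = 1
    AT_RISK = 2
    CRITICAL = 3

@dataclass
class Package:  # hypothetical record for this example, not depwatch's data model
    name: str
    latest_published: date
    deprecated: bool = False
    vuln_severities: tuple = ()  # e.g. ("low", "high")

def classify(pkg, today, threshold_days=365):
    """Return the most severe status whose condition holds for pkg."""
    applicable = [Status.HEALTHY]
    # "Older than" the threshold is read as strictly greater (an assumption).
    if (today - pkg.latest_published).days > threshold_days:
        applicable.append(Status.STALE)
    sev = {s.lower() for s in pkg.vuln_severities}
    if pkg.deprecated or sev & {"low", "moderate"}:
        applicable.append(Status.AT_RISK)
    if sev & {"high", "critical"}:
        applicable.append(Status.CRITICAL)
    return max(applicable)

def ci_exit_code(statuses):
    """Model of the --ci contract: 1 only when a Critical finding exists."""
    return 1 if Status.CRITICAL in statuses else 0

# Constructed sample data; package names are placeholders.
TODAY = date(2024, 6, 1)
def ago(days): return TODAY - timedelta(days=days)
SAMPLE = [
    Package("Example.Fresh", ago(100)),
    Package("Example.Boundary", ago(365)),
    Package("Example.Old", ago(800)),
    Package("Example.Deprecated", ago(30), deprecated=True),
    Package("Example.OldModerate", ago(800), vuln_severities=("moderate",)),
    Package("Example.OldCritical", ago(800), True, ("low", "Critical")),
]

if __name__ == "__main__":
    results = [classify(p, TODAY) for p in SAMPLE]
    for p, s in zip(SAMPLE, results):
        print(f"{p.name:22} {s.name}")
    print("exit code:", ci_exit_code(results))
```

Because `--ci` fails the build only on Critical, the deprecated and moderate-severity packages in this sample would still pass the pipeline.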
```
depwatch [OPTIONS] [PATH]

Arguments:
  PATH                 .csproj, .sln, or directory (default: current dir)

Options:
  --format <FORMAT>    Output format: table (default), json, csv
  --threshold <DAYS>   Staleness threshold in days (default: 365)
  --severity <LEVEL>   Minimum severity to display: all (default), stale, at-risk, critical
  --no-cache           Bypass the local file cache
  --ci                 CI mode: no color, exit code 1 on critical findings
  --version            Show version
  --help               Show help
```

Use the --ci flag in your CI/CD pipeline to fail builds when critical vulnerabilities are detected:

```yaml
# GitHub Actions example
- name: Check dependencies
  run: depwatch --ci
```

Exit codes:

- `0`: No critical findings
- `1`: Critical findings detected

depwatch caches NuGet API responses locally to avoid redundant network calls:

- macOS/Linux: `~/.cache/depwatch/`
- Windows: `%LOCALAPPDATA%\depwatch\cache\`

Cache entries expire after 4 hours. Use --no-cache to bypass.