Configuration reference

Depswright is configured via a depswright.yml file at the root of your repository. The file is versioned with your code and reviewed in pull requests, so a change that loosens a deny list or lowers a threshold is visible in review like any other code change.

Full schema

version: 1                   # required
schema_version: 2            # required for the v2 schema (0.8.5+); v1 files omit it (see migration below)

policy:
  license:
    deny: ["AGPL-3.0", "GPL-2.0", "SSPL-1.0"]
    warn: ["LGPL-2.1"]
    allow: ["MIT", "Apache-2.0", "BSD-3-Clause", "ISC"]
  maintainer_health:
    fail_below: 20           # score 0-100; fail CI if below this
    warn_below: 40           # warn in PR annotation if below this
  conflicts:
    fail_on: semver_incompatible  # or: none | any_version_drift

monitor:
  schedule: "0 9 * * *"     # five-field cron, evaluated in UTC; default shown (daily at 09:00 UTC)
  notify:
    slack_webhook: "${{ secrets.SLACK_HOOK }}"   # reference a CI secret; never commit the raw webhook URL
    email: [email protected]
    jira:
      project: ENG
      issue_type: Bug

ci:
  fail_on: critical          # critical | warning | none
  annotate_pr: true
  post_summary: true

License policy

The policy.license block defines which licenses in the dependency graph are allowed, produce a warning, or are denied. With the ci block above, a denied license is what fails the build, a warned one is annotated on the pull request.

License identifiers use SPDX format. Note that SPDX has deprecated the bare GPL-family identifiers (GPL-2.0, LGPL-2.1, AGPL-3.0) in favour of the -only and -or-later forms, so before relying on a deny entry written as GPL-2.0, check that a package declaring GPL-2.0-only or GPL-2.0-or-later is actually matched by it.

Maintainer health thresholds

Health scores run from 0 to 100. A score of 0 means the project is effectively abandoned; a score of 100 means very active, responsive maintainers. With the thresholds in the schema above, a dependency scoring below 20 fails CI and one scoring from 20 to 39 produces a warning annotation.

Score factors: commit cadence over the last 12 months, open-issue response time, number of contributors, download trajectory, and whether the upstream repository runs CI. The score measures activity, not trustworthiness: an actively maintained package can still ship a malicious release, so treat it as one signal alongside the license and conflict checks rather than as a substitute for them.
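The license buckets and the health thresholds above, applied together to a small dependency graph, as an added example in Python. This is not Depswright's own code and does not show how the tool parses depswright.yml; the dependency graph is constructed, and the precedence rule (deny over warn over allow), the treatment of unlisted licenses as warnings, the flat handling of SPDX OR/AND expressions, the normalisation of deprecated GPL-family identifiers, and the mapping of findings onto ci.fail_on are all assumptions made here.

```python
import re

# Parsed form of the policy: block in the schema above (standard library only,
# so the YAML is written out as a dict rather than loaded with PyYAML).
POLICY = {
    "license": {
        "deny": ["AGPL-3.0", "GPL-2.0", "SSPL-1.0"],
        "warn": ["LGPL-2.1"],
        "allow": ["MIT", "Apache-2.0", "BSD-3-Clause", "ISC"],
    },
    "maintainer_health": {"fail_below": 20, "warn_below": 40},
}
CI_FAIL_ON = "critical"  # from the ci: block above

# Constructed sample dependency graph: name -> (declared SPDX expression, health score).
DEPS = {
    "fastjson": ("MIT", 87),
    "oldcrypt": ("GPL-2.0-only", 55),            # modern id for a denied licence
    "dualpkg": ("MIT OR GPL-2.0", 61),           # dual-licensed; the MIT branch suffices
    "netglue": ("LGPL-2.1-or-later", 33),        # warn-list licence and a low score
    "ghostlib": ("ISC", 12),                     # permissive but effectively abandoned
    "mystery": ("SEE LICENSE IN LICENSE.txt", 70),  # not an SPDX id at all
}

RANK = {"allow": 0, "warn": 1, "deny": 2}                 # assumption: deny > warn > allow
LICENSE_LEVEL = {"allow": "ok", "warn": "warning", "deny": "critical"}
HEALTH_LEVEL = {"ok": "ok", "warn": "warning", "fail": "critical"}
LEVEL_RANK = {"ok": 0, "warning": 1, "critical": 2}       # names chosen to match ci.fail_on


def spdx_base(spdx_id: str) -> str:
    """Strip the -only / -or-later / + suffixes so a policy entry written with
    the deprecated bare id (GPL-2.0) matches both modern forms."""
    return re.sub(r"(-only|-or-later|\+)$", "", spdx_id.strip())


def license_verdict(expression: str, policy: dict) -> str:
    """Return allow / warn / deny for one SPDX expression.
    Assumption: flat expressions only (no parentheses). For 'A OR B' the
    consumer may pick either licence, so the most permissive verdict wins;
    for 'A AND B' both apply, so the most restrictive wins. An id in no list
    is reported as warn so it surfaces for review instead of passing silently."""
    buckets = {name: {spdx_base(x) for x in policy["license"].get(name, [])}
               for name in ("deny", "warn", "allow")}

    def single(spdx_id: str) -> str:
        base = spdx_base(spdx_id)
        for name in ("deny", "warn", "allow"):   # deny is checked first
            if base in buckets[name]:
                return name
        return "warn"

    or_verdicts = []
    for or_part in expression.split(" OR "):
        and_verdicts = [single(p) for p in or_part.split(" AND ")]
        or_verdicts.append(max(and_verdicts, key=RANK.__getitem__))
    return min(or_verdicts, key=RANK.__getitem__)


def health_verdict(score: int, policy: dict) -> str:
    """fail below fail_below, warn below warn_below, otherwise ok."""
    thresholds = policy["maintainer_health"]
    if score < thresholds["fail_below"]:
        return "fail"
    if score < thresholds["warn_below"]:
        return "warn"
    return "ok"


def evaluate(deps: dict, policy: dict) -> dict:
    """Per-dependency verdicts plus the worse of the two as an overall level."""
    findings = {}
    for name, (expression, score) in deps.items():
        lic = license_verdict(expression, policy)
        health = health_verdict(score, policy)
        level = max((LICENSE_LEVEL[lic], HEALTH_LEVEL[health]), key=LEVEL_RANK.__getitem__)
        findings[name] = {"license": lic, "health": health, "level": level}
    return findings


def ci_outcome(findings: dict, fail_on: str) -> str:
    """Map findings onto ci.fail_on: 'critical' fails only on critical-level
    findings, 'warning' also on warnings, 'none' never fails the build."""
    threshold = {"critical": 2, "warning": 1, "none": 3}[fail_on]
    worst = max((LEVEL_RANK[f["level"]] for f in findings.values()), default=0)
    return "fail" if worst >= threshold else "pass"


if __name__ == "__main__":
    report = evaluate(DEPS, POLICY)
    for name, finding in report.items():
        print(f"{name:10s} license={finding['license']:5s} health={finding['health']:4s} -> {finding['level']}")
    print("ci:", ci_outcome(report, CI_FAIL_ON))
```

Running it fails the build on oldcrypt (GPL-2.0-only is caught by the GPL-2.0 deny entry) and ghostlib (health 12 is below fail_below), warns on netglue and on mystery's non-SPDX license string, and passes dualpkg because its MIT alternative is allowed. Switching fail_on to none turns the same findings into a pass, which is why that setting belongs only in a reporting-only pipeline.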

v1 → v2 migration

Depswright 0.8.5 introduced schema_version: 2. The main change is the policy.license block replacing the old allowed_licenses array.

Before (v1)

allowed_licenses:
  - MIT
  - Apache-2.0
  - BSD-3-Clause
denied_licenses:
  - AGPL-3.0

After (v2)

schema_version: 2
policy:
  license:
    allow: ["MIT", "Apache-2.0", "BSD-3-Clause"]
    deny: ["AGPL-3.0"]

Depswright 0.8.5 and later warns when it is run against a v1 config file. Use depswright migrate to convert the file automatically, then review the resulting diff before committing it.
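The v1 to v2 conversion described above, as an added example in Python. This is not the depswright migrate command and does not reproduce its behaviour; it assumes that a v1 file is recognised by the absence of schema_version, that allowed_licenses and denied_licenses map one-to-one onto policy.license.allow and policy.license.deny, and that every other block carries over unchanged. The input config, the extra ci block, the clash check and the minimal YAML emitter are all constructed here.

```python
import copy

# The "Before (v1)" file from the migration section, as a dict, plus a
# constructed ci block to show that unrelated keys survive the conversion.
V1_CONFIG = {
    "allowed_licenses": ["MIT", "Apache-2.0", "BSD-3-Clause"],
    "denied_licenses": ["AGPL-3.0"],
    "ci": {"fail_on": "critical", "annotate_pr": True},
}


def needs_migration(config: dict) -> bool:
    """v2 files declare schema_version: 2; a file without it is treated as v1,
    which is the case in which Depswright 0.8.5+ prints its warning."""
    return config.get("schema_version") != 2


def migrate_v1_to_v2(config: dict) -> dict:
    """Rewrite the v1 license arrays into the policy.license block."""
    if not needs_migration(config):
        return copy.deepcopy(config)           # already v2: a no-op, safe to re-run
    rest = copy.deepcopy(config)
    allowed = rest.pop("allowed_licenses", [])
    denied = rest.pop("denied_licenses", [])
    clash = sorted(set(allowed) & set(denied))
    if clash:  # hypothetical check: an id in both v1 lists has no sane v2 meaning
        raise ValueError(f"licence in both allowed and denied lists: {clash}")
    policy = rest.pop("policy", {})
    policy["license"] = {"allow": list(allowed), "deny": list(denied)}
    migrated = {"schema_version": 2, "policy": policy}
    migrated.update(rest)                      # every other block carries over unchanged
    return migrated


def to_yaml(obj: dict, indent: int = 0) -> list:
    """Minimal emitter for the subset used in depswright.yml: nested maps,
    flow-style lists of strings, booleans and plain scalars. Not a general
    YAML writer; it exists so the example needs no third-party library."""
    pad = "  " * indent
    lines = []
    for key, value in obj.items():
        if isinstance(value, dict):
            lines.append(f"{pad}{key}:")
            lines.extend(to_yaml(value, indent + 1))
        elif isinstance(value, list):
            lines.append(f"{pad}{key}: [" + ", ".join(f'"{v}"' for v in value) + "]")
        elif isinstance(value, bool):
            lines.append(f"{pad}{key}: {str(value).lower()}")
        else:
            lines.append(f"{pad}{key}: {value}")
    return lines


def render_v2(config: dict) -> str:
    """Migrate and serialise, ready to be written back to depswright.yml."""
    return "\n".join(to_yaml(migrate_v1_to_v2(config))) + "\n"


if __name__ == "__main__":
    print(render_v2(V1_CONFIG), end="")
```

The output for the constructed input is the "After (v2)" file from this section followed by the untouched ci block. Because the conversion is a no-op on a file that already has schema_version: 2, it can be run on every repository in a fleet without first sorting them by schema version.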