Vibecosystem dependency-analysis-patterns

Dependency graph visualization, circular dependency detection, CVE scanning, and license compliance

Install

Source: clone the upstream repo
git clone https://github.com/vibeeval/vibecosystem

Claude Code: install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/vibeeval/vibecosystem "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/dependency-analysis-patterns" ~/.claude/skills/vibeeval-vibecosystem-dependency-analysis-patterns && rm -rf "$T"

Manifest: skills/dependency-analysis-patterns/SKILL.md

Source content

Dependency Analysis Patterns

Dependency Graph Visualization

# npm
npx depcruise --output-type dot src/ | dot -T svg > deps.svg

# Python
pipdeptree --graph-output svg > deps.svg

# Go
go mod graph | modgraphviz | dot -T svg > deps.svg

Circular Dependency Detection

# JavaScript/TypeScript
npx madge --circular src/
npx dpdm --circular src/index.ts

# Python
pydeps --cluster --no-show src/

Fix Strategies

Circular type        | Solution
A → B → A            | Invert the dependency via an interface/port
A → B → C → A        | Extract a shared module
Barrel file circular | Use direct imports

CVE Scanning

# npm
npm audit --json | jq '.vulnerabilities | to_entries[] | select(.value.severity == "critical")'

# pip
pip-audit --format json --desc

# Go
govulncheck ./...

# Multi-tool
trivy fs --severity CRITICAL,HIGH .

CVE Prioritization

CVSS     | Severity | Action     | SLA
9.0+     | Critical | Hotfix     | 24h
7.0-8.9  | High     | Sprint fix | 1 week
4.0-6.9  | Medium   | Backlog    | 1 month
<4.0     | Low      | Track      | Opportunistic
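The prioritization table applied to `npm audit --json` output, as an added example (not part of the skill): each advisory's CVSS score is mapped to the severity/action/SLA row above, and the checklist gate fails while anything Critical or High remains. The report shape (`vulnerabilities.<pkg>.via[].cvss.score`) follows npm 7+; the sample report and package names are constructed.

```python
# (CVSS floor, severity, action, SLA in hours) from the prioritization table;
# Low has no fixed SLA (opportunistic), so it carries None.
TIERS = [
    (9.0, "Critical", "Hotfix", 24),
    (7.0, "High", "Sprint fix", 7 * 24),
    (4.0, "Medium", "Backlog", 30 * 24),
    (0.0, "Low", "Track", None),
]
# npm severity labels, used only when an advisory carries no CVSS score
LABEL_FLOOR = {"critical": 9.0, "high": 7.0, "moderate": 4.0, "low": 0.0}


def tier_for(score):
    """Map a CVSS base score to (severity, action, sla_hours) per the table."""
    for floor, severity, action, sla in TIERS:
        if score >= floor:
            return severity, action, sla
    return TIERS[-1][1:]  # negative/invalid scores fall through to Low


def triage(report):
    """Flatten `npm audit --json` (npm 7+ shape) into SLA-tagged findings, worst first."""
    findings = []
    for pkg, entry in report.get("vulnerabilities", {}).items():
        for via in entry.get("via", []):
            if not isinstance(via, dict):
                continue  # a bare string names a vulnerable dependency, not an advisory
            score = (via.get("cvss") or {}).get("score")
            if score is None:  # feed without a score: fall back to npm's label
                score = LABEL_FLOOR.get(via.get("severity", "low"), 0.0)
            severity, action, sla = tier_for(score)
            findings.append({"package": pkg, "advisory": via.get("title", ""), "cvss": score,
                             "severity": severity, "action": action, "sla_hours": sla,
                             "fix_available": bool(entry.get("fixAvailable"))})
    return sorted(findings, key=lambda f: -f["cvss"])


def audit_gate(findings):
    """Checklist gate: pass only when no Critical or High finding remains."""
    return not any(f["severity"] in ("Critical", "High") for f in findings)


# Constructed sample in the npm 7+ audit shape; packages and titles are placeholders.
SAMPLE = {"vulnerabilities": {
    "parser-lib": {"severity": "critical", "fixAvailable": True,
                   "via": [{"title": "constructed advisory A", "severity": "critical", "cvss": {"score": 9.8}}]},
    "range-lib": {"severity": "high", "fixAvailable": False,
                  "via": [{"title": "constructed advisory B", "severity": "high", "cvss": {"score": 7.5}}]},
    "my-cli": {"severity": "high", "fixAvailable": False, "via": ["range-lib"]},
    "old-lib": {"severity": "moderate", "fixAvailable": True,
                "via": [{"title": "constructed advisory C (no score)", "severity": "moderate"}]},
}}

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['severity']:8} {f['cvss']:>4}  {f['package']:10} {f['action']:10} SLA={f['sla_hours'] or 'none'}h")
    print("gate:", "PASS" if audit_gate(triage(SAMPLE)) else "FAIL")
```

In a pipeline, replace SAMPLE with `json.load(sys.stdin)` fed from `npm audit --json` and exit non-zero when `audit_gate` returns False.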

License Compliance

# npm
npx license-checker --production --json --failOn "GPL-3.0;AGPL-3.0"

# Python
pip-licenses --format=json --fail-on="GPL-3.0"

License    | Commercial OK | Copyleft | Risk
MIT        | Yes           | No       | Low
Apache-2.0 | Yes           | No       | Low
BSD-3      | Yes           | No       | Low
MPL-2.0    | Yes           | Partial  | Medium
LGPL       | Caution       | Partial  | Medium
GPL-3.0    | Caution       | Yes      | High
AGPL-3.0   | Caution       | Yes      | Very high

Update Impact Analysis

# npm - outdated
npm outdated --json

# Semver risk
# patch (0.0.x) → safe
# minor (0.x.0) → usually safe
# major (x.0.0) → risk of breaking changes

# Test after update
npm update <pkg> && npm test

Checklist

  • npm audit / pip-audit clean (no critical/high)
  • License audit passes (no GPL)
  • No circular dependencies
  • Lockfile committed and up to date
  • No unused dependencies (depcheck)
  • Renovate/Dependabot active
  • Major versions behind ≤ 1

Anti-Patterns

  • Ignoring audit warnings
  • Not committing the lockfile
  • Not using pinned versions (^, ~)
  • Production dependencies without a license check
  • 6+ months without dependency updates