Depmender vNext: Introducing the New Config Folder (Full Custom Control for Your Project)

Source: Dev.to

We’re excited to introduce a major improvement in Depmender — the brand‑new config folder system.
When you run:

depmender init

Depmender automatically creates a dedicated configuration folder containing depmender.config.js. This file gives you full control over how Depmender scans, fixes, reports, and integrates with your workflow.

What’s Inside depmender.config.js?

The config file is divided into three powerful sections:

Scanning Rules (rules)

Control how strict Depmender should be while scanning dependencies.

• maxOutdatedDays – Define what “too old” means.

maxOutdatedDays: 90   // Default – packages older than 90 days flagged
maxOutdatedDays: 30   // Strict mode
maxOutdatedDays: 180  // Relaxed mode

• allowedVulnerabilities – Ignore specific severity levels.

allowedVulnerabilities: []               // No ignored severities
allowedVulnerabilities: ['low']        // Ignore low severity
allowedVulnerabilities: ['low','moderate']

• excludePackages – Skip specific packages (wildcard support).

excludePackages: [
  '@types/*',
  'eslint-*',
  'react',
  'lodash',
  'webpack-*'
]

• includeDev – Scan devDependencies or not.

includeDev: true   // Default
includeDev: false   // Production‑only scan

Auto‑Fix Settings (autoFix)

Control how Depmender applies fixes.

• enabled – Turn automatic fixes on/off.

enabled: false // Safe (default)
enabled: true  // Fully automatic

• confirmBeforeFix – Ask before applying fixes.

confirmBeforeFix: true
confirmBeforeFix: false

• backupBeforeFix – Create a backup before changes.

backupBeforeFix: true  // Recommended
backupBeforeFix: false

• maxRiskLevel – Set the risk tolerance.

maxRiskLevel: 'low'
maxRiskLevel: 'medium'   // Default
maxRiskLevel: 'high'
maxRiskLevel: 'critical'

Output Customization (output)

Customize how Depmender reports results.

• format – Choose output style.

format: 'minimal'
format: 'detailed'  // Default
format: 'json'      // Ideal for CI/CD

• showSuccessMessages

showSuccessMessages: true
showSuccessMessages: false

• colors – Enable or disable colored output.

colors: true   // Default
colors: false  // Better for CI pipelines

Why This Update Matters

• Define project‑specific scanning rules.
• Control auto‑fix behavior.
• Customize output format.
• Exclude specific packages.
• Set vulnerability tolerance levels.
• Separate production and development scanning.
• Align the tool with your team’s workflow.

Depmender is no longer just a scanning tool — it’s now a fully customizable dependency‑management system.

Final Thoughts

Every project is different. Some teams prefer strict dependency policies, others need flexibility, and many require CI/CD automation. With the new depmender.config.js, you’re in full control, making Depmender:

• More scalable
• More team‑friendly
• More automation‑ready
• Production‑aware
• Enterprise‑capable

GitHub Repo