Metadata-Version: 2.4
Name: ruckup
Version: 0.9.1
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Rust
Classifier: License :: OSI Approved :: MIT License
License-File: LICENSE
Summary: Check and update dependencies across Cargo, npm, and pyproject projects
License: MIT
Requires-Python: >=3.8
Description-Content-Type: text/markdown; charset=UTF-8; variant=GFM
Project-URL: Homepage, https://github.com/ruckc/ruckup
Project-URL: Repository, https://github.com/ruckc/ruckup

# ruckup

> One command to check and update dependencies across **Cargo, Docker, GitHub Actions, npm, and Python** — all at once.

`ruckup` auto-detects your project's manifest files and checks every dependency against its upstream registry. Run it in any repo — even polyglot monorepos — and get a unified view of what's outdated. Then apply updates interactively or all at once.

## Installation

### cargo

```bash
cargo install ruckup
```

### npm / pnpm / yarn / bun

```bash
npm install -g ruckup
# or
pnpm add -g ruckup
# or
yarn global add ruckup
# or
bun add -g ruckup
```

### pip / uv / pipx

```bash
pip install ruckup
# or
uv tool install ruckup
# or
pipx install ruckup
```

### Pre-built binaries

Download the latest binary for your platform from the [GitHub Releases page](https://github.com/ruckc/ruckup/releases), extract it, and place it on your `PATH`.

| Platform | Archive |
|---|---|
| Linux x86\_64 (glibc) | `ruckup-linux-x64.tar.gz` |
| Linux x86\_64 (musl) | `ruckup-linux-x64-musl.tar.gz` |
| Linux arm64 (glibc) | `ruckup-linux-arm64.tar.gz` |
| Linux arm64 (musl) | `ruckup-linux-arm64-musl.tar.gz` |
| macOS arm64 (Apple Silicon) | `ruckup-darwin-arm64.tar.gz` |
| macOS x86\_64 | `ruckup-darwin-x64.tar.gz` |
| Windows x86\_64 | `ruckup-win32-x64.zip` |
| Windows arm64 | `ruckup-win32-arm64.zip` |

### Build from source

```bash
git clone https://github.com/ruckc/ruckup.git
cd ruckup
cargo install --path .
```

## Features

- **Auto-detection** — scans the current directory for all supported manifest files
- **Multi-ecosystem** — one tool for Cargo, Docker, GitHub Actions, npm, and Python
- **Interactive updates** — multi-select prompt lets you pick exactly what to bump
- **Bulk updates** — `--all` flag skips prompts and applies everything
- **Flexible filtering** — scope work to a specific ecosystem or package name
- **Upgrade intelligence reports** — generate text/markdown/html/pdf reports with SCM diff links, changelog links, security resources, and supply-chain deltas where available
- **Lockfile-aware** — respects npm peer dependency constraints
- **Configurable** — per-project `.ruckuprc` plus global config and env var overrides

## Supported Manifests

| Ecosystem | Files |
|---|---|
| **Cargo** | `Cargo.toml` — `[dependencies]`, `[dev-dependencies]`, `[build-dependencies]` |
| **Docker** | `Dockerfile`, `Dockerfile.*`, `docker-compose.yml`, `docker-compose.yaml`, `compose.yml`, `compose.yaml` |
| **GitHub Actions** | `.github/workflows/*.yml` — `uses: owner/repo@ref` |
| **npm / pnpm / yarn** | `package.json` (lockfile-aware) |
| **Python** | `pyproject.toml` (uv, Poetry, PEP 621), `requirements.txt` |

## Usage

```
Usage: ruckup [OPTIONS] [COMMAND]

Commands:
  check   Check for available dependency updates (default)
  update  Interactively select and apply dependency updates
  list    List detected dependency files and their dependencies
  report  Generate upgrade intelligence reports

Options:
  -o, --only <ONLY>      Comma-separated list of ecosystems to check
                         (cargo, docker, github-actions, npm, pyproject, requirements)
  -f, --filter <FILTER>  Filter to specific dependency names
  -h, --help             Print help
  -V, --version          Print version
```

`check` is the default command, so `ruckup` and `ruckup check` are equivalent.

## Examples

```bash
# Check everything in the current directory
ruckup

# Check only Cargo dependencies
ruckup --only cargo

# Check only GitHub Actions workflow pins
ruckup check --only github-actions

# Check npm packages and filter to a specific name
ruckup check --only npm --filter react

# Check multiple ecosystems at once
ruckup check --only cargo,npm --filter serde,clap

# List all detected dependencies without hitting registries
ruckup list

# Interactively choose which updates to apply
ruckup update

# Apply all available updates without prompts
ruckup update --all

# Generate a markdown report for all upgrade candidates
ruckup report

# Generate HTML + PDF reports and open in your browser
ruckup report --format html,pdf --open

# Generate a scoped report for one ecosystem + dependency
ruckup report --only npm --filter react --format text,markdown
```

## Upgrade Intelligence Report Coverage

| Scope | Included in report | Notes |
|---|---|---|
| All upgradable dependencies | Current version, latest version, semver impact (`breaking`, `feature`, `bugfix`) | Generated by `ruckup report` |
| SCM diffs | Compare links when repository metadata can be resolved (best with GitHub-hosted projects) | Falls back to registry/package pages when SCM is unavailable |
| Changelog context | Release/changelog/homepage links where available from package metadata | Depends on upstream metadata quality |
| Security context | Links to ecosystem security resources (for example OSV, deps.dev, Snyk, RustSec, Docker/GitHub security pages) | Link set varies by plugin/ecosystem |
| Supply-chain delta | Added/removed/changed transitive dependencies when version metadata exposes dependency graphs | Strongest support today for npm, crates.io, and PyPI |
| Output formats | `text`, `markdown`, `html`, `pdf` | Use `--format` with one or more values |
| Scope controls | Everything, specific dependency, or specific plugin | Use `--filter` and `--only` |
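
The semver impact and supply-chain delta rows above, sketched as an added example (not ruckup's own code): it diffs two resolved dependency maps and orders the result for review. The package names and versions are constructed, the `downgrade` label is this example's addition, and 0.x versions are assumed to follow plain MAJOR.MINOR.PATCH rules.

```python
import re

# Constructed sample data: resolved transitive dependencies of a hypothetical
# package before and after an upgrade (name -> exact version).
OLD_DEPS = {"left-util": "1.2.0", "tiny-parse": "0.9.3",
            "http-core": "3.1.4", "legacy-shim": "2.0.1"}
NEW_DEPS = {"left-util": "1.2.5", "tiny-parse": "1.0.0",
            "http-core": "3.2.0", "fast-hash": "0.1.0"}

def parse_version(version):
    """Return (major, minor, patch); a leading 'v' and any suffix are ignored."""
    match = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if match is None:
        raise ValueError("not a MAJOR.MINOR.PATCH version: %r" % version)
    return tuple(int(part) for part in match.groups())

def semver_impact(current, latest):
    """Label a version change using the report's impact names."""
    old, new = parse_version(current), parse_version(latest)
    if new < old:
        return "downgrade"  # label added by this example, not a ruckup term
    if new[0] != old[0]:
        return "breaking"
    if new[1] != old[1]:
        return "feature"
    return "bugfix"

def supply_chain_delta(old_deps, new_deps):
    """Split two dependency maps into added, removed and changed entries."""
    shared = old_deps.keys() & new_deps.keys()
    return {
        "added": {n: new_deps[n] for n in new_deps.keys() - old_deps.keys()},
        "removed": {n: old_deps[n] for n in old_deps.keys() - new_deps.keys()},
        "changed": {n: (old_deps[n], new_deps[n],
                        semver_impact(old_deps[n], new_deps[n]))
                    for n in shared if old_deps[n] != new_deps[n]},
    }

def review_queue(delta):
    """Order names for review: new packages first, then by impact severity."""
    rank = {"downgrade": 0, "breaking": 1, "feature": 2, "bugfix": 3}
    changed = sorted(delta["changed"], key=lambda n: (rank[delta["changed"][n][2]], n))
    return sorted(delta["added"]) + changed

if __name__ == "__main__":
    delta = supply_chain_delta(OLD_DEPS, NEW_DEPS)
    for name in review_queue(delta):
        print(name, delta["added"].get(name) or delta["changed"][name])
```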

### Update shortcut

During interactive `ruckup update`, press `r` before selecting packages to generate and open a consolidated HTML report across all detected plugins and their pending upgrades.

## Configuration

Configuration is resolved in this order (later entries win):

1. Built-in defaults
2. `~/.ruckuprc` (global)
3. `./.ruckuprc` (project)
4. `RUCKUP_*` environment variables

Both TOML and JSON formats are supported for `.ruckuprc`.

### Settings

| Setting | Env var | Default | Description |
|---|---|---|---|
| `preserve_range` | `RUCKUP_PRESERVE_RANGE` | `true` | Keep existing version range prefixes when updating |
| `cargo_concurrency` | `RUCKUP_CARGO_CONCURRENCY` | `4` | Concurrent crates.io requests |
| `npm_concurrency` | `RUCKUP_NPM_CONCURRENCY` | `16` | Concurrent npm registry requests |
| `pypi_concurrency` | `RUCKUP_PYPI_CONCURRENCY` | `10` | Concurrent PyPI requests |
| `github_actions_concurrency` | `RUCKUP_GITHUB_ACTIONS_CONCURRENCY` | `8` | Concurrent GitHub API requests |
| `docker_concurrency` | `RUCKUP_DOCKER_CONCURRENCY` | `8` | Concurrent Docker Hub requests |

### Example `.ruckuprc`

```toml
preserve_range = true
cargo_concurrency = 5
npm_concurrency = 16
pypi_concurrency = 10
github_actions_concurrency = 8
docker_concurrency = 8
```

### Environment variable examples

```bash
RUCKUP_PRESERVE_RANGE=false ruckup update --all
RUCKUP_NPM_CONCURRENCY=8 ruckup check --only npm
RUCKUP_DOCKER_CONCURRENCY=4 ruckup check --only docker
```

## Notes

- Docker support targets Docker Hub images with semver-like tags; unsupported registries and floating tags are listed but not upgraded.
- npm output includes peer dependency conflict reporting so you can see what is blocking an upgrade.
- GitHub Actions updates rewrite pinned `uses: owner/repo@ref` references; floating refs like `stable` are left alone.
- Python detection only activates for `pyproject.toml` files that declare Python dependencies.
- `requirements.txt` packaging directives (editable installs, direct URLs, pip flags) are intentionally ignored.
- Supply-chain deltas are generated where upstream metadata is available (currently strongest for npm, crates.io, and PyPI packages).
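
An added example, not part of ruckup, for auditing the `uses: owner/repo@ref` pins described above before running an update: it classifies each ref as a commit SHA, a version tag, or floating. The classification rule and the workflow snippet are assumptions of this example; the page does not say how ruckup itself tells pinned refs from floating ones.

```python
import re

# Constructed workflow snippet; action names and refs are sample values.
WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: example-org/checkout@v4
      - uses: example-org/setup-node@v4.0.2
      - uses: example-org/toolchain@stable
      - uses: example-org/deploy@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.19
"""

USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^\s'"#]+)""")
SHA_RE = re.compile(r"[0-9a-f]{40}")           # full commit SHA: immutable
VERSION_RE = re.compile(r"v?\d+(\.\d+){0,2}")  # v4, v4.0, 4.0.2: tag, can be moved

def classify_ref(ref):
    """Assumed rule: 40-hex SHA, version-like tag, otherwise floating."""
    if SHA_RE.fullmatch(ref):
        return "commit-sha"
    if VERSION_RE.fullmatch(ref):
        return "version-tag"
    return "floating"

def scan_workflow(text):
    """Return (line_no, action, ref, kind) for every `uses:` line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match is None:
            continue
        target = match.group(1)
        # Local actions and docker:// images are not owner/repo@ref references.
        if target.startswith(("./", "docker://")) or "@" not in target:
            findings.append((line_no, target, None, "not-a-repo-ref"))
            continue
        action, ref = target.rsplit("@", 1)
        findings.append((line_no, action, ref, classify_ref(ref)))
    return findings

def floating_refs(text):
    """Refs an updater would leave alone and that should be reviewed by hand."""
    return [(n, a, r) for n, a, r, kind in scan_workflow(text) if kind == "floating"]
```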

## License

MIT — see [LICENSE](LICENSE).

