# pkgrank

Ranks nodes in a dependency graph by structural importance (PageRank, betweenness, degree).

Two axes of analysis:

- File-level (`files`): which source files are structural hotspots, forming cycles, or high churn risk? Polyglot (Rust, Python, JS/TS, Go), works on any local path or GitHub URL.
- Package-level (`analyze`): which packages in a dependency tree are most central, most depended-on, most risky to change? Supports Cargo, npm, Python, and Go.
## Install

## Quick start

```sh
# File-level: structural hotspots in any project (no toolchain needed)
# File-level with git churn risk overlay
# Focus on a specific file
# Directory-level aggregation for large codebases
# CI gate: fail on architectural violations
# What files are affected by a change?
# Package-level: rank dependencies by importance (auto-detects ecosystem)
# Blast radius: what breaks if serde changes?
# Upgrade priority: which outdated deps matter most? (Cargo only)
```
## File-level analysis (`pkgrank files`)

Analyze the import graph within a project. Static parsing (no toolchain required). Works across Rust, Python, JS/TS, and Go.

```sh
# Any local project (ecosystem auto-detected)
# Any GitHub repo via URL or shorthand
# Git churn risk: combine structural centrality with change frequency
# Focus on one file: see imports, dependents, co-changers, blast radius
# Directory aggregation for large codebases
# Include test files (excluded by default)
# Cache results for repeated queries
# CI: fail if cycles or layer violations exist
# Affected files: what breaks if these files change?
```
Output includes:

- Structural role: foundation (high in, low out), hub (high both), consumer (low in, high out), leaf
- Instability: `I = out/(in+out)`, 0 = stable provider, 1 = unstable consumer
- Blast radius: transitive dependents (how many files break if this one changes)
- Cycle detection: Tarjan's SCC; files in cycles are marked with `*`
- Orphan detection: files with no imports and no dependents
- Churn risk (`--git`): structural centrality * change frequency. Files marked `!!` are in the danger zone (central + volatile)
- Bus factor (`--git`): unique contributors per file
- Co-change coupling (`--git`): files that change together in commits
- Layer violations: detects when stable files import from unstable files (Clean Architecture dependency rule)
- External deps: which third-party packages each file imports
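To make the file-level metrics concrete, here is an added example (not pkgrank's own code) that computes the structural role, instability, blast radius, Tarjan SCC cycle membership, orphans and layer violations over a small constructed import graph. The file names, the degree threshold used to call a degree "high", and the "stable importing less-stable" test for a layer violation are assumptions chosen for illustration.

```python
# Added example (not pkgrank's own code): file-level structural metrics on a
# constructed import graph.  An edge A -> B means "file A imports file B".
from collections import defaultdict, deque

# Constructed sample import graph: file -> set of files it imports.
IMPORTS = {
    "main.py":            {"app/service.py", "app/api.py"},
    "app/api.py":         {"app/service.py", "core/models.py"},
    "app/service.py":     {"core/models.py", "core/util.py", "app/api.py"},  # cycle with api.py
    "core/models.py":     {"core/util.py"},
    "core/util.py":       set(),
    "scripts/old_tool.py": set(),   # orphan: imports nothing, nothing imports it
}

def build_graph(imports):
    """Return (nodes, out_edges, in_edges); in_edges[f] = files that import f."""
    nodes = set(imports)
    for deps in imports.values():
        nodes |= deps
    out_edges = {n: set(imports.get(n, ())) for n in nodes}
    in_edges = defaultdict(set)
    for src, deps in out_edges.items():
        for dst in deps:
            in_edges[dst].add(src)
    return nodes, out_edges, in_edges

def instability(node, out_edges, in_edges):
    """I = out/(in+out): 0 = stable provider, 1 = unstable consumer (isolated file -> 0)."""
    out_deg, in_deg = len(out_edges[node]), len(in_edges[node])
    return 0.0 if in_deg + out_deg == 0 else out_deg / (in_deg + out_deg)

def structural_role(node, out_edges, in_edges, high=2):
    """foundation (high in, low out), hub (high both), consumer (low in, high out), leaf.
    `high` is an assumed threshold, not pkgrank's."""
    hi_in, hi_out = len(in_edges[node]) >= high, len(out_edges[node]) >= high
    if hi_in and hi_out:
        return "hub"
    if hi_in:
        return "foundation"
    if hi_out:
        return "consumer"
    return "leaf"

def blast_radius(node, in_edges):
    """Transitive dependents: every file that directly or indirectly imports `node`."""
    seen, queue = set(), deque([node])
    while queue:
        cur = queue.popleft()
        for dep in in_edges[cur]:
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen

def tarjan_scc(nodes, out_edges):
    """Tarjan's strongly connected components; returns a list of sets."""
    index, low, on_stack, stack, sccs, counter = {}, {}, set(), [], [], [0]
    def strongconnect(v):
        index[v] = low[v] = counter[0]
        counter[0] += 1
        stack.append(v)
        on_stack.add(v)
        for w in out_edges[v]:
            if w not in index:
                strongconnect(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:          # v is the root of an SCC: pop it off
            comp = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            sccs.append(comp)
    for v in sorted(nodes):
        if v not in index:
            strongconnect(v)
    return sccs

def files_in_cycles(nodes, out_edges):
    """Files pkgrank would mark with '*': members of a non-trivial SCC (or self-importers)."""
    return {f for comp in tarjan_scc(nodes, out_edges)
            if len(comp) > 1 or any(g in out_edges[g] for g in comp)
            for f in comp}

def orphans(nodes, out_edges, in_edges):
    return {n for n in nodes if not out_edges[n] and not in_edges[n]}

def layer_violations(nodes, out_edges, in_edges):
    """Clean Architecture rule: a more stable file must not import a less stable one."""
    return [(src, dst) for src in sorted(nodes) for dst in sorted(out_edges[src])
            if instability(src, out_edges, in_edges) < instability(dst, out_edges, in_edges)]

if __name__ == "__main__":
    nodes, out_e, in_e = build_graph(IMPORTS)
    for f in sorted(nodes):
        print(f"{f:22} role={structural_role(f, out_e, in_e):10} I={instability(f, out_e, in_e):.2f} "
              f"blast={len(blast_radius(f, in_e))} {'*' if f in files_in_cycles(nodes, out_e) else ''}")
    print("orphans:", orphans(nodes, out_e, in_e))
    print("layer violations:", layer_violations(nodes, out_e, in_e))
```

On this sample, `core/util.py` is a foundation (I = 0) whose blast radius covers four files, `app/api.py` and `app/service.py` form the only cycle, and the one layer violation is `app/api.py` (I = 0.5) importing the less stable `app/service.py` (I = 0.6).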
Cross-project queries via SQLite (auto-enabled):
For JS/TS projects, pkgrank resolves `tsconfig.json` path aliases (`@/`, etc.) and npm workspace packages (`@scope/pkg`). It also detects cross-language seams (PyO3, NAPI) between Rust and Python/JS.
## Package-level analysis (`pkgrank analyze`)

Rank packages in a dependency graph by centrality. Auto-detects ecosystem from directory contents.

```sh
# Auto-detect: finds Cargo.toml, package-lock.json, uv.lock, or go.mod
# Explicit ecosystem override
# Choose metric
# JSON output
```
Graph model: nodes are packages, directed edges are $A \to B$ iff package A depends on package B.
Interpretation:
- PageRank on the depends-on graph surfaces shared dependencies / substrate packages.
- Consumer PageRank (reversed graph) surfaces top-level orchestrators / consumers.
### Blast radius

Show everything that transitively depends on a package:

Output is sorted by BFS depth (closest dependents first), then by PageRank within each depth level.

### Upgrade priority (Cargo only)

Combine `cargo outdated` with centrality ranking to prioritize which upgrades matter most:

Requires `cargo-outdated`. Scores each outdated dep by `10*ln(dependents+1) + 1000*pagerank + urgency_bonus`.
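The package graph model, the two PageRank views, the depth-then-PageRank ordering of the blast radius, and the upgrade-priority formula, worked through in one added example (not pkgrank's or graphops' code). The package names, the damping factor and the `URGENCY_BONUS` table are assumptions; the page names an `urgency_bonus` term without defining it, and "dependents" is taken here to mean transitive dependents.

```python
# Added example (not pkgrank's own code): package-level graph model with
# PageRank on the depends-on graph and on its reverse, blast radius ordered by
# BFS depth then PageRank, and the upgrade-priority score from the README.
import math
from collections import deque

# Constructed sample: A -> B means package A depends on package B.
DEPENDS_ON = {
    "myapp": {"web", "serde", "tokio"},
    "web":   {"serde", "tokio", "http"},
    "http":  {"bytes"},
    "tokio": {"bytes"},
    "serde": set(),
    "bytes": set(),
}

def reverse(graph):
    """Reversed graph (B -> A iff A depends on B): the 'depended-on-by' view."""
    rev = {n: set() for n in graph}
    for a, deps in graph.items():
        for b in deps:
            rev.setdefault(b, set()).add(a)
    return rev

def pagerank(graph, damping=0.85, iters=200, tol=1e-12):
    """Power-iteration PageRank; the mass of dangling nodes is spread uniformly."""
    nodes = sorted(graph)
    n = len(nodes)
    rank = {v: 1.0 / n for v in nodes}
    for _ in range(iters):
        dangling = sum(rank[v] for v in nodes if not graph[v])
        base = (1 - damping) / n + damping * dangling / n
        new = {v: base for v in nodes}
        for v in nodes:
            share = damping * rank[v] / len(graph[v]) if graph[v] else 0.0
            for w in graph[v]:
                new[w] += share
        delta = sum(abs(new[v] - rank[v]) for v in nodes)
        rank = new
        if delta < tol:
            break
    return rank

def blast_radius(graph, target, ranks):
    """Transitive dependents of `target` as (package, depth), sorted by BFS depth
    (closest first) and then by PageRank, highest first, within each depth."""
    dependents = reverse(graph)
    depth = {target: 0}
    queue = deque([target])
    while queue:
        cur = queue.popleft()
        for d in dependents[cur]:
            if d not in depth:
                depth[d] = depth[cur] + 1
                queue.append(d)
    hits = [(p, lvl) for p, lvl in depth.items() if p != target]
    return sorted(hits, key=lambda pl: (pl[1], -ranks[pl[0]], pl[0]))

# Assumed bonus table: the README names an urgency_bonus term but does not define it.
URGENCY_BONUS = {"major": 30.0, "minor": 10.0, "patch": 0.0}

def upgrade_score(graph, pkg, bump, ranks):
    """10*ln(dependents+1) + 1000*pagerank + urgency_bonus; `dependents` is the
    transitive dependent count here (an assumption), `bump` the outdated-ness class."""
    dependents = len(blast_radius(graph, pkg, ranks))
    return 10 * math.log(dependents + 1) + 1000 * ranks[pkg] + URGENCY_BONUS[bump]

if __name__ == "__main__":
    pr = pagerank(DEPENDS_ON)                   # substrate packages rise to the top
    consumer_pr = pagerank(reverse(DEPENDS_ON))  # orchestrators rise to the top
    print("pagerank:", sorted(pr.items(), key=lambda kv: -kv[1]))
    print("consumer pagerank:", sorted(consumer_pr.items(), key=lambda kv: -kv[1]))
    print("blast radius of bytes:", blast_radius(DEPENDS_ON, "bytes", pr))
    for pkg, bump in [("bytes", "major"), ("http", "patch")]:
        print(f"upgrade score {pkg} ({bump}): {upgrade_score(DEPENDS_ON, pkg, bump, pr):.2f}")
```

On this sample the depends-on PageRank puts `bytes` first and `myapp` last, while the reversed graph inverts the picture with `myapp` on top; `serde` and `tokio` rank identically because they have the same in-links. The blast radius of `bytes` lists `tokio` and `http` (depth 1) before `web` and `myapp` (depth 2), each depth level ordered by PageRank.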
## TLC score

The `triage` and `view` commands produce a TLC (Top-Level Cost) score for each crate and repo:

- Blast radius: `10 * ln(transitive_dependents + 1)`
- Centrality: `1000 * pagerank`
- Boundary complexity: number of third-party dependencies

Higher TLC = more structurally important and/or more exposed. It is a triage signal, not a quality metric.
## Cargo workspace tools

These subcommands use `cargo metadata` and are specific to Rust/Cargo workspaces.

| Command | What it does |
|---|---|
| `sweep-local` | Run pkgrank across a local multi-repo workspace, write per-repo artifacts |
| `view` | One-shot HTML + JSON snapshot (local sweep + optional crates.io crawl) |
| `triage` | Artifact-backed triage bundle (same payload as MCP `pkgrank_triage`) |
| `cratesio` | Build a crates.io dependency graph and rank it |
## Module-level analysis (Rust only)

`pkgrank modules` shells out to `cargo-modules` and ranks items by coupling. This is intra-package analysis: which modules, types, or traits inside a single crate are the coupling hotspots?

CLI defaults include types + traits (functions hidden). MCP defaults are more conservative; use a preset such as `file-api` or `file-full` for the CLI-like view.
## JSON output shape (stable wrapper)

For commands that support `--format json`, the JSON is wrapped for forwards-compatible parsing:

## Auto-JSON when piped

When stdout is not a TTY, output defaults to JSON. This makes pkgrank composable with `jq` without requiring `--format json`.

## MCP stdio server

`pkgrank mcp-stdio` runs an MCP server over stdio for integration with Cursor and other editors.
Toolset selection:

- Default: `slim` (small tool surface)
- `PKGRANK_MCP_TOOLSET=full`: advanced tools (module/type graph, polyglot, files)
- `PKGRANK_MCP_TOOLSET=debug`: internal artifact-inspection tools

## Configurable invariant rules

Cross-axis dependency rules are loaded from `dev_repos_overview.json` (under `--root`, at `evals/arch/dev_repos_overview.json`). Add a `forbidden_edges` array:
## Tests

- Default test suite is offline/deterministic, uses local targets.
- URL-backed tests (crates.io crawl) require `PKGRANK_E2E_NETWORK=1`.
## Non-goals

- Security / advisory analysis: use `cargo audit` or `cargo deny`.
- Graph visualization: output is ranked tables and JSON. Use `cargo-depgraph` or Graphviz.
- Circular dependency breaking: cycles are detected but no suggestions for breaking them.
- License compliance: no license analysis.
- Build / test / deploy: pkgrank analyzes structure, not execution.
## Dependencies

- Centrality algorithms are delegated to `graphops` (PageRank / PPR / betweenness / reachability).