A bash script that scans all repositories in a GitHub organization or personal account to find which repos use a specific package below a given version.
Managing dependencies across dozens (or hundreds) of repositories is challenging:
- Upgrade planning: Before a major version bump, know exactly which repos need updating
- Security audits: Quickly find repos using a vulnerable package version
- Dependency tracking: Get a unified view of package versions across all your projects
GitHub's built-in tools (Dependency Graph, Dependabot) work per-repository, but don't provide a simple way to query "which repos use package X below version Y" across your entire organization.
This script fills that gap.
- Scans all repositories in a GitHub organization or personal account
- Supports Composer (PHP) and Node (JavaScript) dependencies
- Interactive mode or CLI flags for automation
- Rate limiting to avoid GitHub API limits
- Colored output with progress indicator
- Shows repo visibility (public/private)
- Handles missing dependency files gracefully
- GitHub CLI (gh) - must be installed and authenticated
- jq - JSON parser
# macOS
brew install gh jq
# Authenticate GitHub CLI
gh auth loginSimply run the script without arguments:
./gh-dep-scanner.shYou'll be prompted for:
- GitHub URL (org or personal)
- Dependency type (composer/node)
- Package name
- Minimum version to check against
- Branch (optional)
./gh-dep-scanner.sh [OPTIONS]
Options:
--url <url> GitHub URL (org or personal repos page)
--type <type> Dependency type: "composer" or "node"
--package <name> Package name to search for
--below <version> Find packages below this major version
--branch <name> Optional: specific branch to check (default: repo's default)
--delay <seconds> Optional: delay between API requests (default: 1)
--help Show help message./gh-dep-scanner.sh \
--url "https://github.com/orgs/YOUR_ORG/repositories" \
--type composer \
--package livewire/livewire \
--below 4./gh-dep-scanner.sh \
--url "https://github.com/USERNAME" \
--type node \
--package react \
--below 18./gh-dep-scanner.sh \
--url "https://github.com/orgs/MyOrg/repositories" \
--type composer \
--package laravel/framework \
--below 10 \
--branch develop./gh-dep-scanner.sh \
--url "https://github.com/orgs/LargeOrg/repositories" \
--type composer \
--package symfony/console \
--below 6 \
--delay 2Scanning YOUR_ORG repositories for livewire/livewire < 4...
Branch: default
REPO URL NAME VERSION VISIBILITY
-------- ---- ------- ----------
https://github.com/YOUR_ORG/project-alpha project-alpha ^3.2 private
https://github.com/YOUR_ORG/client-portal client-portal N/A private
https://github.com/YOUR_ORG/marketing-site marketing-site ~3.1.0 public
================================================================================
Summary:
- Total repos scanned: 25
- Repos with livewire/livewire below v4: 2
- Repos without composer.json: 5
- Repos without livewire/livewire in dependencies: 10
| Color | Meaning |
|---|---|
| Red | Package found below target version |
| Yellow | No dependency file (composer.json/package.json) |
| Cyan | Dependency file exists but package not found |
| Green | All repos at target version or higher |
All of these formats are accepted:
https://github.com/orgs/YOUR_ORG/repositories
https://github.com/orgs/YOUR_ORG
https://github.com/USERNAME?tab=repositories
https://github.com/USERNAME
The script extracts the major version from common constraint formats:
| Constraint | Extracted Major | Below v4? |
|---|---|---|
^3.2 |
3 | Yes |
~3.1.0 |
3 | Yes |
>=3.0 |
3 | Yes |
3.* |
3 | Yes |
^4.0 |
4 | No |
4.1.2 |
4 | No |
* |
0 | Yes (conservative) |
dev-main |
0 | Yes (conservative) |
- Only scans the root dependency file (not monorepo subdirectories)
- Compares major versions only (not minor/patch)
- Maximum ~1000 repos per scan (GitHub API limit)
- Reads
composer.json/package.json, not lock files
MIT License - feel free to use, modify, and distribute.
Contributions are welcome! Feel free to open issues or submit pull requests.