Replies: 3 comments
I think there are many important things we could show and/or highlight. It is debatable whether last release date is a valuable metric. One of the things I was thinking is to print the package owner's name (or the author's name).
Definitely. I can't imagine that a lot of people care tbh.
The issue is that nothing guarantees that that username is correct. I can publish a package and set any repository URL. There is no guarantee that the package is published from that repository. A better solution would be to show the npm user name. In the package metadata each version has a _npmUser field.
Describe the user story
As a developer and OSS contributor, I work with legacy codebases a lot, where it would be helpful to learn about unmaintained / deprecated / archived dependencies in package.json in a simple way to clean them up.

I could imagine that the pnpm install, pnpm outdated, and pnpm update commands could mark dependencies which haven't had a new release for, e.g., 2 years.

The developer can then easily recognize which dependencies should be removed or replaced to avoid CVEs or incompatible code.
Describe the solution you'd like
The functionality could be hidden behind a flag like --markDeprecated
Describe the drawbacks of your solution
It could falsely mark dependencies as deprecated where maintainers are working a long time on new releases in, e.g., a next or develop branch.
Describe alternatives you've considered
Going through each dependency and checking for the last release date on npm.
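The two ideas in this thread, flagging packages with no release in 2 years and showing the npm user who published each version, can be checked against registry metadata as in this added example (not pnpm's code and not part of the original discussion). The packument below is constructed sample data, and `auditPackument` and its output fields are hypothetical names; only `_npmUser`, `time` and the per-version `deprecated` field come from the registry format.

```javascript
// Constructed sample shaped like an npm registry packument (not real data).
const samplePackument = {
  name: "example-legacy-lib",
  time: {
    "1.0.0": "2019-03-01T10:00:00.000Z",
    "1.0.1": "2019-06-15T10:00:00.000Z",
    "1.1.0": "2021-01-20T10:00:00.000Z",
  },
  versions: {
    "1.0.0": { version: "1.0.0", _npmUser: { name: "alice" }, deprecated: "use 1.0.1" },
    "1.0.1": { version: "1.0.1", _npmUser: { name: "alice" } },
    "1.1.0": { version: "1.1.0", _npmUser: { name: "bob" } },
  },
};
const YEAR_MS = 365 * 24 * 60 * 60 * 1000;

// Report the last release date, who published it, and every point where the
// publishing account changed between consecutive releases.
// staleYears mirrors the "2 years" threshold suggested in the discussion.
function auditPackument(doc, now = new Date(), staleYears = 2) {
  const releases = Object.keys(doc.versions || {})
    .filter((v) => doc.time && doc.time[v]) // skips "created"/"modified" keys
    .map((v) => ({
      version: v,
      published: new Date(doc.time[v]),
      publisher: doc.versions[v]._npmUser?.name ?? null, // may be absent
      deprecated: Boolean(doc.versions[v].deprecated),
    }))
    .sort((a, b) => a.published - b.published);
  if (releases.length === 0) return { name: doc.name, stale: null, publisherChanges: [] };
  const publisherChanges = [];
  for (let i = 1; i < releases.length; i++) {
    const prev = releases[i - 1], cur = releases[i];
    if (prev.publisher && cur.publisher && prev.publisher !== cur.publisher) {
      publisherChanges.push({ version: cur.version, from: prev.publisher, to: cur.publisher });
    }
  }
  const latest = releases[releases.length - 1];
  return {
    name: doc.name,
    lastRelease: latest.published.toISOString(),
    lastPublisher: latest.publisher,
    stale: now - latest.published > staleYears * YEAR_MS,
    publisherChanges,
    deprecatedVersions: releases.filter((r) => r.deprecated).map((r) => r.version),
  };
}
console.log(auditPackument(samplePackument, new Date("2024-01-01T00:00:00Z")));
```

A publisher change is not proof of compromise, and a long gap is not proof of abandonment; both are prompts to review the dependency by hand.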