
Rule: Dependency downgrade detection (dependency-downgrade) #12

@ddjain

Description


Rule: Dependency Downgrade Detection

Overview

Flags when a dependency is downgraded (its version goes from higher to lower), which may indicate that security fixes are being reverted or that the newer version introduced breaking changes.

Label Metadata

  • Label Name: dependency-downgrade
  • Color: d73a4a (Red)
  • Description: Dependency version downgraded

Detection Logic

Parse version changes in dependency files:

  1. Extract old version (line with -)
  2. Extract new version (line with +)
  3. Compare versions using semantic versioning
  4. If new < old → downgrade detected

Version Comparison

  • Semantic versioning: major.minor.patch
  • Handle pre-release versions: 1.2.3-alpha
  • Handle version ranges: ^1.2.3 → extract base version
  • Handle git/svn dependencies: ignore (cannot compare)

Example Code That Triggers

- "express": "^4.18.0",
+ "express": "^4.17.0",
- "lodash": "4.17.21",
+ "lodash": "4.17.20",

Example Code That Does NOT Trigger

- "express": "^4.17.0",
+ "express": "^4.18.0",

Test Cases Needed

  • Detects major version downgrade
  • Detects minor version downgrade
  • Detects patch version downgrade
  • Handles version ranges (^, ~, >=)
  • Ignores upgrades
  • Handles pre-release versions
  • Ignores git/svn dependencies

Edge Cases

  • Version with build metadata (1.2.3+build)
  • Range changes (^1.2.0 to ^1.1.0 vs ^1.2.0 to 1.2.0)
  • Dependency removed entirely (not a downgrade)
  • Pinning floating version (not downgrade)
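An added reference implementation of the detection logic above, written for this issue and not code from the repository: it parses `-`/`+` lines of a package.json-style diff, strips range operators (`^`, `~`, `>=`) to get the base version, orders pre-release versions per semver, ignores build metadata, and treats git/svn and floating specs as uncomparable. Removed dependencies and pinning a floating version are not reported. The function names (`parse_version`, `find_downgrades`) and the sample diff lines are constructed for this example.

```python
import re
from typing import List, Optional, Tuple

# Semver core with optional pre-release and build metadata (leading "v" tolerated).
_SEMVER_RE = re.compile(
    r"^v?(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?:-(?P<pre>[0-9A-Za-z.-]+))?"
    r"(?:\+(?P<build>[0-9A-Za-z.-]+))?$"
)

# Specs that point at a VCS or URL cannot be ordered, so they are ignored.
_UNCOMPARABLE_PREFIXES = (
    "git+", "git://", "github:", "svn+", "svn://", "http://", "https://", "file:",
)

# Matches one diff line of the form:  - "express": "^4.18.0",
_DEP_LINE_RE = re.compile(r'^([+-])\s*"([^"]+)"\s*:\s*"([^"]*)"\s*,?\s*$')


def parse_version(spec: str) -> Optional[tuple]:
    """Return a comparable tuple for a version spec, or None if it cannot be compared."""
    spec = spec.strip()
    if not spec or spec.startswith(_UNCOMPARABLE_PREFIXES) or "/" in spec:
        return None  # git/svn/URL dependency (or "user/repo" shorthand)
    # Strip a single leading range operator to obtain the base version.
    base = re.match(r"^(?:\^|~|>=|<=|>|<|=)?\s*(.+)$", spec).group(1)
    if base in ("*", "latest") or base.endswith(".x"):
        return None  # floating version: nothing concrete to compare
    m = _SEMVER_RE.match(base)
    if not m:
        return None  # compound ranges ("1.0.0 - 2.0.0") etc. are left uncomparable
    core = (int(m["major"]), int(m["minor"]), int(m["patch"]))
    pre = m["pre"]
    # Build metadata ("+build") has no ordering significance in semver and is dropped.
    if pre is None:
        pre_key: tuple = (1,)  # a release sorts after every pre-release of the same core
    else:
        parts = []
        for ident in pre.split("."):
            # Numeric identifiers sort before alphanumeric ones, and numerically among themselves.
            parts.append((0, int(ident), "") if ident.isdigit() else (1, 0, ident))
        pre_key = (0, tuple(parts))
    return core + (pre_key,)


def find_downgrades(diff_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (name, old_spec, new_spec) for every dependency whose version went down."""
    old, new = {}, {}
    for line in diff_lines:
        if line.startswith(("---", "+++")):
            continue  # unified-diff file headers, not dependency lines
        m = _DEP_LINE_RE.match(line)
        if not m:
            continue
        sign, name, spec = m.groups()
        (old if sign == "-" else new)[name] = spec
    downgrades = []
    for name, old_spec in old.items():
        if name not in new:
            continue  # dependency removed entirely: not a downgrade
        new_spec = new[name]
        ov, nv = parse_version(old_spec), parse_version(new_spec)
        if ov is None or nv is None:
            continue  # cannot compare (VCS/URL/floating on either side)
        if nv < ov:
            downgrades.append((name, old_spec, new_spec))
    return downgrades


# Constructed sample diff mirroring the "triggers" example from this issue.
SAMPLE_DIFF = [
    '- "express": "^4.18.0",',
    '+ "express": "^4.17.0",',
    '- "lodash": "4.17.21",',
    '+ "lodash": "4.17.20",',
]

if __name__ == "__main__":
    for name, old_spec, new_spec in find_downgrades(SAMPLE_DIFF):
        print(f"dependency-downgrade: {name} {old_spec} -> {new_spec}")
```

The matcher only understands one `"name": "spec"` pair per line, which covers package.json; lockfiles or other ecosystems need their own line parser feeding the same `find_downgrades` comparison.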

Integration Notes

  • Requires dependency file parsing (depends on dependency-change rule)
  • Consider checking changelog/commit message for context
  • May want to combine with new-dependency for comprehensive tracking

Priority

Medium - Important for security/compatibility awareness


Status: Not implemented
Category: Code & Dependencies
