July 13, 2026 · Kryptorious Tools
Your code imports a package. Your requirements.txt never declared it. On your machine it works — because the package is already in the environment from something else. Then a teammate runs a clean pip install -r requirements.txt and the build dies on ModuleNotFoundError. Nobody changed anything. The bug was there the whole time; the dirty environment just hid it.
That is dependency drift: the gap between what your project declares and what it actually uses. It is silent because a contaminated local environment passes every check until a clean install exposes it.
The cross-ecosystem auditor kryptorious-depguard (verified live on PyPI, HTTP 200 — v1.1.1, MIT, requires Python >=3.10, Beta) catches four classes your linter can't see:
import requests with no requests in requirements.txt. Breaks in a clean install.requirements.txt / package.json but never imported. Bloats installs and attack surface.numpy (any) or ^1.2.3 (floating). Non-reproducible builds; the same input yields different outputs depending on the clock.package.json disagrees with package-lock.json / yarn.lock.It is offline and emits SARIF for GitHub code-scanning in one pass. Audit the current directory (both Python and Node):
pip install kryptorious-depguard
depguard check .
The CI gate is controlled by --fail-on {high,medium,low,never}. Default is high: it exits 1 when any high-severity finding exists (undeclared imports). Python-only, with a stricter failure bar:
depguard check . --python --no-node --fail-on high
The package's documented inline Action installs the tool, runs the audit as SARIF, and uploads the result to code-scanning:
- name: Dependency audit
run: |
pip install kryptorious-depguard
depguard check . --format sarif --output depguard.sarif --fail-on high
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: depguard.sarif
A green run means: no undeclared imports, no lockfile drift, no floating specifiers that would have broken the next clean install. The audit runs offline, so it fails closed on network trouble rather than skipping silently.
← Back to Kryptorious Tools Blog
Keep reading: