# Depo
## A universal dependency manager for Spigot/Paper plugins
---
## What is Depo?
Depo automatically detects missing plugin dependencies on your server and fetches them from trusted sources so you don't have to. On startup it scans your /plugins folder, reads plugin.yml depend/softdepend, and (optionally) downloads missing dependencies into /plugins/.
## Key points
- Scans installed plugins and collects `depend:` and `softdepend:`
- Resolves and downloads dependencies from **Modrinth** (preferred) and **Spiget** (fallback)
- Respects platform (Paper/Purpur/Spigot) and MC version when querying Modrinth
- Configurable behavior: auto-download toggle, repository priority, manual URL overrides, aliases, version constraints, categories, download progress, soft dependency policy, HTTP timeouts, colored logs, i18n via messages.yml
- Manual install commands: direct URL and GitHub latest release (shortcuts: `/depo s`, `/depo dl`)
- Async scanning/downloading — does not block server startup
- Persistent install log at `plugins/Depo/installed.log`
- Optional SHA-256 checksum validation (per plugin)
- Version constraint enforcement & dependency tree visualization (`/depo tree`)
- Conflict detection and interactive resolution (`/depo resolve
`)
- Optional dependencies (softdepends) listed separately; install selectively via `/depo soft` (no auto-download by default)
- Numbered soft dependency list with multi-select installation (indices or names)
- Download progress feedback (throttled) for larger files
- Update checker (notify-only)
- Metrics via bStats (configurable)
- Security toggle to block non-HTTPS downloads
- No hot-loading — restart required after installs
---
## Supported
- Engines: Purpur, Paper, Spigot (Bukkit-compatible)
- Java: 17+
- MC: 1.20.x and newer (where API-compatible)
---
## Installation
1. Place `Depo.jar` into your server's `/plugins` folder.
2. Start the server once to generate `plugins/Depo/config.yml`.
3. (Optional) Adjust config: repository priority, overrides, aliases, checksums, colored logs, security.
4. Restart if Depo installs anything (it never hot-loads).
---
## How it works
- Depo scans all JARs in `/plugins`, reads `plugin.yml`, and builds a required dependency set.
- It compares against installed plugin names plus any `provides:` entries and configured `aliases`.
- Missing dependencies are resolved using Modrinth (filtered by loader + MC version) then Spiget.
- Downloaded JARs are validated to contain a matching plugin.yml (`name` or `provides`); optional checksum can be enforced.
---
## Commands
- `/depo status` — Summary including categories, conflicts, queue, and separated soft dependencies.
- `/depo reload` — Reloads Depo config.
- `/depo download direct ` — Download a JAR from a direct link (validated, no hot-load).
- `/depo download github [assetFilter]` — Download the first matching .jar from GitHub's latest release (optionally filtered by asset name).
- `/depo tree` — Show per-plugin declared dependencies with constraint annotations.
- `/depo resolve >` — Manage version conflicts.
- `/depo soft list` — List optional (soft) dependencies with numbering.
- `/depo soft install ` — Install one, many, or all optional dependencies.
## Shortcuts
- `/depo s` — status
- `/depo dl` — download
## Permissions
- `depo.use` — Use base commands (default: op)
- `depo.notify` — Receive install notifications (default: op)
- `depo.download` — Parent for download subcommands (default: op)
- `depo.download.direct` — Use /depo download direct (default: op)
- `depo.download.github` — Use /depo download github (default: op)
---
## Configuration
config.yml
```yaml
# If false, Depo only logs missing dependencies and will not download them.
auto-download: true
# If true, soft dependencies (softdepend) are also auto-downloaded.
# Default false: only hard 'depend' entries auto-download; soft ones are reported.
auto-download-soft: false
# Optional automatic update of already-installed dependencies (reserved for future use).
auto-update: false
# Repository priority. Valid values: [modrinth, spiget]
repository-priority:
- modrinth
- spiget
# Manual overrides for specific dependency names -> direct JAR URL
overrides: {}
# Aliases: treat a dependency name as provided by another installed plugin name
aliases: {}
# Optional checksums: map plugin name to lowercase hex SHA-256 to validate downloads
checksums: {}
# Semantic version constraints: name -> constraint expression
version-constraints: {}
# Optional plugin categories (for status grouping)
categories: {}
# Show download progress (approximate) in console for large files
download-progress: true
# HTTP timeouts (ms)
http:
connect-timeout: 10000
read-timeout: 30000
# Colored console output
colored-logs: true
metrics:
enabled: true
service-id: 0
update-checker:
enabled: true
security:
block-insecure-downloads: true
config-version: 4
```
---
## Examples
- Auto-resolve: Start server; Depo will report and download missing dependencies (if `auto-download` is true).
- Manual direct: `/depo download direct https://example.com/Plugin-1.0.jar`
- Manual GitHub: `/depo download github Owner/Repo paper` (filters asset name containing "paper").
- Aliases: If a plugin provides Vault under a different name, map it:
```yaml
aliases:
Vault: ComplexVault
```
---
## Safety
- Trusted sources only: Modrinth (preferred), Spiget (fallback)
- Validates plugin.yml inside downloaded JAR (name/provides must match)
- Optional checksum verification per plugin
- Security option to block plain HTTP URLs
- No hot-loading — restart required
---
## Troubleshooting
- A dependency keeps re-downloading — ensure another plugin isn't already providing it. Use `aliases` to map the required name to the installed provider, or ensure the provider's plugin.yml includes `provides:`.
- Nothing downloads — set `auto-download: true`, check network, and review console for Depo logs.
- GitHub asset not found — specify an `assetFilter` matching the .jar asset name.
---
## Notes
- Depo is designed for admins who want consistent dependency resolution without hunting links.
- Auto-update is intentionally disabled by default and not yet implemented.
## Support
For questions, feedback, or issue reports, please use the resource discussion or join our Discord Server.
Join our Discord!
