depGraph

Predict dependency failures before they reach production.

DepGraph provides the developer tools and intelligence to build, scale, and secure a faster, more reliable supply chain.

2.4M+
Packages scored
18K+
Risks detected this week
94%
Accuracy on abandoned packages
30s
Average scan time

Works with your existing tools

npm
Full npm ecosystem
GitHub
Repo activity analysis
OSV.dev
CVE database mapping
CI/CD Pipelines
GitHub Actions, GitLab CI
The Hidden Problem

Your dependency graph is bigger than you think.

20 direct dependencies can balloon to 500+ transitive packages. Most of them are never reviewed.

Dependency Tree
Your Application1 app
Your production codebase
Direct Dependencies~20 packages
Packages listed in package.json
Transitive Dependencies200–800 packages
Dependencies of your dependencies
Deep Transitive500+ more packages
The invisible layer nobody audits
73% OF VULNERABILITIES COME FROM TRANSITIVE DEPS
Abandonment Risk
Maintainers stop committing. No releases. No security patches.
Maintainer Compromise
A legitimate package account is hijacked. Malicious code ships as a routine update.
Supply Chain Attacks
Typosquatting and dependency confusion. Malicious PRs merged by inattentive maintainers.
Hidden Technical Debt
Packages locked to old major versions. Migration costs compound every quarter.
Platform Capabilities

Every dimension of dependency risk, in one place.

Built for developers who care about what ships to production. No fluff, just signals.

01 //
Health Scoring Engine
Every package receives a 0–100 score computed across 6 weighted dimensions: maintenance, bus factor, issue health, downloads, CVEs, and dependency freshness.
02 //
Abandonment Detection
Proprietary signals track commit cadence, issue response time, and maintainer activity to predict abandonment 6–12 months before it becomes obvious.
03 //
Supply Chain Monitoring
Real-time monitoring against OSV.dev, GitHub Advisory Database, and NVD. Get alerted the moment a CVE lands in your dependency tree.
04 //
Graph Visualization
Interactive force-directed graph rendering your entire dependency tree. Filter by risk level, drill into transitive chains, spot bottlenecks instantly.
05 //
Migration Intelligence
AI-powered suggestions for safer alternatives, automatically ranked by ecosystem adoption and compatibility.
06 //
CI/CD Integration
One-line GitHub Action. Fail builds on threshold breach, post risk summaries as PR comments, track score over time.
Developer Experience

Works where developers already work.

CLI, GitHub Action, or web dashboard — all three stay perfectly in sync.

CLI //
Instant scan, zero config.
$npx depgraph-scanner check
✓ Scanning 312 packages...
✓ Fetching GitHub activity...
 
Health Score: 42/100 ⚠ HIGH RISK
Critical: 2 High: 5 Medium: 8
 
Report: https://depgraph.dev/r/abc123
GitHub Action //
Block risky merges in CI.
# .github/workflows/depgraph.yml
on: [pull_request]
jobs:
scan:
steps:
- uses: py-kalki/depgraph-action@v1
with:
fail_on: critical
post_comment: true
threshold: 40
Dashboard //
Historical trends, team visibility.
📊 Score history: my-saas-app
 
Jun 10 ████████░░ 82 → Healthy
Jun 3 █████░░░░░ 54 → Medium
May 27 ████░░░░░░ 42 → High ⚠
 
↓ 40pts — event-stream added May 27
Comparison

Why DepGraph is different.

DepGraph
Recommended
Snyk
Dependabot
npm audit
Predictive health scoring
Abandonment detection
Supply chain monitoring
Migration guidance
CI/CD integration
Known CVEs
Historical trends
Team collaboration
Pricing

Start free. No credit card required.

The free tier is genuinely useful — not crippled. Upgrade to Pro when your project needs more.

Free
Everything you need to get started.
₹0/forever
npx depgraph-scanner check on any public project
Up to 3 saved projects
Public repositories only
Health scores + basic risk flags
30-day score history
Weekly email digest
Shareable report URLs
Get started
Most popular
Pro
For developers serious about dependency health.
₹99/month
Everything in Free
Unlimited saved projects
Public + private repositories
365-day score history
Real-time alerts (score drops, CVEs)
On-demand project re-scan
SBOM export (JSON/CycloneDX)
Migration path suggestions
FAQ

Frequently asked questions.

Each package receives a 0–100 composite score weighted across 6 dimensions: maintenance activity (25%), bus factor (20%), issue health (15%), download trend (15%), known CVEs (15%), and dependency freshness (10%). Scores are recalculated daily.

Public repos and npm packages are fully supported on the Free tier. Private repository scanning requires a Pro plan, which uses a GitHub App installation with read-only access. We never store your source code.

Yes. The GitHub Action integrates in one step. You can fail builds on critical risk, set minimum score thresholds, and post detailed PR comments. GitLab CI and other pipelines work via the CLI.

We store package metadata, health scores, and scan history. We never store your source code, private tokens, or environment variables. Scan results for private repos are stored encrypted and deleted on account closure.

In backtesting against 200 known-abandoned packages, our model achieved 94% recall with 87% precision at the 6-month horizon. False positives are surfaced as "maintenance warnings" rather than critical flags.

The CLI scanner and scoring engine are fully open source on GitHub under MIT license. The dashboard and API backend are proprietary. You can self-host the scanner in your own infrastructure.