
Remember when colors and faker broke thousands of builds overnight in January 2022? Or when event-stream was compromised with crypto-stealing malware? Or the infamous left-pad incident that took down React and Babel?
These weren't security vulnerabilities in the traditional sense. They were maintainer problems, and tools like npm audit couldn't have caught them.
The Problem
I manage dependencies for several production applications, and I got tired of being blindsided by:
- Packages that suddenly stop being maintained
- Single-maintainer projects where one person holds all the keys
- Subtle signs of abandonment that only become obvious in hindsight
So I built PkgWatch — a dependency health intelligence platform that predicts these problems before they happen.
How It Works
PkgWatch analyzes packages across multiple signals:
| Component | What It Measures |
|---|---|
| Maintainer Health | Commit recency, true bus factor (not just contributor count) |
| Evolution | Release frequency, commit activity patterns |
| Security | OpenSSF Scorecard, vulnerability history |
| Community | Contributor diversity, issue response times |
| Adoption | Downloads, dependents, stars |
Each package gets a health score from 0-100 and a risk level (LOW, MEDIUM, HIGH, CRITICAL).
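As an added example (not part of the original post and not PkgWatch's own code), here is how the two "Maintainer Health" signals from the table, active maintainers in a 90-day window and a bus factor that is not just a contributor count, can be computed from a commit log. The sample commits, the 50% share and the risk thresholds are assumptions for illustration.

```javascript
// Added illustration (not PkgWatch's code) of the "Maintainer Health" signals from
// the table: active maintainers in the last 90 days and a true bus factor.
// The 50% share and the risk thresholds below are assumptions for illustration.
const DAY_MS = 24 * 60 * 60 * 1000;
// Constructed commit log: four names on paper, one person doing nearly all the
// work and the only one active in the last 90 days (now = 2025-01-01).
const SAMPLE_COMMITS = [
  { author: "eve",   date: "2023-11-01" },
  { author: "alice", date: "2024-02-10" },
  { author: "carol", date: "2024-05-11" },
  { author: "alice", date: "2024-06-20" },
  { author: "dave",  date: "2024-09-15" },
  { author: "alice", date: "2024-10-12" },
  { author: "alice", date: "2024-12-15" },
];

function recentCommits(commits, now, windowDays) {
  const cutoff = now.getTime() - windowDays * DAY_MS;
  return commits.filter((c) => new Date(c.date).getTime() >= cutoff);
}
// Who has actually committed recently, regardless of how long the history is.
function activeMaintainers(commits, now, windowDays = 90) {
  const authors = recentCommits(commits, now, windowDays).map((c) => c.author);
  return [...new Set(authors)].sort();
}
// True bus factor: the fewest people who together authored at least `share` of
// the last year's commits. A raw contributor count would say 3 for this window.
function busFactor(commits, now, windowDays = 365, share = 0.5) {
  const recent = recentCommits(commits, now, windowDays);
  const counts = new Map();
  for (const c of recent) counts.set(c.author, (counts.get(c.author) || 0) + 1);
  const sorted = [...counts.values()].sort((a, b) => b - a);
  let covered = 0;
  for (let i = 0; i < sorted.length; i++) {
    covered += sorted[i];
    if (covered >= share * recent.length) return i + 1;
  }
  return 0; // no commits in the window at all
}
// Roll both signals into a risk level using assumed thresholds.
function maintainerRisk(commits, now) {
  const active = activeMaintainers(commits, now);
  const bus = busFactor(commits, now);
  let level = "LOW";
  if (active.length === 0) level = "CRITICAL"; // nobody has committed in 90 days
  else if (bus <= 1) level = "HIGH";           // one person carries the project
  else if (bus === 2) level = "MEDIUM";
  const contributors = new Set(commits.map((c) => c.author)).size;
  return { activeMaintainers: active, busFactor: bus, contributors, level };
}
```

Calling `maintainerRisk(SAMPLE_COMMITS, new Date("2025-01-01"))` reports four contributors but a bus factor of 1 and a single active maintainer, which is exactly the gap between "contributor count" and "bus factor" the table draws.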
Example: Checking a Package
```bash
# Install the CLI
npm install -g @pkgwatch/cli
# Check a package
pkgwatch check lodash
```
Output:
```text
lodash (npm)
Health Score: 72/100
Risk Level: MEDIUM
Maintainer Health: 65 (1 active maintainer in last 90 days)
Evolution: 58 (Last release: 8 months ago)
Security: 85 (OpenSSF: 6.2/10)
Community: 78 (142 contributors)
```
Scanning Your Project
```bash
# Scan all dependencies in package.json
pkgwatch scan
# Fail CI if any HIGH risk packages are found
pkgwatch scan --fail-on HIGH
```
GitHub Action Integration
```yaml
- uses: Dlaranjo/pkgwatch/action@v1
  with:
    api-key: ${{ secrets.PKGWATCH_API_KEY }}
    fail-on: HIGH
```
Try It Free
- Live Demo — Try it without signing up (20 requests/hour)
- Free Tier — 5,000 requests/month, no credit card required
- Documentation — Full API reference
What's Next
I'm actively working on:
- More package registries (PyPI is already supported, Cargo/Go coming soon)
- Historical trend analysis
- Slack/Discord notifications for health changes
Would love to hear your feedback! What signals would you want to see tracked?