Most teams find out their dependencies are risky after something breaks. A maintainer disappears, a vulnerability sits unpatched for months, or a single package with one contributor becomes a hidden outage waiting to happen. I wanted a tool that told you this stuff before it became a problem.
So I built depgraph — an open-source dependency intelligence platform that crawls npm, PyPI, and Cargo registries, builds a live risk-scored dependency graph, and tells you exactly which packages in your supply chain are about to cause you pain.
What it does
Risk scoring across 6 dimensions
Every package gets scored on security (open advisories, CVSS scores), maintenance (commit recency, release cadence), compatibility (semver violation rate), concentration (bus factor, single-maintainer risk), blast radius (how many downstream packages break if this one changes), and operational health (issue response latency, PR merge time).
These combine into a single composite score with full explanations — not just a number, but "35% because maintainer activity fell 80% in 120 days."
Interactive dependency graph
Built with Cytoscape.js. Click any package to see its full transitive dependency tree, blast radius stats, and which packages it would take down if it disappeared. Chokepoint detection highlights the packages that are structurally too central to ignore.
Policy engine with CI gate
Define rules like "block packages with one maintainer and no release in 180 days" or "require approval for anything with 500+ downstream dependents." A GitHub Action runs the policy check on every PR and fails the build on violations — with a formatted comment showing exactly what triggered and how to fix it.
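To make the gate concrete, here is an added illustration (not depgraph's own policy DSL or code) of how the two rules quoted above can be evaluated and turned into a build decision; the PackageFacts shape, the rule format and the fixed scan time are assumptions for the example.

```typescript
// Added illustration, not depgraph's own policy DSL: a minimal evaluator for
// the two example policies from the post, plus the CI gate decision.
type PackageFacts = { name: string; maintainers: number; downstreamDependents: number;
  lastRelease: string /* ISO date of the newest release */ };
type Condition =
  | { field: "maintainers"; op: "<="; value: number }
  | { field: "daysSinceRelease"; op: ">="; value: number }
  | { field: "downstreamDependents"; op: ">="; value: number };
type Rule = { id: string; action: "block" | "require-approval"; all: Condition[] };
type Violation = { pkg: string; rule: string; action: Rule["action"]; reasons: string[] };

// Resolve the observed value a condition compares against (derived fields too).
const resolve = (p: PackageFacts, c: Condition, now: Date): number =>
  c.field === "maintainers" ? p.maintainers
  : c.field === "downstreamDependents" ? p.downstreamDependents
  : Math.floor((now.getTime() - Date.parse(p.lastRelease)) / 86_400_000);

// A rule fires only when every condition holds; each reason carries the
// observed value so the PR comment can show exactly what triggered.
export function evaluatePolicy(pkgs: PackageFacts[], rules: Rule[], now: Date): Violation[] {
  const out: Violation[] = [];
  for (const p of pkgs) for (const r of rules) {
    const checks = r.all.map(c => ({ c, actual: resolve(p, c, now) }));
    if (checks.every(x => (x.c.op === "<=" ? x.actual <= x.c.value : x.actual >= x.c.value))) {
      out.push({ pkg: p.name, rule: r.id, action: r.action,
        reasons: checks.map(x => `${x.c.field} ${x.c.op} ${x.c.value} (actual ${x.actual})`) });
    }
  }
  return out;
}

// The gate fails the build on any "block"; "require-approval" only annotates the PR.
export function gateFails(violations: Violation[]): boolean {
  return violations.some(v => v.action === "block");
}

export const exampleRules: Rule[] = [
  { id: "single-maintainer-stale", action: "block",
    all: [{ field: "maintainers", op: "<=", value: 1 }, { field: "daysSinceRelease", op: ">=", value: 180 }] },
  { id: "high-blast-radius", action: "require-approval",
    all: [{ field: "downstreamDependents", op: ">=", value: 500 }] },
];
// Constructed sample facts (hypothetical packages, not real registry data).
export const samplePackages: PackageFacts[] = [
  { name: "left-gap", maintainers: 1, lastRelease: "2023-06-01", downstreamDependents: 40 },
  { name: "core-http", maintainers: 4, lastRelease: "2024-03-10", downstreamDependents: 1200 },
  { name: "tiny-util", maintainers: 1, lastRelease: "2024-02-20", downstreamDependents: 12 },
];
export const SCAN_TIME = new Date("2024-04-01T00:00:00Z"); // fixed so results are reproducible
```

Running `evaluatePolicy(samplePackages, exampleRules, SCAN_TIME)` flags left-gap as a blocking violation (one maintainer, 305 days since release) and core-http for approval only, so `gateFails` returns true for the set.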
Abandonment detection
Time-series signals track commit frequency trends, maintainer count decay, and bus factor over time. A weighted model produces an abandonment probability score per package so you can see which ones are quietly dying before they become your problem.
Historical snapshot diffs
Every scan creates a full risk snapshot. Compare any two snapshots to see which packages degraded, which improved, what new vulnerability chains appeared, and how your overall supply chain health changed over time.
Tech stack
TypeScript monorepo with pnpm workspaces. Hono API, React + Vite frontend, PostgreSQL + Drizzle ORM, BullMQ workers, MinIO for raw storage. Fully self-hostable — one docker compose up and you're running. Zero paid services required.
Supports npm, PyPI, and Cargo with a shared normalization layer that maps all three ecosystems to a canonical data model.
Running it locally
git clone https://github.com/zaydmulani09/depgraph
cd depgraph
pnpm install --ignore-scripts
cp .env.example .env
docker compose up -d
pnpm db:migrate
pnpm --filter @depgraph/api dev &
pnpm --filter @depgraph/crawler dev &
pnpm --filter @depgraph/ui dev
Open localhost:5173. The crawler seeds 10 packages immediately and starts processing — within a few minutes you'll see risk scores, graphs, and explanations populating in the UI.
What I learned building this
The hardest part wasn't the risk scoring or the UI — it was maintaining a living graph. Getting data once is easy. Keeping it fresh, detecting drift, diffing snapshots, and making all of that fast enough to be useful is where the real complexity lives.
The second hardest part was normalization. npm, PyPI, and Cargo all have wildly different versioning semantics, dependency specifier formats, and registry API shapes. Building a canonical model that works cleanly across all three took longer than any other single component.
Check it out; issues and PRs are welcome.
GitHub: https://github.com/zaydmulani09/depgraph