Dependency Intelligence

Know when your
deps start drifting.

DepWatch scans any GitHub repository and delivers transparent health reports — risk scores, evidence signals, and actionable recommendations for every dependency.

$ pip install depwatch-cli
3+ signal types · 0–10 risk score scale · MIT open source
Sample terminal output (depwatch — bash):
pydantic HEALTHY · 0/10
Last commit: 0d ago · Contributors: 100+
unmaintained-sdk RISKY · 9/10
Last commit: 340d ago · Contributors: 1
legacy-parser WARNING · 5/10
Last release: 130d ago · Open issues: 50+
requests HEALTHY · 1/10
Last release: 12d ago · Contributors: 50+
The Problem

Hidden risk in
plain sight.

Dependencies become unmaintained silently. There's no alarm when the last commit was eight months ago, or when a library's sole maintainer stopped responding. Your build stays green while technical debt accumulates.
DepWatch surfaces that invisible drift — before it becomes a CVE, a breaking change, or a production incident.

Capabilities

Built for
signal fidelity.

Multi-signal analysis

Commit history, release cadence, contributor count, and issue activity, combined into one coherent health signal that approximates the project's real maintenance state. Note that these are maintenance signals, not vulnerability scanning: an actively maintained library can still ship a CVE, so treat the score as a leading indicator alongside your SCA tooling, not a replacement for it.

Example scores: pydantic 0/10 · click 4/10 · old-utils 8/10 · httpx 1/10

Confidence levels

High / Medium / Low based on how many signals agree. Not all risk is equal — DepWatch tells you how sure it is.

Actionable output

Clear recommendations: no action, monitor, evaluate alternatives, or migrate now. No ambiguity about next steps.

Rich CLI output

Color-coded panels with detailed breakdowns. Designed to be readable at a glance in any terminal workflow.

REST API

FastAPI backend for programmatic access. Integrate health scores into your CI pipeline or internal tooling.

Multi-format parsing

Parses requirements.txt, package.json, and pyproject.toml — Python and Node projects covered.
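The manifest step (this capability, and step 01 of the process below) is the part most likely to bite in practice: requirement lines carry extras, markers, comments, `-r` includes and URL forms, and the same project can appear as `Pydantic`, `pydantic` or `PYDANTIC`. The following is an added example written for this page, not DepWatch's own parser; it extracts PEP 503-normalised names from requirements.txt and PEP 621 pyproject.toml, and dependency names from package.json, skipping lines that are not lookup-able dependencies. The sample manifests are constructed for the example and name no real repository.

```python
"""Manifest parsing in the style of DepWatch step 01 (added example, not
DepWatch's own code). Extracts dependency names from requirements.txt,
pyproject.toml and package.json so each can be looked up upstream."""
import json
import re

try:  # tomllib is stdlib from Python 3.11; older interpreters need a third-party TOML parser
    import tomllib
except ModuleNotFoundError:
    tomllib = None

# PEP 508 project name: alphanumerics, optionally with internal . _ -
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)")
# Bare URL lines (git+https://..., https://.../x.whl) have no resolvable name
_URL_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-insensitive, runs of -_. collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirement(spec: str):
    """Name from one PEP 508 line, or None for non-requirement lines
    (comments, -r/-e/--option lines, bare URLs). 'name @ url' is kept."""
    line = spec.split("#", 1)[0].strip()
    if not line or line.startswith("-") or _URL_RE.match(line):
        return None
    m = _NAME_RE.match(line)
    return normalize(m.group(1)) if m else None


def _dedupe(names):
    seen = []
    for n in names:
        if n and n not in seen:
            seen.append(n)
    return seen


def parse_requirements_txt(text: str) -> list:
    return _dedupe(parse_requirement(raw) for raw in text.splitlines())


def parse_pyproject_toml(text: str) -> list:
    """PEP 621 [project].dependencies plus every optional-dependencies group."""
    if tomllib is None:
        raise RuntimeError("pyproject.toml parsing needs Python 3.11+ (tomllib)")
    project = tomllib.loads(text).get("project", {})
    specs = list(project.get("dependencies", []))
    for group in project.get("optional-dependencies", {}).values():
        specs.extend(group)
    return _dedupe(parse_requirement(s) for s in specs)


def parse_package_json(text: str) -> list:
    """npm dependencies and devDependencies; scoped names (@org/pkg) kept as-is."""
    data = json.loads(text)
    return _dedupe(
        name for section in ("dependencies", "devDependencies")
        for name in data.get(section, {})
    )


def parse_manifest(filename: str, text: str) -> list:
    """Dispatch on the manifest file name, as a scanner would after fetching it."""
    if filename.endswith("requirements.txt"):
        return parse_requirements_txt(text)
    if filename.endswith("pyproject.toml"):
        return parse_pyproject_toml(text)
    if filename.endswith("package.json"):
        return parse_package_json(text)
    raise ValueError(f"unsupported manifest: {filename}")


# Constructed sample manifests (not taken from any real repository).
SAMPLE_REQUIREMENTS = """\
# web stack
requests[security]>=2.28 ; python_version >= "3.8"
Pydantic==2.5.0   # pinned
-r base.txt
-e .
git+https://example.invalid/vendored-tool.git
legacy-parser @ git+https://example.invalid/legacy-parser.git
Unmaintained_SDK
"""
SAMPLE_PYPROJECT = """\
[project]
name = "demo"
dependencies = ["httpx>=0.25", "click"]

[project.optional-dependencies]
dev = ["pytest", "HTTPX[http2]"]
"""
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "demo",
    "dependencies": {"express": "^4.18.0", "@types/node": "^20"},
    "devDependencies": {"jest": "^29", "express": "^4.18.0"},
})

if __name__ == "__main__":
    print(parse_manifest("requirements.txt", SAMPLE_REQUIREMENTS))
    print(parse_manifest("package.json", SAMPLE_PACKAGE_JSON))
```

Normalising names before the upstream lookup matters for signal fidelity: without it `Pydantic` and `pydantic` would be queried (and scored) as two different dependencies, and a second `HTTPX[http2]` entry in an extras group would be double-counted.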

Process

From repo URL
to risk clarity.

step 01

Scan repository

Point DepWatch at any GitHub URL. It fetches and parses your dependency manifest — requirements.txt, package.json, or pyproject.toml.

step 02

Gather signals

For each dependency, DepWatch queries the GitHub API, pulling commit recency, release dates, contributor counts, and issue activity. Plan on authenticating those requests: unauthenticated GitHub API calls are limited to 60 per hour, which a manifest of any size will exhaust, and a dependency whose source is not on GitHub cannot be assessed this way at all.

step 03

Score the risk

A weighted scoring engine turns raw signals into a 0–10 risk number. Stale commits, solo maintainers, and abandoned releases all contribute.

step 04

Surface insights

Rich terminal panels show every signal, the confidence level, and a clear recommendation. No raw data to interpret — just actionable output.

Methodology

Transparent
scoring model.

No black boxes. Every point in the risk score traces back to a specific, observable signal from the repository.

Risk factor weights

  No commits in 90+ days               +3
  Releases stale 120+ days             +3
  No official releases ever            +1
  Low contributor count (<2)           +2
  Stagnant issues (50+, no activity)   +2
  Large maintainer base (10+)          −2
Confidence levels

High confidence: 3+ signals agree

Multiple independent signals point the same direction. The risk assessment is reliable.

Medium confidence: 2 signals agree

Two signals align but others are neutral or absent. Treat this as an early warning.

Low confidence: 1 weak signal

Only one signal triggered. Worth monitoring, but not a clear risk signal yet.
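To make the transparency claim concrete, here is an added example (written for this page, not DepWatch's scoring engine) that carries steps 02 to 04 of the process through in code: raw repository signals go in, the six weights listed above are applied one by one, the total is clamped to the 0–10 scale, and confidence is derived from how many risk-raising signals fired. Everything not stated on the page is an assumption and marked as such in the code: the 90-day threshold used to decide that open issues have "no activity", the score bands that map to HEALTHY/WARNING/RISKY and to the four recommendations, and the handling of a dependency where no signal triggers. The four `RepoSignals` records are constructed inputs, not data fetched from GitHub.

```python
"""Transparent risk scoring in the style of the DepWatch methodology (added
example, not DepWatch's own code). The factor weights are the ones listed on
the page; bands, recommendation mapping and 'no signal' handling are assumptions."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class RepoSignals:
    """Raw facts a scanner would pull from the GitHub API for one dependency."""
    name: str
    days_since_commit: int
    days_since_release: int | None        # None = the project has never cut a release
    contributors: int
    open_issues: int
    days_since_issue_activity: int | None  # None = no issue activity on record


ISSUE_STAGNANT_DAYS = 90  # assumption: "no activity" means no issue update in 90+ days

# (label, weight, predicate): every point traces back to exactly one observable signal.
RISK_FACTORS = [
    ("No commits in 90+ days", +3, lambda s: s.days_since_commit >= 90),
    ("Releases stale 120+ days", +3,
     lambda s: s.days_since_release is not None and s.days_since_release >= 120),
    ("No official releases ever", +1, lambda s: s.days_since_release is None),
    ("Low contributor count (<2)", +2, lambda s: s.contributors < 2),
    ("Stagnant issues (50+, no activity)", +2,
     lambda s: s.open_issues >= 50
     and s.days_since_issue_activity is not None
     and s.days_since_issue_activity >= ISSUE_STAGNANT_DAYS),
    ("Large maintainer base (10+)", -2, lambda s: s.contributors >= 10),
]


def confidence_for(risk_signal_count: int) -> str:
    """Page rule: 3+ agreeing signals = High, 2 = Medium, 1 = Low."""
    if risk_signal_count >= 3:
        return "High"
    if risk_signal_count == 2:
        return "Medium"
    if risk_signal_count == 1:
        return "Low"
    return "None"  # assumption: nothing triggered, so there is no risk claim to be confident in


def classify(risk: int) -> tuple[str, str]:
    """Assumed bands: the page shows 0-1 as HEALTHY, 5 as WARNING and 9 as RISKY."""
    if risk <= 2:
        return "HEALTHY", "no action"
    if risk <= 4:
        return "WARNING", "monitor"
    if risk <= 7:
        return "WARNING", "evaluate alternatives"
    return "RISKY", "migrate now"


def score(signals: RepoSignals) -> dict:
    triggered = [(label, w) for label, w, pred in RISK_FACTORS if pred(signals)]
    risk = max(0, min(10, sum(w for _, w in triggered)))   # clamp to the 0-10 scale
    risk_raising = sum(1 for _, w in triggered if w > 0)   # mitigating factors do not add confidence
    status, recommendation = classify(risk)
    return {
        "name": signals.name, "risk": risk, "status": status,
        "confidence": confidence_for(risk_raising),
        "recommendation": recommendation, "factors": triggered,
    }


def render(report: dict) -> str:
    """Plain-text panel: headline, then every factor that contributed a point."""
    lines = [f"{report['name']:<20} {report['status']} · {report['risk']}/10"
             f"  (confidence: {report['confidence']})"]
    lines += [f"  {w:+d}  {label}" for label, w in report["factors"]]
    lines.append(f"  recommendation: {report['recommendation']}")
    return "\n".join(lines)


# Constructed sample signals (not fetched from GitHub; names are illustrative).
SAMPLES = [
    RepoSignals("pydantic", 0, 5, 100, 300, 0),
    RepoSignals("unmaintained-sdk", 340, 340, 1, 12, 200),
    RepoSignals("legacy-parser", 60, 130, 3, 55, 100),
    RepoSignals("solo-tool", 30, None, 1, 0, None),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(render(score(s)), end="\n\n")
```

Two details are worth keeping when you adapt this. Only risk-raising factors count toward confidence: a large maintainer base lowers the score but is not "a signal agreeing" that a project is at risk, so a healthy project ends with score 0 and no risk claim rather than a falsely "Low confidence" one. And the "releases stale" and "never released" factors are mutually exclusive by construction (one needs a release date, the other its absence), so the highest reachable raw score is 3+3+2+2 = 10, which is exactly where the clamp sits.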

Open Source

Built in the
open. Always.

DepWatch is MIT-licensed and community-driven. The scoring methodology is visible, the code is readable, and contributions are welcome.

MIT License · GitHub hosted · Community driven · Python · FastAPI
QUICK START
$ git clone https://github.com/pranavkp71/DepWatch
$ cd DepWatch
$ pip install -e ".[dev]"
$ depwatch scan <repo-url>

Stop flying blind
on dependencies.

One command. Full visibility. Know exactly what needs attention before it becomes a problem.