Real-time dependency intelligence
Stop shipping broken dependencies
Depswright watches your dependency tree the way a staff engineer would — catching version conflicts, license drift, and abandoned maintainers before they become Monday-morning fires.
$ depswright scan --repo . --format=diff
@acme/data-router 4.2.1 → 4.3.0 [CONFLICT]
└ peer: react-query requires ^4.2.x, found 4.3.0
xml-parse-lite maintainer: ABANDONED
└ last commit: 14 months ago · 47 open issues · bus factor: 1
lodash-extra MIT → AGPL-3.0 [LICENSE CHANGE]
└ detected in v2.1.0, previously MIT in v2.0.x
2 critical · 1 warning detected · 245 packages healthy
The problems that wake engineers up at 3am
Your dependency tree is lying to you
Most teams don't find out about these until production blows up.
Version conflicts you didn't write
Your direct deps pin lodash at ^4.1. A transitive dep three levels deep quietly resolves to 4.3.0. The mismatch only shows up in production.
License changes you didn't approve
A package your team relies on switches from MIT to AGPL-3.0. Without continuous license scanning, you'll find out when legal does.
Maintainers who went quiet
Last commit 14 months ago. 47 open issues. One contributor. By the time a CVE lands, the maintainer is long gone.
How Depswright works
Real-time analysis across your entire dependency graph
Resolved 847 packages (312 direct, 535 transitive)
├── @acme/data-router 4.2.1
│   ├── react-query 4.3.0 ⚠ peer conflict
│   └── axios 1.6.2 ✓
├── xml-parse-lite 3.1.0 ✗ abandoned
└── lodash-extra 2.1.0 ⚠ license:AGPL-3.0
{
  "alert_type": "version_conflict",
  "severity": "critical",
  "package": "@acme/data-router",
  "conflict": "peer requires ^4.2.x, resolved 4.3.0",
  "introduced_by": "react-query@4.3.0",
  "recommendation": "pin react-query to 4.2.8"
}
🔍 Depswright: 1 conflict detected in this change
- "react-query": "^4.2.0"
+ "react-query": "^4.3.0"
Upgrading to 4.3.x introduces a peer dep conflict with
@acme/data-router@4.2.1, which requires ^4.2.x.
Recommended: pin to react-query@4.2.8 or upgrade
@acme/data-router to a version supporting 4.3.x.
Platform capabilities
Built for the full dependency lifecycle
Dependency graph analysis
Scans transitive deps — not just direct packages. Follows the full resolution chain to surface hidden conflicts 3-4 levels deep.
depswright scan --depth=full
License compliance
Flags GPL/AGPL/SSPL in commercial codebases. Define your allowed-license policy once; get alerted when any dep drifts out of bounds.
policy.license.deny: ["AGPL-3.0", "GPL-2.0"]
Maintainer health scoring
Scores packages 0–100 based on commit cadence, issue response time, contributor count, and download trajectory. Not just "last commit date".
xml-parse-lite: health_score=12 ⚠
PR-level annotations
Surfaces issues as inline review comments on the relevant diff lines in GitHub, GitLab, and Bitbucket. Fix while the context is still open.
github.annotations: true
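As an added illustration of the graph analysis and license policy described in the two sections above (example code, not Depswright's own), the snippet below walks a constructed resolved graph modelled on the sample tree, checks every declared peer range and the deny list, and emits alerts in the shape of the JSON shown earlier. Under npm semantics a caret range such as ^4.2.x admits 4.3.0, so the constructed peer range here is the x-range 4.2.x; the graph contents, the range grammar and the license_violation alert type are assumptions.

```python
# Added example, not Depswright's code: minimal peer-range and license-policy
# checks over a constructed resolved dependency graph.
import re

# Constructed sample graph (assumption): resolved version, license and peer ranges.
GRAPH = {
    "@acme/data-router": {"version": "4.2.1", "license": "MIT",
                          "peers": {"react-query": "4.2.x"}},
    "react-query": {"version": "4.3.0", "license": "MIT", "peers": {}},
    "axios": {"version": "1.6.2", "license": "MIT", "peers": {}},
    "lodash-extra": {"version": "2.1.0", "license": "AGPL-3.0", "peers": {}},
}
POLICY_DENY = {"AGPL-3.0", "GPL-2.0"}  # mirrors policy.license.deny on this page

def parse(version):
    return tuple(int(part) for part in version.split("."))

def satisfies(version, rng):
    """npm-style subset: ^M.m.p (>=M.m.p <M+1.0.0, or <0.m+1.0 for major 0),
    M.m.x (>=M.m.0 <M.m+1.0), M.x.x (<M+1.0.0) and exact M.m.p.
    The ^0.0.p special case is not modelled."""
    m = re.fullmatch(r"(\^)?(\d+)\.(\d+|x)\.(\d+|x)", rng)
    if not m:
        raise ValueError(f"unsupported range: {rng}")
    caret, major, minor, patch = m.group(1), int(m.group(2)), m.group(3), m.group(4)
    lo = (major, 0 if minor == "x" else int(minor), 0 if patch == "x" else int(patch))
    if caret:
        hi = (major + 1, 0, 0) if major > 0 else (0, lo[1] + 1, 0)
    elif minor == "x":
        hi = (major + 1, 0, 0)
    elif patch == "x":
        hi = (major, lo[1] + 1, 0)
    else:
        return parse(version) == lo  # exact pin
    return lo <= parse(version) < hi

def scan(graph, deny):
    """Return alert dicts for peer conflicts and denied licenses, in graph order."""
    alerts = []
    for name, node in graph.items():
        for peer, rng in node["peers"].items():
            found = graph.get(peer)
            if found and not satisfies(found["version"], rng):
                alerts.append({"alert_type": "version_conflict", "severity": "critical",
                               "package": name,
                               "conflict": f"peer requires {rng}, resolved {found['version']}",
                               "introduced_by": f"{peer}@{found['version']}"})
        if node["license"] in deny:
            alerts.append({"alert_type": "license_violation", "severity": "critical",
                           "package": name, "license": node["license"]})
    return alerts
```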
Works where your team already works
What engineering leads say
"Caught a GPL license slip in a transitive dep we never would have noticed. Legal team would have been furious."
"Saved us two days debugging a version conflict on deploy day. The PR annotation showed us exactly which package introduced it."
"Maintainer health scores changed how we evaluate new deps. We've stopped onboarding packages with scores below 40."
Start watching your dependencies today
Your next incident might be a dependency.
Add Depswright to your CI pipeline in under 10 minutes.