Our story

Built by engineers who got tired of dependency fires

Depswright exists because the tooling to catch these issues existed — but only if someone was actively watching.

Marcus Chen founded Depswright in 2024 after watching a prior engineering team spend two days debugging a production incident that traced back to a transitive dependency conflict nobody had flagged.

The root cause: a dependency three levels deep had silently resolved to an incompatible minor version. The lockfile showed the pin. Nobody had checked the lockfile. The CI pipeline didn't check either.

The tooling existed to catch it — but only if someone was watching. Depswright is that watcher. It reads the full dependency graph the way a staff engineer would on a careful PR review: following the chain, checking the licenses, evaluating the maintainers, and surfacing anything worth a second look.

We're a small team in New York. We eat our own cooking — every Depswright repo scans itself on every push.

Marcus Chen, founder of Depswright

The team

Who built this

Marcus Chen

CEO & Co-Founder

Staff engineer background. Spent years maintaining internal tooling at fintech companies before deciding the dependency problem deserved a dedicated product.

N. Williams

Infrastructure & Graph Engine

Former infrastructure engineer. Wrote the core transitive resolution engine and the multi-ecosystem lockfile parser.

A. Kim

Platform & Integrations

Built the GitHub, GitLab, and Bitbucket integration layers. Keeps the CI pipeline hooks working reliably across every combination of workflow configuration.

How we think about this problem

What drives the decisions we make

Depth over breadth

One ecosystem done right is worth more than nine done poorly. We'd rather resolve the full transitive graph for npm than skim the top level across every ecosystem.

Actionable signals only

Alert fatigue kills adoption. We'd rather you get five alerts you act on than fifty alerts you tune out. Every check is designed to produce a concrete, fixable recommendation.

Config as code

Your dependency policy should live in the repo, be reviewed in PRs, and have a history. Not hidden in a SaaS settings panel nobody remembers to update.

Minimal access

We only read manifest files. Not source code. Not secrets. Not environment variables. If we can't do the analysis from the lockfile, we don't need that data.

Want to talk about dependency tooling?

We're an opinionated but friendly team. [email protected].