Understanding Transitive Dependency Risk: What Your package.json Doesn't Show You
Your direct dependencies are just the tip of the iceberg. Learn how nested transitive chains introduce risk that standard package audits miss entirely.
The Depswright Blog
Transitive dep risk, license compliance, maintainer health, and the CI workflows that catch problems before production does.
A dependency you've relied on for two years just switched from MIT to AGPL-3.0. Did your build pipeline notice? Ours did.
Most audit tools generate reports nobody reads. Here's how to wire dependency checks into the PR flow so remediation happens while context is fresh.
Bus factor one, last commit 14 months ago, 47 open issues with no response. How to score maintainer health before a package becomes a liability.
Peer dependency conflicts in monorepos with 200+ packages don't resolve themselves. A systematic approach to finding and unblocking the dependency graph.
The teams that rarely get surprised by dependency failures treat dep management the same way they treat code review — as a shared responsibility, not a monthly chore.