Your dependencies deserve a health check

Scan. Score. Decide. One platform to audit every package you use.

Languages: Java, Kotlin
Build systems: Gradle, Maven
Package registries: Maven Central, Android
On the roadmap: npm, PyPI
The Hidden Risk

Your biggest blind spot

  • ~90% of your attack surface is code you don't control
  • 84% of teams ship known vulnerabilities to production
  • 91% of codebases carry critical update debt
  • 67 days: average exposure window after a CVE is published
  • 53% of codebases carry undetected license violations
  • 42% of engineering time is spent on dependency maintenance, not features
The Solution

From risk to remediation

  • Map your entire dependency surface: direct and transitive
    Deptools generates a full, interactive dependency graph covering both direct and transitive dependencies. Instantly spot high-risk nodes and hidden exposure across your entire stack.
  • Detect and remediate vulnerabilities at scale
    Every dependency is checked against the latest security advisories. You get the severity, the scope across transitives, and clear remediation guidance, not just a list.
  • Eliminate update drift before it becomes a crisis
    Track how outdated your dependencies are, detect version conflicts, and understand the real maintenance burden so your team focuses on features, not drift.
  • Automated license compliance before legal flags it
    Every license is categorized and checked for compatibility. Copyleft and commercial risks are flagged automatically and your SBOM is one click away.

Full-stack dependency intelligence

Eight specialized analyzers. One unified dashboard.

Security

  • Surface CVEs across direct and transitive dependencies instantly
  • Get actionable remediation paths not just alerts
  • Quantify your full attack surface, including hidden transitive risk
  • Stay ahead of new advisories with continuous monitoring
CRITICAL: CVE-2021-44228 · HIGH: CVE-2021-44832 · MODERATE: CVE-2021-45105
Patch available: v1.5.8 → v2.2.6 · latest: v4.0.4
2 / 2 CVEs fixed

License

  • Prevent legal exposure before shipping to production
  • Classify every license: permissive, or strong/weak copyleft
  • Flag incompatible license combinations automatically
  • Identify compliance risks and copyleft dependencies
MIT: Permissive
LGPL-2.1: Weak copyleft
GPL-3.0: Strong copyleft
UNKNOWN: Unknown

Maintainability

  • Track staleness across your entire dependency tree, not just direct deps
  • Resolve version conflicts before they cause build failures
  • Quantify technical debt introduced by your dependency stack
  • Map transitive dependencies to understand real-world upgrade complexity

Upgrade Path

Current: v3.8.0
Latest patch: v3.8.1
Latest minor: v3.9.2
Latest major: v4.2.0 (latest available)

Dependency Load

Direct: 4 · Transitive: 66 · Total: 70

Popularity

  • Identify dependencies losing ecosystem traction before they become liabilities
  • Avoid niche, low-adoption libraries that carry outsized support risk
  • Detect version lag: popular library, but not the version the ecosystem uses

Adoption

Library: Stable · +12%/yr (309.1K deps)
Used by: 309.1K · Active 1 year: 37.2K

Release (v2.24.3): 80% · Trending (8.5K deps)
Used by: 8.5K · Active 1 year: 6.8K

Activity

  • Flag stagnant dependencies with no recent commits or releases
  • Stay aligned with your dependencies' release cycles
  • Migrate proactively, before abandonment creates an incident

Activity Breakdown

My library

Direct · 7.7/10
Commits this year: 159 commits · 4 versions/yr
Last release: 15/12/2025

Community

  • Assess community vitality, contributors, issues, PR velocity
  • Spot libraries that may be abandoned or under-maintained
  • Turn weak community signals into early risk warnings
Community Metrics
Contributors: 319 · Forks: 1.5K · Issues: 3.8K · Pull Requests: 1.8K

Export

  • Export audit-ready reports for compliance and security reviews
  • Generate SBOMs in CycloneDX or SPDX built for regulatory requirements
  • Export your full dependency graph in DOT, JSON, or Graphviz
  • Embed live quality badges directly in your README
CSV Audit Report: full dependency audit
SBOM: CycloneDX · SPDX
Graph Export: DOT · JSON · Graphviz
Quality Badges: embed in your README

Explore

  • Get a complete, interactive map of your dependency graph
  • Drill into any node from root to deepest transitive dependency
  • Pinpoint high-risk nodes and structural vulnerabilities at a glance
Path to root graph
CI/CD Integration

Gate your deploy on dependency health

Trigger scans on every push using the GitHub Action, or a simple HTTP call from any CI system. Automatically block builds when dependency health drops below your thresholds.

Quality gates

  • CVE severity threshold
  • Min. health score
  • No strong copyleft licenses
  • Min. direct up-to-date %

Works with: GitHub Actions, CircleCI, Jenkins, or any CI system that can run curl
# .github/workflows/deptools.yml
name: Dependency scan
on:
  push:
    branches: [main]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: deptools-io/scan-action@v1
        with:
          project-id: ${{ vars.DEPTOOLS_PROJECT_ID }}
          api-key: ${{ secrets.DEPTOOLS_API_KEY }}
          wait-for-result: true          # block until the scan completes (default: false)
          fail-on-cvss: HIGH             # optional: CRITICAL | HIGH | MODERATE | LOW
          min-score: 7                   # optional: fail if the health score is below this value (0–10)
          fail-on-strong-copyleft: true  # optional: fail if a strong copyleft license is detected
          min-up-to-date: 80             # optional: fail if the direct-deps up-to-date % is below this (0–100)
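To make the semantics of the four quality gates concrete, here is an added illustration (not Deptools' own code, and not its action's implementation) that evaluates the same thresholds as the workflow above against a constructed scan summary. The severity ordering, the strong-copyleft license set, the data classes and the sample dependencies are assumptions made for this example; only the three CVE ids and their severities are taken from the page.

```python
"""Quality-gate evaluation for a dependency scan.

Added illustration, not Deptools' own code: it models the four gates the
workflow above exposes (fail-on-cvss, min-score, fail-on-strong-copyleft,
min-up-to-date) and runs them over a constructed scan summary so the
pass/fail semantics are visible. Severity ordering and license grouping
are assumptions made here.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed severity order: a gate set to HIGH fails on HIGH and CRITICAL only.
SEVERITY_RANK = {"LOW": 1, "MODERATE": 2, "HIGH": 3, "CRITICAL": 4}

# Assumed strong-copyleft set checked by the copyleft gate.
STRONG_COPYLEFT = {"GPL-2.0", "GPL-3.0", "AGPL-3.0"}


@dataclass
class Dependency:
    name: str
    version: str
    direct: bool            # True for direct, False for transitive
    license: str
    up_to_date: bool        # already at the latest available version?
    cves: List[Tuple[str, str]] = field(default_factory=list)  # (CVE id, severity)


@dataclass
class ScanResult:
    score: float            # overall health score, 0-10
    dependencies: List[Dependency]


@dataclass
class GateConfig:
    fail_on_cvss: Optional[str] = None          # CRITICAL | HIGH | MODERATE | LOW
    min_score: Optional[float] = None           # 0-10
    fail_on_strong_copyleft: bool = False
    min_up_to_date: Optional[float] = None      # percent of direct deps, 0-100


def direct_up_to_date_pct(result: ScanResult) -> float:
    """Share of direct dependencies at their latest version (transitives excluded)."""
    direct = [d for d in result.dependencies if d.direct]
    if not direct:
        return 100.0
    return 100.0 * sum(1 for d in direct if d.up_to_date) / len(direct)


def evaluate_gates(result: ScanResult, cfg: GateConfig) -> List[str]:
    """Return one message per failed gate; an empty list means the build may proceed."""
    failures = []

    if cfg.fail_on_cvss is not None:
        threshold = SEVERITY_RANK[cfg.fail_on_cvss.upper()]
        hits = [f"{d.name} {cve} ({sev})"
                for d in result.dependencies
                for cve, sev in d.cves
                if SEVERITY_RANK[sev.upper()] >= threshold]
        if hits:
            failures.append(f"fail-on-cvss={cfg.fail_on_cvss}: " + ", ".join(hits))

    if cfg.min_score is not None and result.score < cfg.min_score:
        failures.append(f"min-score={cfg.min_score}: health score is {result.score}")

    if cfg.fail_on_strong_copyleft:
        hits = [f"{d.name} ({d.license})" for d in result.dependencies
                if d.license in STRONG_COPYLEFT]
        if hits:
            failures.append("fail-on-strong-copyleft: " + ", ".join(hits))

    if cfg.min_up_to_date is not None:
        pct = direct_up_to_date_pct(result)
        if pct < cfg.min_up_to_date:
            failures.append(f"min-up-to-date={cfg.min_up_to_date}: direct deps at {pct:.1f}%")

    return failures


def sample_scan() -> ScanResult:
    """Constructed scan summary; versions and library names are made up for the example."""
    return ScanResult(score=6.5, dependencies=[
        Dependency("org.apache.logging.log4j:log4j-core", "2.14.1", True, "Apache-2.0", False,
                   [("CVE-2021-44228", "CRITICAL"), ("CVE-2021-44832", "HIGH"),
                    ("CVE-2021-45105", "MODERATE")]),
        Dependency("com.example:util", "1.0.0", True, "MIT", True),
        Dependency("com.example:api", "2.3.0", True, "LGPL-2.1", True),
        Dependency("org.example:helper", "0.9.0", False, "GPL-3.0", False),
    ])


if __name__ == "__main__":
    # Same thresholds as the workflow above: all four gates trip on the sample.
    gates = GateConfig(fail_on_cvss="HIGH", min_score=7, fail_on_strong_copyleft=True,
                       min_up_to_date=80)
    problems = evaluate_gates(sample_scan(), gates)
    for p in problems:
        print("GATE FAILED:", p)
    raise SystemExit(1 if problems else 0)
```

Two details worth noting when you set thresholds in the real workflow: a severity gate is a floor, so `HIGH` also blocks on `CRITICAL` but lets `MODERATE` findings through, and the up-to-date percentage is computed over direct dependencies only, so an outdated transitive does not move it even though it can still fail the CVE gate.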

Pricing

Start free. Scale as you grow. No hidden fees.

14-day free trial on all paid plans
Free

Get started with dependency analysis on public repositories.

$0
forever free
  • All features
  • Up to 10 public projects
  • 3-hour scan cooldown per project
Open Source Max (Most Popular)

Unlimited dependency analysis for open-source maintainers and organizations.

$19/mo
billed monthly
  • Unlimited public projects
  • Unlimited scans
  • Community support
Pro

Advanced dependency analysis for private repositories, teams, and companies.

$39/mo
billed monthly
  • 5 private repositories included, +$5/mo per extra
  • Unlimited public projects
  • Unlimited scans
  • Priority commercial support

Prices shown exclude applicable taxes.

Born from research

Deptools started as a research question.

How can we measure and assess the health of software dependency graphs?

Four years later, that question became a product.


Frequently asked questions

Get clarity before you commit.

Deptools connects to your GitHub repositories and scans your manifest files (pom.xml, build.gradle, etc.) to build a complete dependency graph enriched with security metrics, version data, and ecosystem intelligence. Connect your account, click Scan, and get actionable results in minutes.

No. Deptools only reads your dependency manifest files (e.g. pom.xml, build.gradle) via the GitHub API. Your actual source code is never transmitted or stored on our servers. All analysis is performed on metadata and publicly available package information.

CVE data is refreshed continuously from the National Vulnerability Database (NVD) and multiple security advisory feeds. Ecosystem signals, such as new releases, dependent counts, or GitHub stars, are refreshed weekly.

Deptools currently supports Maven Central and Google's Maven Repository, covering Java, Kotlin, and Android projects. Analysis requires manifest files (pom.xml, build.gradle, etc.). Support for npm (Node.js / JavaScript / TypeScript) and PyPI (Python) is on the roadmap. Check the Integrations section for the latest status.

Yes. Reach us at support@deptools.io. Response time is prioritized based on your plan. Pro users receive faster, dedicated support.

Each repository you scan becomes a project in Deptools. For multi-module repositories, you can create one project per module. Free plan: up to 10 public projects, with one scan per project every 3 hours. Open-Source Max: no limits on public projects or scan frequency. Pro: adds support for private repositories.

Stop guessing, start scoring

Audit your stack free
Connected in minutes · Full-featured trial · No credit card required