Your dependencies deserve a health check

Scan. Score. Decide. One platform to audit every package you use.

Languages: Java, Kotlin
Build systems: Gradle, Maven
Package registries: Maven Central, Android
On the roadmap: npm, PyPI
The Hidden Risk

Your biggest blind spot

~90% of your attack surface is code you don't control (dependencies)
84% of teams ship known vulnerabilities to production
91% of codebases carry critical update debt
67 days: average exposure window after a CVE is published
53% of codebases carry undetected license violations
42% of engineering time is spent on dependency maintenance, not features
The Solution

From risk to remediation

  • Map your entire dependency surface: direct and transitive
    Deptools generates a full, interactive dependency graph covering both direct and transitive dependencies. Instantly spot high-risk nodes and hidden exposure across your entire stack.
  • Detect and remediate vulnerabilities at scale
    Every dependency is checked against the latest security advisories. You get the severity, the scope across transitives, and clear remediation guidance, not just a list.
  • Eliminate update drift before it becomes a crisis
    Track how outdated your dependencies are, detect version conflicts, and understand the real maintenance burden so your team focuses on features, not drift.
  • Automated license compliance before legal flags it
    Every license is categorized and checked for compatibility. Copyleft and commercial risks are flagged automatically and your SBOM is one click away.

Full-stack dependency intelligence

Eight specialized analyzers. One unified dashboard.

Analyzer 01 / 08: Security

Patch what matters, ignore the noise

Every dependency continuously checked against the latest security advisories with severity, exposed scope and clear remediation paths.

Dashboard preview (Security analyzer):

  • CVE-2026-40976: CRITICAL, CWE-862, published Apr 28, 2026
  • CVE-2026-35554: HIGH, CWE-362, published Apr 7, 2026
  • CVE-2025-68161: MODERATE, CWE-297, published Dec 18, 2025
  • CVE-2026-22735: LOW, CWE-667, published Mar 20, 2026

log4j-core (org.apache.logging.log4j) v2.24.3 · 4 CVEs · health score 0/10 · Critical Risk
Patch available: v2.24.3 → v2.25.4 (latest: v2.26.0) · 4 / 4 CVEs fixed
CI/CD Integration

Gate your deploy on dependency health

Trigger scans on every push using the GitHub Action or a simple HTTP call from any CI system. Automatically block builds when dependency health drops below your thresholds.

Quality gates

Quality gates: CVE severity threshold · Min. health score · No strong copyleft licenses · Min. direct up-to-date %

Works with: GitHub Actions, CircleCI, Jenkins, or any CI system that can run curl
# .github/workflows/deptools.yml
name: Dependency scan
on:
  push:
    branches: [main]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: deptools-io/scan-action@v1
        with:
          project-id: ${{ vars.DEPTOOLS_PROJECT_ID }}
          api-key: ${{ secrets.DEPTOOLS_API_KEY }}
          wait-for-result: true         # block until completed (default: false)
          fail-on-cvss: HIGH            # optional: CRITICAL | HIGH | MODERATE | LOW
          min-score: 7                  # optional: fail if score below this value (0–10)
          fail-on-strong-copyleft: true # optional: fail if strong copyleft license detected
          min-up-to-date: 80            # optional: fail if direct deps up-to-date % below this (0–100)
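The four gates in the workflow above are simple thresholds, so a CI system without a native Deptools step can apply the same decision itself once it has the scan result. The script below is an added example, not Deptools' own code or API: the scan-result dictionary is constructed (the real response format is an assumption), reusing the log4j-core advisories shown in the dashboard preview, and the thresholds match the workflow.

```python
import sys

# Severity order used by the fail-on-cvss gate: a finding trips the gate
# when it is at or above the configured level.
SEVERITY_RANK = {"LOW": 1, "MODERATE": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed scan result (assumed shape, not the real Deptools response).
# CVE ids and severities mirror the log4j-core card shown above; the
# up-to-date percentage is a made-up value.
SAMPLE_RESULT = {
    "project": "log4j-core",
    "score": 0,                    # health score, 0-10
    "direct_up_to_date_pct": 62,   # constructed value
    "strong_copyleft_found": False,
    "cves": [
        {"id": "CVE-2026-40976", "severity": "CRITICAL"},
        {"id": "CVE-2026-35554", "severity": "HIGH"},
        {"id": "CVE-2025-68161", "severity": "MODERATE"},
        {"id": "CVE-2026-22735", "severity": "LOW"},
    ],
}

def evaluate_gates(result, fail_on_cvss=None, min_score=None,
                   fail_on_strong_copyleft=False, min_up_to_date=None):
    """Apply the four quality gates; return failure messages (empty list = pass)."""
    failures = []
    if fail_on_cvss is not None:
        threshold = SEVERITY_RANK[fail_on_cvss.upper()]
        hits = [c["id"] for c in result["cves"]
                if SEVERITY_RANK[c["severity"].upper()] >= threshold]
        if hits:
            failures.append(f"{len(hits)} CVE(s) at or above {fail_on_cvss}: {', '.join(hits)}")
    if min_score is not None and result["score"] < min_score:
        failures.append(f"health score {result['score']} below minimum {min_score}")
    if fail_on_strong_copyleft and result["strong_copyleft_found"]:
        failures.append("strong copyleft license detected")
    if min_up_to_date is not None and result["direct_up_to_date_pct"] < min_up_to_date:
        failures.append(f"direct deps up-to-date {result['direct_up_to_date_pct']}% below {min_up_to_date}%")
    return failures

def gate_exit_code(result, **gates):
    """Exit status a CI step would return: 0 when every gate passes, 1 otherwise."""
    failures = evaluate_gates(result, **gates)
    for msg in failures:
        print("GATE FAILED:", msg)
    return 1 if failures else 0

if __name__ == "__main__":
    # Same thresholds as the workflow above; a non-zero exit fails the build.
    sys.exit(gate_exit_code(SAMPLE_RESULT, fail_on_cvss="HIGH", min_score=7,
                            fail_on_strong_copyleft=True, min_up_to_date=80))
```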

Pricing

Start free. Scale as you grow. No hidden fees.

14-day free trial on all paid plans
Free

Get started with dependency analysis on public repositories.

$0, forever free
  • All features
  • Up to 10 public projects
  • 3-hour scan cooldown per project
Open Source Max (most popular)

Unlimited dependency analysis for open-source maintainers and organizations.

$19/mo, billed monthly
  • Unlimited public projects
  • Unlimited scans
  • Community support
Pro

Advanced dependency analysis for private repositories, teams, and companies.

$39/mo, billed monthly
  • 5 private repositories included, +$5/mo per extra
  • Unlimited public projects
  • Unlimited scans
  • Priority commercial support

Prices shown exclude applicable taxes.

Custom

Custom solutions for teams with specific security, compliance, or operational requirements.

Contact Us
  • Personalized dependency audit
  • Custom VCS & build integration
  • Self-hosted deployment
  • Custom contract & invoicing
Born from research

Deptools started as a research question.

How can we measure and assess the health of software dependency graphs?

Four years later, that question became a product.


Frequently asked questions

Get clarity before you commit.

Deptools connects to your GitHub repositories and scans your manifest files (pom.xml, build.gradle, etc.) to build a complete dependency graph enriched with security metrics, version data, and ecosystem intelligence. Connect your account, click Scan, and get actionable results in minutes.

Deptools does not access your source code. It only reads your dependency manifest files (e.g. pom.xml, build.gradle) via the GitHub API. Your actual source code is never transmitted to or stored on our servers. All analysis is performed on metadata and publicly available package information.

CVE data is refreshed continuously from the National Vulnerability Database (NVD) and multiple security advisory feeds. Ecosystem signals, such as new releases, dependent counts or GitHub stars, are refreshed weekly.

Deptools currently supports Maven Central and Google's Maven Repository, covering Java, Kotlin, and Android projects. Analysis requires manifest files (pom.xml, build.gradle, etc.). Support for npm (Node.js / JavaScript / TypeScript) and PyPI (Python) is on the roadmap. Check the Integrations section for the latest status.

Support is available at support@deptools.io. Response time is prioritized based on your plan; Pro users receive faster, dedicated support.

Each repository you scan becomes a project in Deptools. For multi-module repositories, you can create one project per module. Free plan: up to 10 public projects, with one scan per project every 3 hours. Open Source Max: no limits on public projects or scan frequency. Pro: adds support for private repositories.

Stop guessing, start scoring
