
Dependency Supply-Chain Risk Audit

Pricing

from $1.00 / 1,000 results


Audit your package.json or requirements.txt for supply-chain risk: known vulnerabilities (OSV), deprecated/abandoned packages, and a project-level risk score.

Rating: 0.0 (0 reviews)

Developer: Nicolas van Arkens (Maintained by Community)

Actor stats: 0 bookmarked, 2 total users, 1 monthly active user, last modified 2 days ago

Dependency Supply-Chain Risk Audit 🛡️

Paste your package.json or requirements.txt and get a complete supply-chain risk report for every dependency: known vulnerabilities, deprecated and abandoned packages, stale releases, and licensing gaps, rolled up into one project-level risk verdict.

Most package scrapers hand you raw metadata for one package at a time. This Actor audits your whole dependency list at once and tells you what actually matters: is my project safe to ship?

What it checks per dependency

  • 🚨 Known vulnerabilities: cross-referenced against the OSV database (CVEs and security advisories across npm and PyPI)
  • ⚰️ Deprecated / yanked packages: flagged as hard risks
  • 🕒 Staleness: packages with no release in 1, 2, or 3+ years
  • 📜 Licensing: missing or unclear licenses
  • 🔗 Source repo: the linked GitHub/source URL for deeper review

Each dependency gets a 0-100 risk score and a level (Minimal → Low → Medium → High → Critical), with concrete flags explaining why.

Project-level summary

The first result is an aggregate verdict for the whole project:

{
  "recordType": "project_summary",
  "projectRiskLevel": "Critical",
  "totalDependencies": 42,
  "vulnerableDependencies": 3,
  "deprecatedDependencies": 2,
  "staleDependencies": 5,
  "riskBreakdown": { "Critical": 1, "High": 2, "Medium": 4, "Low": 6, "Minimal": 29 },
  "summary": "42 dependencies analyzed: 3 with known vulnerabilities, 2 deprecated, 5 stale. Overall risk: Critical."
}
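To make the per-dependency checks and the roll-up above concrete, here is an added, self-contained Python sketch (not the Actor's own code) that parses a requirements.txt, builds the batch request body OSV's public POST /v1/querybatch endpoint accepts, scores each dependency and produces a project_summary record in the shape shown. The OSV response, registry release dates, deprecation flags and the 0-100 scoring weights are all constructed assumptions; the Actor's real heuristic is not published on this page.

```python
import re
from datetime import date
# Constructed sample inputs (not real audit data): a requirements.txt plus a
# stand-in for OSV's /v1/querybatch response and for registry release metadata.
REQUIREMENTS = "requests==2.19.0\nflask>=2.0  # unpinned\nleft-pad==1.3.0\n"
OSV_RESULTS = [{"vulns": [{"id": "OSV-PLACEHOLDER-1"}, {"id": "OSV-PLACEHOLDER-2"}]}, {}, {}]
META = {"requests": {"released": date(2018, 6, 14), "deprecated": False},
        "flask": {"released": date(2024, 1, 1), "deprecated": False},
        "left-pad": {"released": date(2016, 3, 25), "deprecated": True}}
TODAY = date(2025, 1, 1)  # fixed so the result is reproducible
LEVELS = ["Minimal", "Low", "Medium", "High", "Critical"]

def parse_requirements(text):
    """Return [(name, pinned_version_or_None)] from requirements.txt lines."""
    deps = []
    for line in text.splitlines():
        m = re.match(r"([A-Za-z0-9_.-]+)\s*(?:==\s*([^\s;]+))?",
                     line.split("#", 1)[0].strip())
        if m:
            deps.append((m.group(1), m.group(2)))
    return deps

def osv_batch_query(deps, ecosystem="PyPI"):
    """Build the JSON body OSV's POST /v1/querybatch endpoint accepts."""
    return {"queries": [{"package": {"name": n, "ecosystem": ecosystem},
                         **({"version": v} if v else {})} for n, v in deps]}

def score(vuln_count, meta):
    """Assumed 0-100 heuristic (not the Actor's): vulnerabilities and
    deprecation dominate; staleness adds 10 per year, capped at 3+ years."""
    years_stale = (TODAY - meta["released"]).days // 365
    s = min(100, 40 * min(vuln_count, 2) + 60 * meta["deprecated"]
            + 10 * min(years_stale, 3))
    level = LEVELS[4 if s >= 80 else 3 if s >= 60 else 2 if s >= 30 else 1 if s else 0]
    return {"riskScore": s, "riskLevel": level, "yearsStale": years_stale}

def project_summary(deps, osv_results):
    """Roll per-dependency results up into the page's project_summary record."""
    breakdown, vulnerable, deprecated, stale = dict.fromkeys(LEVELS, 0), 0, 0, 0
    for (name, _), res in zip(deps, osv_results):
        r = score(len(res.get("vulns", [])), META[name])
        breakdown[r["riskLevel"]] += 1
        vulnerable += bool(res.get("vulns"))
        deprecated += META[name]["deprecated"]
        stale += r["yearsStale"] >= 1  # "stale" = no release in 1+ years
    worst = max((lvl for lvl, n in breakdown.items() if n), key=LEVELS.index)
    return {"recordType": "project_summary", "projectRiskLevel": worst,
            "totalDependencies": len(deps), "vulnerableDependencies": vulnerable,
            "deprecatedDependencies": deprecated, "staleDependencies": stale,
            "riskBreakdown": breakdown}
```

In a real run you would POST the `osv_batch_query` body to https://api.osv.dev/v1/querybatch and feed its `results` list in place of `OSV_RESULTS`; the project verdict is simply the worst per-dependency level present.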

Use cases

  • Pre-deployment security gate: audit dependencies before every release
  • Tech due diligence: assess a codebase's supply-chain exposure
  • Continuous monitoring: schedule it to re-audit and catch newly disclosed CVEs or freshly deprecated packages
  • Dependency cleanup: find the abandoned and risky packages to replace

Input

Field                   Description
Manifest contents       Paste a full package.json or requirements.txt.
Manifest type           Auto-detect, or force npm / PyPI.
Check vulnerabilities   Toggle the OSV vulnerability lookup.
Max dependencies        Cap how many dependencies to audit.

Output

One project_summary record, then one record per dependency with its risk score, level, vulnerability count, flags, version, release date, license, and repo link. Export to JSON, CSV, or Excel, or pull via the Apify API and wire it into CI, Slack, or Sheets for automated alerts.

Notes on the vulnerability data

Vulnerability checks use the free, public OSV.dev API maintained by Google's open-source security team, covering npm and PyPI advisories. If the vulnerability service is briefly unavailable, the audit still completes using the health signals (deprecation, staleness, licensing) and clearly marks which packages were scored without vulnerability data; the run never fails because of it.

The risk score is a transparent heuristic to help you prioritize review, not a security guarantee. Always combine it with your own judgment for critical systems. Independent tool; not affiliated with npm, PyPI, GitHub, or OSV.