Detect Abandoned & Vulnerable Dependencies Instantly

Deadware refers to software dependencies that are no longer maintained: no updates, no security patches, no bug fixes. If you depend on deadware, you're exposed to unpatched vulnerabilities, compatibility issues, and potential supply chain attacks. Studies show that over 20% of npm packages haven't been updated in 2+ years.

Each package is scored from 0 (healthy) to 100 (critical risk) based on up to 7 weighted factors: release freshness (35%), bus factor/maintainer count (25%), repository archived status (20%), open issue backlog (10%), license type (10%), known CVE vulnerabilities (30%), and deprecation status (25%). The overall score is a weighted average of all available factors.

No. All analysis runs 100% in your browser. We only make read-only requests to public registries (npm, PyPI) and the OSV vulnerability database. Your dependency files, source code, and tokens never leave your machine. This makes Deadware Risk Scanner the most privacy-friendly dependency scanner available.

We support 5 ecosystems: npm (package.json, package-lock.json), PyPI (requirements.txt, Pipfile), RubyGems (Gemfile), Go Modules (go.mod), and Cargo/Rust (Cargo.toml). You can paste content, upload files, scan any public GitHub repo by URL, or connect your GitHub account to scan private repos.

We query the OSV.dev database (maintained by Google) for each package and version in your dependency file. OSV aggregates vulnerability data from GitHub Security Advisories, npm advisories, PyPI advisories, RustSec, and other sources. Each vulnerability is rated by severity (Critical, High, Moderate, Low) based on its CVSS score.

Most security tools focus only on known CVEs. Deadware Risk Scanner goes further by detecting abandoned and unmaintained packages BEFORE they become a security risk. We analyze bus factor, release frequency, repository status, and deprecation, risks that CVE-only tools miss entirely. Plus, we're 100% client-side and free to use, with no signup required.

A GitHub token is optional but recommended. Without it, you get registry data and CVE scanning. With a token (public_repo scope), you also get repository archived status, open issue counts, security policy detection, and the ability to scan your private repositories, making the risk assessment significantly more accurate.

We maintain a curated database of 50+ known abandoned or deprecated packages with actively-maintained alternatives. For example, if you use "moment" for dates, we suggest "date-fns", "dayjs", or "luxon". If you use "request" for HTTP, we suggest "undici", "node-fetch", or "axios". Each suggestion includes a link and reason.

Yes! Export your scan results as JSON and integrate them into your CI pipeline. You can also embed a shields.io health badge in your README using the CI Badge feature (Pro plan). We also provide CSV export for spreadsheet analysis. Full CI/CD GitHub Actions integration is on our roadmap.

Yes! The entire codebase is open source and available on GitHub. You can inspect every line of code, contribute improvements, or self-host it. We believe security tools should be transparent and community-driven.