Know Your Dependency Risk in Minutes, Not Weeks

Understand your dependency drift at scale. No ad-hoc audits. No spreadsheets. No Dependabot-style urgency. Track version lag and transitive risk directly from your dependency manifest files.

Free and Open Source

[Screenshot: the OSS IQ HTML report showing dependency health scores, version lag, and security vulnerabilities.]

Stop Flying Blind with Your Dependencies

You have 23 dependencies. Or 230. Or 2,300 across your org. How many have critical vulnerabilities? How far behind are you? Which ones are abandoned?

Security Blind Spots

Running npm audit tells you that vulnerabilities exist. It doesn't tell you which ones actually matter in your project or what to fix first.

We show you what to fix first
Silent Tech Debt

Your React version is 2 years old. Your Express is 3 majors behind. You won't know until you try to upgrade and it takes 2 weeks instead of 2 hours.

We track your lag in real time
No Org-Wide View

You have 50 repos. Which ones are vulnerable? Which teams need help? Without centralized visibility, you're always reactive, never proactive.

We give you the dashboard

From Zero to Health Score in a Few Minutes

1. Run OSS IQ

Run OSS IQ pointing to your project's manifest file. Supported ecosystems: npm (including Yarn and pnpm) and Python (uv, Poetry, and classic pip).

2. OSS IQ Analyzes Everything

Version lag, CVEs, transitive dependencies, maintainer activity, all cross-referenced against public databases in real time.

3. Get Your OSS IQ Report

See your health score, drill into sub-scores, and get a prioritized list of what to fix first.

4. Build Your Quality Gates

Use your project metrics to set up policies and drive organization-wide behavior.
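As an added illustration of the version-lag metric and the threshold-style quality gate these steps describe, the following is example code written for this page, not OSS IQ's own implementation; OSS IQ's report format and scoring are not reproduced here. It reads a constructed package.json, resolves each declared range to its lower bound, picks the latest stable release from a constructed registry snapshot (skipping pre-releases), computes how many majors, minors or patches behind each dependency is, and fails a gate when any dependency is more than one major version behind. The package names and version histories are hypothetical.

```javascript
// Added example, not code from OSS IQ: compute semver "version lag" for the
// dependencies declared in a package.json against a snapshot of the versions
// a registry has published, then apply a simple quality-gate policy.
// The manifest and registry data below are constructed for this example;
// the package names and version histories are hypothetical.

const manifest = {
  name: "demo-app",
  dependencies: {
    "view-lib": "^16.14.0",     // caret range: any 16.x >= 16.14.0
    "web-framework": "~4.17.1", // tilde range: any 4.17.x >= 4.17.1
    "util-lib": "4.17.21",      // pinned
    "pad-lib": "1.0.0",
  },
};

// Constructed registry snapshot: every version each package has published,
// including a pre-release that must not count as "latest".
const registrySnapshot = {
  "view-lib": ["16.14.0", "17.0.2", "18.2.0", "18.3.1", "19.0.0-rc.1"],
  "web-framework": ["4.17.1", "4.18.2", "4.19.2", "5.0.0"],
  "util-lib": ["4.17.20", "4.17.21"],
  "pad-lib": ["1.0.0", "1.0.1"],
};

// Parse "major.minor.patch[-prerelease]" into numbers; null for anything else.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// A manifest range such as "^1.2.3" or "~1.2.3" is resolved to its lower bound.
// The actually installed version lives in the lockfile; using the range's
// minimum is the conservative (worst-case) assumption for lag.
function rangeLowerBound(range) {
  return parseVersion(range.replace(/^[\^~>=v\s]+/, ""));
}

function compareVersions(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Latest stable (non-prerelease) version among the published ones.
function latestStable(published) {
  return published
    .map(parseVersion)
    .filter((v) => v && !v.prerelease)
    .sort(compareVersions)
    .pop() || null;
}

function formatVersion(v) {
  return `${v.major}.${v.minor}.${v.patch}`;
}

// Lag is reported at the most significant level that differs: majors behind
// first; minors and patches only count once the higher levels match.
function versionLag(current, latest) {
  const majorsBehind = latest.major - current.major;
  const minorsBehind = majorsBehind === 0 ? latest.minor - current.minor : 0;
  const patchesBehind =
    majorsBehind === 0 && minorsBehind === 0 ? latest.patch - current.patch : 0;
  return { majorsBehind, minorsBehind, patchesBehind };
}

// One report row per declared dependency.
function analyzeDependencies(pkg, registry) {
  return Object.entries(pkg.dependencies).map(([name, range]) => {
    const current = rangeLowerBound(range);
    const latest = latestStable(registry[name] || []);
    if (!current || !latest) {
      return { name, range, error: "unparseable range or no stable release" };
    }
    return {
      name,
      current: formatVersion(current),
      latest: formatVersion(latest),
      ...versionLag(current, latest),
    };
  });
}

// Quality gate: a dependency that cannot be analyzed, or that is more than the
// allowed number of majors behind, is a policy violation.
function applyPolicy(report, policy) {
  return report
    .filter((r) => r.error || r.majorsBehind > policy.maxMajorsBehind)
    .map((r) =>
      r.error
        ? `${r.name}: ${r.error}`
        : `${r.name}: ${r.majorsBehind} major(s) behind (${r.current} -> ${r.latest})`
    );
}

const report = analyzeDependencies(manifest, registrySnapshot);
const violations = applyPolicy(report, { maxMajorsBehind: 1 });
console.table(report);
console.log(violations.length ? `Gate FAILED:\n${violations.join("\n")}` : "Gate passed");
```

With the constructed data, view-lib is two majors behind (19.0.0-rc.1 is ignored as a pre-release), web-framework is one major behind, util-lib is current, and pad-lib is one patch behind, so only view-lib trips the one-major gate. In a real pipeline the current versions would be read from the lockfile rather than the manifest ranges, and the gate would be one signal alongside vulnerability and maintenance data.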

Frequently Asked Questions

Why another Software Composition Analysis tool?

OSS IQ is not another vulnerability scanner. It helps platform teams evaluate open-source dependencies as long-term engineering assets by analyzing SBOMs, dependency graphs, and maintenance signals, producing stable scores suitable for CI and platform governance.

How is OSS IQ different from `npm audit` or `pip-audit`?

Audit tools are great at finding known vulnerabilities. OSS IQ goes further by also analyzing non-security risks, such as how far behind you are from the latest version (technical debt) and whether a package is still actively maintained. We give you the full picture of dependency health, not just one part of it.

What ecosystems does OSS IQ support?

OSS IQ currently supports popular ecosystems like npm for JavaScript and multiple dependency managers for Python (uv, Poetry, and classic pip). We are always working to add support for more ecosystems.

Is OSS IQ free?

Yes, OSS IQ is a completely free and open-source tool, licensed under the AGPLv3 license. You can use it for any personal or commercial project.