OSS IQ - Open Source Dependency Intelligence

Quantify
Maintenance Health.
Control Your Dependencies Drift.

OSS IQ analyzes dependency drift in your project — then plans and applies the upgrades. CLI, HTML reports, and a solver that tells you exactly what to update and why.

Point it at any JavaScript or Python project. See what's behind, what's vulnerable, and what to update — then let it make the changes. Move from reactive CVE-chasing to a planned upgrade workflow.

Free and Open Source

The Challenge

Two problems that stop senior engineers cold.

You have 50 dependencies. Or 150. Or 300. You know some of them are liabilities — but you can't touch them without knowing what breaks. And now your AI agent is adding more of them without asking.

The Blast Radius Problem

You know this dep is a liability. But what breaks if you upgrade it? Transitive constraints two levels deep turn a one-line bump into a 3-day incident. The 'quick update' that takes a week. The urgent CVE that takes two weeks to resolve because a transitive dep has pinned the vulnerable version.

checkWe simulate transitive impact and give you a deterministic upgrade plan

Agents Don't Verify. You Carry the Risk.

Your AI coding agent installs whatever package name makes sense to it — hallucinated, 9 hours old, or quietly abandoned. No freshness gate. No health check. No blast radius analysis. It runs npm install and moves on. The liability lands on you.

checkWe surface age, cooldown status, and maintenance health for any package in seconds

Hidden Transitive Risk

A CVE three levels deep is still your CVE. A pinned transitive dep is still what blocks your 2-week emergency patch. Your direct dependencies look fine — it's what's underneath that bites you. Without the full graph, you're missing most of the problem.

checkWe map your full transitive dependency graph

Positioning

Not Another Audit Tool.

The ecosystem already has point solutions. OSS IQ takes a different angle — the move-forward axis: what will it cost to stay current, what breaks if you upgrade, and can you trust what your agent just installed.

npm audit
What it does

Finds known security vulnerabilities (CVEs) in your direct and transitive dependencies.

What it misses

Version lag, maintenance signals, abandoned packages, license risk, or whether a package is worth depending on at all.

Dependabot
What it does

Opens automated pull requests for every available package update, keeping versions current.

What it misses

Priority. It spams you with PRs for trivial patch bumps while a package you rely on quietly goes unmaintained.

AI Coding Agents
What it does

Install packages on demand as part of agentic coding workflows.

What it misses

Everything. No freshness gate, no health check, no blast-radius analysis. A hallucinated name or a 9-hour-old publish gets installed as confidently as a stable release.

OSS IQ
What it does

Maps the blast radius of any upgrade before you commit. Checks package age, CVE, and maintenance health. Plans a deterministic, MaxSAT-solver-backed upgrade path — and applies it.

Why it's different

"It tells you what breaks before you touch anything — and whether you should trust a package in the first place."

Quick Start

Zero procurement. Instant answers.

Point OSS IQ at any JavaScript or Python project. See the blast radius before you commit to anything.

Project — blast radius & upgrade plan

terminal

# See what's behind, what has CVEs, what to update

uvx --from ossiq ossiq-cli status

# Solver-backed upgrade plan with full transitive-impact analysis

uvx --from ossiq ossiq-cli plan --cooldown-period=7

# Apply — rewrites your manifest and runs your package manager

uvx --from ossiq ossiq-cli apply

# Shareable HTML report with interactive dependency graph

uvx --from ossiq ossiq-cli html --output report.html

Package — safety check before your agent installs

terminal

# Inspect a package — drift, CVEs, health — before touching anything

uvx --from ossiq ossiq-cli info <package-name>

# Health-checked install — shows signals, then adds the recommended version

uvx --from ossiq ossiq-cli add <package-name>

# Age, CVE list, maintenance health, cooldown status — in seconds

✓ Published 847 days ago  ·  No CVEs  ·  Actively maintained

⚠ some-other-package@1.0.2: 4 hours old — fails 7-day cooldown

No install required

uvx runs OSS IQ directly from PyPI — no global install needed.

Set a GitHub token for full results

GitHub limits unauthenticated requests to 60/hour. Export a token: export OSSIQ_GITHUB_TOKEN=$(gh auth token)

Auto-detects your ecosystem

OSS IQ finds package.json, uv.lock, pyproject.toml, and more automatically.

Plan and apply upgrades

plan shows solver-recommended versions and transitive impact before touching anything. apply rewrites your manifest and runs your package manager.

From CLI to Your CI Pipeline.

Plug OSS IQ into your CI workflow — or into your agent's pre-install decision loop. Export to JSON and fail the build when lag exceeds your threshold. Ship with confidence, not just hope.

# Fail if any production package is more than 365 days behind
uvx --from ossiq ossiq-cli export --output-format=json --output=report.json .
jq '[.production_packages[] | select(.time_lag_days > 365)] | length' report.json
Programmatic Access

Use the MSR Engine Directly.

OSS IQ exposes its full Mining Software Repository analysis as a stable Python library. Import scan(), get structured results, and build your own tooling on top of the same engine the CLI uses.

python

# Install as a library — no CLI overhead

pip install ossiq

from ossiq import scan, Settings

from ossiq.unit_of_work.uow_project import ProjectUnitOfWork

settings = Settings.load_from_env()

uow = ProjectUnitOfWork(settings, project_path=".")

with uow:

    result = scan(uow)

# Rich structured output — same data the CLI renders

for pkg in result.production_packages:

    if pkg.cve or (pkg.time_lag_days or 0) > 365:

        print(pkg.package_name, pkg.time_lag_days)

Structured ScanResult

Production, development, and transitive packages in one call. Each is a ScanRecord with version lag, CVE list, drift classification, constraint provenance, and PURL.

Same engine, no capability gap

The library and the CLI share the same MSR analysis core — the solver, cooldown, CVE data, and transitive graph are all available programmatically.

Stable, versioned interface

The public API follows the same stability guarantees as the export schema — fields are never removed within a version, and breaking changes are announced in the changelog before removal.

API Reference
Process

From Zero to Health Score in Seconds.

01

Run OSS IQ

Run OSS IQ pointing to your project manifest file. We support npm and Python (uv, pip and pip classic).

02

OSS IQ Analysis

Version lag, CVEs, transitive dependencies, and license compliance—all cross-referenced against public databases (OSV, npm, PyPI, Github) using MSR Engine in seconds.

03

Get Your OSS IQ Report

See your dependencies drift report, drill into each package, and get a solver-recommended upgrade plan with transitive-impact analysis.

04

Plan and Apply Updates

Run plan to review what OSS IQ recommends and why. Run apply to let it rewrite your manifest and update your lock file.

Knowledge Base

FAQ

Why another Software Composition Analysis tool?

OSS IQ is not a vulnerability scanner — it's the upgrade-feasibility engine that's missing from the ecosystem. It tells you what breaks if you upgrade before you touch anything, enforces a freshness policy on packages your AI agent suggests installing, and gives you a deterministic, solver-backed plan rather than a wall of PRs. The defensible edge is the move-forward axis: what will it cost to stay current, what breaks, and can I trust this enough to let an agent do it.

How is OSS IQ different from npm audit or pip-audit?

Audit tools are great at finding known vulnerabilities. OSS IQ goes further by also analyzing non-security risks, such as how far behind you are from the latest version (technical debt) and whether a package is still actively maintained. We give you the full picture of dependency health, not just one part of it.

How is OSS IQ different from npm update or uv lock --upgrade?

Those commands are execution tools — they upgrade everything to the latest version that fits your semver constraints, but they don’t tell you what to upgrade, why, or in what order. OSS IQ is an analysis tool. It scores your dependencies by version lag, maintenance signals, and transitive risk, then gives you a prioritized upgrade plan. It also surfaces packages that are abandoned or unmaintained, which no amount of upgrading will fix. Think of OSS IQ as the step you run before npm update or uv lock --upgrade — so you know exactly what you’re doing and why.

What ecosystems are supported?

OSS IQ currently supports popular ecosystems like npm for JavaScript and multiple dependency managers for Python (uv and classic pip). We are always working to add support for more ecosystems.

Is it free?

Yes. OSS IQ is a free and open-source tool licensed under AGPLv3. Designed for both personal and commercial use.