Quantify
Maintenance Health.
Control Your Dependencies Drift.
OSS IQ analyzes dependency drift in your project — then plans and applies the upgrades. CLI, HTML reports, and a solver that tells you exactly what to update and why.
Point it at any JavaScript or Python project. See what's behind, what's vulnerable, and what to update — then let it make the changes. Move from reactive CVE-chasing to a planned upgrade workflow.
The Challenge
Two problems that stop senior engineers cold.
You have 50 dependencies. Or 150. Or 300. You know some of them are liabilities — but you can't touch them without knowing what breaks. And now your AI agent is adding more of them without asking.
You know this dep is a liability. But what breaks if you upgrade it? Transitive constraints two levels deep turn a one-line bump into a 3-day incident. The 'quick update' that takes a week. The urgent CVE that takes two weeks to resolve because a transitive dep has pinned the vulnerable version.
checkWe simulate transitive impact and give you a deterministic upgrade plan
Your AI coding agent installs whatever package name makes sense to it — hallucinated, 9 hours old, or quietly abandoned. No freshness gate. No health check. No blast radius analysis. It runs npm install and moves on. The liability lands on you.
checkWe surface age, cooldown status, and maintenance health for any package in seconds
A CVE three levels deep is still your CVE. A pinned transitive dep is still what blocks your 2-week emergency patch. Your direct dependencies look fine — it's what's underneath that bites you. Without the full graph, you're missing most of the problem.
checkWe map your full transitive dependency graph
Positioning
Not Another Audit Tool.
The ecosystem already has point solutions. OSS IQ takes a different angle — the move-forward axis: what will it cost to stay current, what breaks if you upgrade, and can you trust what your agent just installed.
npm audit
Finds known security vulnerabilities (CVEs) in your direct and transitive dependencies.
Version lag, maintenance signals, abandoned packages, license risk, or whether a package is worth depending on at all.
Opens automated pull requests for every available package update, keeping versions current.
Priority. It spams you with PRs for trivial patch bumps while a package you rely on quietly goes unmaintained.
Install packages on demand as part of agentic coding workflows.
Everything. No freshness gate, no health check, no blast-radius analysis. A hallucinated name or a 9-hour-old publish gets installed as confidently as a stable release.
Maps the blast radius of any upgrade before you commit. Checks package age, CVE, and maintenance health. Plans a deterministic, MaxSAT-solver-backed upgrade path — and applies it.
"It tells you what breaks before you touch anything — and whether you should trust a package in the first place."
Zero procurement. Instant answers.
Point OSS IQ at any JavaScript or Python project. See the blast radius before you commit to anything.
Project — blast radius & upgrade plan
# See what's behind, what has CVEs, what to update
uvx --from ossiq ossiq-cli status
# Solver-backed upgrade plan with full transitive-impact analysis
uvx --from ossiq ossiq-cli plan --cooldown-period=7
# Apply — rewrites your manifest and runs your package manager
uvx --from ossiq ossiq-cli apply
# Shareable HTML report with interactive dependency graph
uvx --from ossiq ossiq-cli html --output report.html
Package — safety check before your agent installs
# Inspect a package — drift, CVEs, health — before touching anything
uvx --from ossiq ossiq-cli info <package-name>
# Health-checked install — shows signals, then adds the recommended version
uvx --from ossiq ossiq-cli add <package-name>
# Age, CVE list, maintenance health, cooldown status — in seconds
✓ Published 847 days ago · No CVEs · Actively maintained
⚠ some-other-package@1.0.2: 4 hours old — fails 7-day cooldown
No install required
uvx runs OSS IQ directly from PyPI — no global install needed.
Set a GitHub token for full results
GitHub limits unauthenticated requests to 60/hour. Export a token: export OSSIQ_GITHUB_TOKEN=$(gh auth token)
Auto-detects your ecosystem
OSS IQ finds package.json, uv.lock, pyproject.toml, and more automatically.
Plan and apply upgrades
plan shows solver-recommended versions and transitive impact before touching anything. apply rewrites your manifest and runs your package manager.
From CLI to Your CI Pipeline.
Plug OSS IQ into your CI workflow — or into your agent's pre-install decision loop. Export to JSON and fail the build when lag exceeds your threshold. Ship with confidence, not just hope.
uvx --from ossiq ossiq-cli export --output-format=json --output=report.json .
jq '[.production_packages[] | select(.time_lag_days > 365)] | length' report.json
Use the MSR Engine Directly.
OSS IQ exposes its full Mining Software Repository analysis as a stable Python library. Import scan(), get structured results, and build your own tooling on top of the same engine the CLI uses.
# Install as a library — no CLI overhead
pip install ossiq
from ossiq import scan, Settings
from ossiq.unit_of_work.uow_project import ProjectUnitOfWork
settings = Settings.load_from_env()
uow = ProjectUnitOfWork(settings, project_path=".")
with uow:
result = scan(uow)
# Rich structured output — same data the CLI renders
for pkg in result.production_packages:
if pkg.cve or (pkg.time_lag_days or 0) > 365:
print(pkg.package_name, pkg.time_lag_days)
Structured ScanResult
Production, development, and transitive packages in one call. Each is a ScanRecord with version lag, CVE list, drift classification, constraint provenance, and PURL.
Same engine, no capability gap
The library and the CLI share the same MSR analysis core — the solver, cooldown, CVE data, and transitive graph are all available programmatically.
Stable, versioned interface
The public API follows the same stability guarantees as the export schema — fields are never removed within a version, and breaking changes are announced in the changelog before removal.
From Zero to Health Score in Seconds.
Run OSS IQ
Run OSS IQ pointing to your project manifest file. We support npm and Python (uv, pip and pip classic).
OSS IQ Analysis
Version lag, CVEs, transitive dependencies, and license compliance—all cross-referenced against public databases (OSV, npm, PyPI, Github) using MSR Engine in seconds.
Get Your OSS IQ Report
See your dependencies drift report, drill into each package, and get a solver-recommended upgrade plan with transitive-impact analysis.
Plan and Apply Updates
Run plan to review what OSS IQ recommends and why. Run apply to let it rewrite your manifest and update your lock file.
Knowledge Base
FAQ
Why another Software Composition Analysis tool?
OSS IQ is not a vulnerability scanner — it's the upgrade-feasibility engine that's missing from the ecosystem. It tells you what breaks if you upgrade before you touch anything, enforces a freshness policy on packages your AI agent suggests installing, and gives you a deterministic, solver-backed plan rather than a wall of PRs. The defensible edge is the move-forward axis: what will it cost to stay current, what breaks, and can I trust this enough to let an agent do it.
How is OSS IQ different from npm audit or pip-audit?
Audit tools are great at finding known vulnerabilities. OSS IQ goes further by also analyzing non-security risks, such as how far behind you are from the latest version (technical debt) and whether a package is still actively maintained. We give you the full picture of dependency health, not just one part of it.
How is OSS IQ different from npm update or uv lock --upgrade?
Those commands are execution tools — they upgrade everything to the latest version that fits your semver constraints, but they don’t tell you what to upgrade, why, or in what order. OSS IQ is an analysis tool. It scores your dependencies by version lag, maintenance signals, and transitive risk, then gives you a prioritized upgrade plan. It also surfaces packages that are abandoned or unmaintained, which no amount of upgrading will fix. Think of OSS IQ as the step you run before npm update or uv lock --upgrade — so you know exactly what you’re doing and why.
What ecosystems are supported?
OSS IQ currently supports popular ecosystems like npm for JavaScript and multiple dependency managers for Python (uv and classic pip). We are always working to add support for more ecosystems.
Is it free?
Yes. OSS IQ is a free and open-source tool licensed under AGPLv3. Designed for both personal and commercial use.