OSS IQ - Open Source Dependency Intelligence

Quantify
Maintenance Health.
Control Your Drift.

OSS IQ analyzes dependency drift at scale. Open-source intelligence for platform teams. CLI and HTML reports.

Track version lag and transitive risk directly from your dependency files. Move from reactive CVE-chasing to a planned, predictable maintenance rhythm.

Free and Open Source

The Challenge

Security Vulnerabilities aren't your only risk.

You have 50 dependencies. Or 150. Or 300 across your projects. How far behind are you? Which ones are abandoned? How many have pinned transitive dependencies?

Security Blind Spots

Running npm audit tells you there are vulnerabilities. It doesn't tell you which ones actually matter or how to prioritize them.

We surface CVEs by severity and packages by drift status

Silent Tech Debt

Your React version is 2 years old. Your Express is 3 majors behind. The 'Quick Update' takes 3 days. An urgent CVE takes 2 weeks to resolve because a transitive dependency has pinned the vulnerable version.

We track your lag in real-time

Hidden Transitive Risk

Your direct dependencies look fine. But what about their dependencies? A CVE three levels deep is still your problem. Without transitive visibility, you're missing most of the attack surface.

We map your full dependency graph

Positioning

Not Another Audit Tool.

The ecosystem already has point solutions. OSS IQ takes a different angle — analyzing the health and longevity of your supply chain, not just its known bugs.

npm audit
What it does

Finds known security vulnerabilities (CVEs) in your direct and transitive dependencies.

What it misses

Version lag, maintenance signals, abandoned packages, license risk, or whether a package is worth depending on at all.

Dependabot
What it does

Opens automated pull requests for every available package update, keeping versions current.

What it misses

Priority. It spams you with PRs for trivial patch bumps while a package you rely on quietly goes unmaintained.

OSS IQ
What it does

Analyzes the health and longevity of your entire supply chain — CVEs, version lag, maintenance status, transitive risk, and license compliance.

Why it's different

"It tells you if you should use a package, not just if it's broken."

Quick Start

One Command. Any Project.

Point OSS IQ at any JavaScript or Python project directory and get a full dependency health report in seconds.

# JavaScript / npm or Python / uv / pip

uvx --from ossiq ossiq-cli scan .

# HTML report

uvx --from ossiq ossiq-cli scan --presentation=html --output report.html .

No install required

uvx runs OSS IQ directly from PyPI — no global install needed.

Set a GitHub token for full results

GitHub limits unauthenticated requests to 60/hour. Export a token for complete scans: export OSSIQ_GITHUB_TOKEN=$(gh auth token)

Auto-detects your ecosystem

OSS IQ finds package.json, uv.lock, pyproject.toml, and more automatically.

From CLI to Quality Gate.

Plug OSS IQ into any CI pipeline. Export to JSON and fail builds when lag exceeds your threshold. Ship with confidence, not just hope.

# Fail if any production package is more than 365 days behind
uvx --from ossiq ossiq-cli export --output-format=json --output=report.json .
# jq -e exits non-zero when the last result is false, so the CI step fails
jq -e '[.production_packages[] | select(.time_lag_days > 365)] | length == 0' report.json

Process

From Zero to Health Score in Seconds.

01

Run OSS IQ

Run OSS IQ pointing to your project manifest file. We support npm and Python (uv, pip and pip classic).

02

OSS IQ Analysis

Version lag, CVEs, transitive dependencies, and license compliance—all cross-referenced against public databases (OSV, npm, PyPI, ClearlyDefined) using MSR Engine in seconds.

03

Get Your OSS IQ Report

See your dependency drift report, drill into each package's details, and get a prioritized list of what to fix first.

04

Build Your Quality Gates

Use your project metrics to set up policies and drive organization behavior.
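
A gate that turns the JSON export into a CI pass/fail decision, covering both the quality-gate snippet above and step 04. This is an added example, not OSS IQ's own code: only the `production_packages` and `time_lag_days` fields come from the page; the `name` field, the sample report and the time-boxed exception list are assumptions.

```python
import json
import sys
from datetime import date

# Constructed sample of the JSON export. "production_packages" and
# "time_lag_days" are field names from the page; "name" is assumed.
SAMPLE_REPORT = json.dumps({
    "production_packages": [
        {"name": "express", "time_lag_days": 910},
        {"name": "react", "time_lag_days": 730},
        {"name": "lodash", "time_lag_days": 40},
        {"name": "left-pad", "time_lag_days": 2000},
    ]
})

# Hypothetical policy: package -> ISO date after which its exception expires.
# Time-boxing forces a review instead of a permanent silence.
EXCEPTIONS = {"left-pad": "2030-01-01", "react": "2020-01-01"}


def lag_violations(report_json, max_lag_days, exceptions, today):
    """Return (name, lag) for packages over the threshold, worst first,
    skipping packages whose exception has not yet expired."""
    today_d = date.fromisoformat(today)
    violations = []
    for pkg in json.loads(report_json)["production_packages"]:
        if pkg["time_lag_days"] <= max_lag_days:
            continue
        expiry = exceptions.get(pkg["name"])
        if expiry is not None and date.fromisoformat(expiry) >= today_d:
            continue  # exception still valid, reviewed on its expiry date
        violations.append((pkg["name"], pkg["time_lag_days"]))
    return sorted(violations, key=lambda v: v[1], reverse=True)


def gate_exit_code(report_json, max_lag_days=365, exceptions=None, today=None):
    """0 when the gate passes, 1 otherwise (the CI step's exit status)."""
    today = today or date.today().isoformat()
    bad = lag_violations(report_json, max_lag_days, exceptions or {}, today)
    for name, lag in bad:
        print(f"FAIL {name}: {lag} days behind (limit {max_lag_days})")
    return 1 if bad else 0


if __name__ == "__main__":
    # Usage: python gate.py report.json  (falls back to the sample report)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate_exit_code(data, exceptions=EXCEPTIONS))
```
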

Knowledge Base

FAQ

Why another Software Composition Analysis tool?

OSS IQ is not another vulnerability scanner. It helps platform teams evaluate open-source dependencies as long-term engineering assets by analyzing lockfiles, dependency graphs, and maintenance signals, producing stable scores suitable for CI and platform governance.

How is OSS IQ different from npm audit or pip-audit?

Audit tools are great at finding known vulnerabilities. OSS IQ goes further by also analyzing non-security risks, such as how far behind you are from the latest version (technical debt) and whether a package is still actively maintained. We give you the full picture of dependency health, not just one part of it.

What ecosystems are supported?

OSS IQ currently supports popular ecosystems like npm for JavaScript and multiple dependency managers for Python (uv and classic pip). We are always working to add support for more ecosystems.

Is it free?

Yes. OSS IQ is a free and open-source tool licensed under AGPLv3, designed for both personal and commercial use.