DepsDiver is a tool that provides deep repository and dependency intelligence on open source software packages, enabling teams to make confident decisions before risky code ships. It is designed for security teams, engineering teams, compliance groups, and procurement groups who need to evaluate new dependencies to reduce FOCI exposure. Its main purpose is to reveal dependency risk in seconds by identifying adversarial foreign influence, maintainer control, and governance risk across the open source projects an organization depends on.
Blind reliance on unvetted dependencies is a foundational risk in software development. Organizations often introduce open source packages into critical systems without fully understanding the project evolution, commit history, or shifts in contributor influence. This lack of visibility creates significant security vulnerabilities, particularly from adversarial foreign influence. Hunted Labs provides the visibility needed to identify this influence and deploy secure alternatives, addressing the critical problem of unseen dependency risk before it impacts production systems.
DepsDiver analyzes project evolution, commit history, and shifts in contributor influence before dependencies are introduced into critical systems. It allows users to vet before adoption, examining the detailed background of open source projects to understand their development trajectory and potential risks. This proactive analysis helps teams avoid introducing compromised or poorly maintained packages into their software supply chain.
The tool surfaces inherent risk by revealing maintainer activity, project behavior, and signals of foreign influence. It provides actionable insight before dependencies are adopted, reused, or deployed at scale, helping organizations eliminate risk at every step of the development process. By highlighting detection of foreign influence, contributor data, commit history, repository history, OpenSSF Scorecard, licensing, and release details, it gives comprehensive visibility into package security.
DepsDiver offers multiple access methods including a web interface, CLI tool, and IDE extensions. Users can start with a dependency by entering a package, repository, contributor, or email domain directly in the browser or from an IDE. The Diver CLI provides command-line access to scan, analyze, and manage projects instantly from the terminal, while the DepsDiver Assist VSIX extension enhances coding workflow in VS Code and other supported editors like Cursor and Windsurf.
admin
The product works through a four-step process: starting with a dependency entry, surfacing inherent risk signals, enabling action before adoption, and tracking risk directly in the IDE. This methodology allows teams to use insights to assess and mitigate inherent risk before dependencies reach production. The optional DepsDiver Assist IDE extension surfaces foreign influence in packages directly during development, integrating risk assessment into the developer's natural workflow.
Benefits include the ability to make confident decisions about open source dependencies, reduce FOCI (Foreign Ownership, Control or Influence) exposure, and gain lifecycle-wide visibility into software risk from dependency selection to production monitoring. Teams can identify secure alternatives to risky packages and maintain oversight of their entire dependency landscape. The tool analyzes massive datasets including 71M+ commits, tracks 4 million package versions, and checks 2.2M+ open source users to provide comprehensive intelligence.
Primary use cases include evaluating new packages being considered for adoption, especially when security teams need clarity before introducing them into projects. It helps compliance and procurement groups assess vendor risk in open source dependencies. Engineering teams can use it during development to surface risk signals and suggest package alternatives directly in their IDEs. The tool is particularly valuable for organizations with critical systems that require thorough dependency vetting.
Target users include security teams, engineering teams, compliance groups, and procurement groups within organizations that use open source software. The tool integrates with developer workflows through IDE extensions for VS Code, Cursor, Windsurf, and other supported editors, plus a CLI tool for terminal access. It can review open source packages and contributors within all ecosystems, requiring no installation for basic use with optional extensions available. Pricing and plan details are available through sales consultation.
DepsDiver provides essential visibility into open source dependency risks, enabling organizations to proactively identify and mitigate threats before they impact production systems. By combining comprehensive repository analysis with seamless developer tool integration, it helps teams build more secure software from the ground up while maintaining development velocity and confidence in their dependency choices.
DepsDiver targets security teams, engineering teams, compliance groups, and procurement groups within organizations that use open source software. These users need to evaluate new dependencies to reduce FOCI exposure and make confident decisions before introducing packages into critical systems. The tool serves organizations with software supply chains that require thorough dependency vetting, particularly those with security-sensitive applications or regulatory compliance requirements. Both technical teams doing development and non-technical groups overseeing procurement and compliance can benefit from its insights.
Updated 2026-02-28