DepsDiver is a dependency risk analysis platform from Hunted Labs that provides deep repository and dependency intelligence on open source software packages. It is designed for security, engineering, compliance, and procurement teams who need to identify adversarial foreign influence, maintainer control, and governance risk across the projects their organization depends on. The core value of DepsDiver lies in revealing hidden threats within open source dependencies before they are ever adopted, allowing teams to make informed decisions and reduce the attack surface of their software supply chain. By analyzing commit histories, contributor behavior, and project evolution, it transforms opaque open source packages into transparent, assessable components.
The concrete problem DepsDiver solves is the blind reliance on unvetted dependencies, which is a foundational risk in modern software development. Organizations often adopt packages without understanding who contributes to them, whether there are shifts in maintainer control, or if there are signals of foreign influence that could lead to supply chain attacks. This lack of visibility means that malicious code, backdoors, or subtle manipulations can be introduced into critical systems without detection. DepsDiver addresses this by providing the visibility needed to identify adversarial influence and deploy secure alternatives, ensuring that teams are no longer flying blind when selecting open source components. It matters because a single compromised dependency can cascade into a widespread security incident.
The first major feature group is the "Vet Before Adoption" capability, which allows teams to analyze project evolution, commit history, and shifts in contributor influence before dependencies are introduced into their critical systems. This feature works by surfacing the full historical timeline of a package, showing who contributed what code, when, and how that contributor's role may have changed over time. By examining the distribution of commits among maintainers, DepsDiver reveals whether a project has become dominated by a single entity or has experienced suspicious changes in ownership. This is useful because it helps security and engineering teams spot red flags early, such as a sudden influx of contributions from unfamiliar or sanctioned sources, enabling them to avoid adopting potentially compromised packages.
The second major feature group is the "Surface Inherent Risk" analysis, which encompasses maintainer activity, project behavior, signals of foreign influence, OpenSSF Scorecard scores, licensing details, and release information. When a user enters a package into DepsDiver, the tool aggregates data from multiple sources to provide a comprehensive risk profile. The OpenSSF Scorecard offers a standardized security assessment, while the foreign influence detection highlights contributions from entities that may be under adversarial control. Licensing details clarify usage rights, and release history reveals if the package has been rapidly versioned in an attempt to push malicious updates. This feature is critical because it gives teams a holistic view of a dependency's trustworthiness, allowing them to quickly triage and reject high-risk packages before they ever reach production.
admin
The third group of features includes DepsDiver Assist, an IDE extension that surfaces risk signals and suggests package alternatives directly during development, and Diver CLI, a command-line tool for scanning and analyzing projects from the terminal. DepsDiver Assist integrates with VS Code, Cursor, Windsurf, and other supported editors, enabling developers to see real-time risk data without leaving their coding environment. It can automatically recommend safer alternative packages when a high-risk dependency is detected. Diver CLI allows teams to batch scan entire projects or repositories, integrating dependency intelligence into automated CI/CD pipelines. Together, these tools extend DepsDiver's capabilities beyond the web interface, embedding risk assessment into the daily workflows of developers and security engineers.
DepsDiver works through a straightforward four-step workflow designed to integrate seamlessly into existing adoption processes. Step one begins by entering a package name, repository URL, contributor identity, or email domain directly into the browser or from within an IDE using the Assist extension. Step two automatically surfaces inherent risk by showing maintainer activity, project behavior, and signals of foreign influence. Step three empowers the user to act before adopting by using these insights to assess and mitigate risk before the dependency reaches production. Step four extends visibility into the IDE, where developers can track foreign influence in their packages continuously as they code. This workflow ensures that risk assessment happens at every stage of the dependency lifecycle, from initial consideration to ongoing use.
Concrete use cases covered by DepsDiver include security teams evaluating a new npm package before adding it to a critical microservice, where they analyze its commit history to detect any sudden takeover by a single unverified contributor. Engineering teams reviewing a Python library's governance risk by examining shifts in maintainer control and checking the OpenSSF Scorecard for security hygiene. Compliance officers use DepsDiver to assess foreign influence in Java dependencies to reduce FOCI exposure, ensuring that no sanctioned entities are contributing to supply chains. Procurement evaluators check maintainer control of Ruby gems before signing licensing agreements. Developers in their IDE can surface risk in real time, catching malicious packages like the ones highlighted in Hunted Labs' threat reports on EasyJSON and Fast-Glob. The outcome is a measurable reduction in supply chain risk, faster adoption decisions, and stronger security posture.
Target users for DepsDiver include security teams, engineering teams, compliance groups, and procurement groups who need to evaluate new dependencies to reduce FOCI exposure. The platform works across all open source ecosystems, with no installation required for the web interface. Optional developer tools like DepsDiver Assist (VS Code, Cursor, Windsurf) and Diver CLI (command-line) enhance accessibility for technical teams. Pricing details are available via contact with Hunted Labs, but the product is positioned as a pre-adoption intelligence layer that complements their continuous monitoring platform, Entercept. In summary, DepsDiver transforms dependency selection from a blind leap into a data-driven decision, empowering organizations to hunt threats before they enter the software supply chain. With over 9.4 billion commits analyzed, 71 million package versions tracked, and 2.2 million open source users checked, it offers unprecedented visibility into the true nature of open source dependencies.
DepsDiver is built for security teams responsible for vetting open source dependencies and preventing supply chain attacks. Engineering teams and DevOps engineers use it to make informed package adoption decisions during development. Compliance officers and governance specialists rely on DepsDiver to assess FOCI exposure and ensure regulatory adherence across software supply chains. Procurement groups and vendor risk analysts also benefit by evaluating maintainer control and licensing risks before purchasing or licensing third-party code. Additionally, software architects and security champions who need to embed dependency intelligence into CI/CD pipelines will find value in DepsDiver's CLI and IDE integration. The platform assists organizations of all sizes that rely on open source libraries and need to identify adversarial foreign influence early in the adoption process.