DepsDiver is a security tool that provides deep repository and dependency intelligence for open source software packages. It helps organizations identify risks associated with external software packages before they are adopted into projects, focusing on uncovering hidden dependency risks that go beyond known vulnerabilities.
The platform surfaces critical dependency risk information including project evolution, commit history, and changes in ownership or influence. It offers both a fully hosted platform and an optional IDE extension that provides real-time signals directly in developers' workflows. The tool analyzes maintainer activity, project behavior, and signals of foreign influence to help teams make informed decisions.
DepsDiver works through a control-first intelligence approach that activates the moment dependencies are introduced. Users can enter a package, repository, contributor, or email domain directly in the browser or from an IDE. The system then surfaces inherent risk factors including detection of foreign influence, contributor data, commit history, repository history, OpenSSF Scorecard, licensing, and release details.
The primary benefit is enabling teams to assess inherent risk before dependencies reach production, reducing uncertainty and avoiding preventable risk. This helps prevent insecure dependencies from being committed, reused, or scaled within an organization's software supply chain.
DepsDiver is designed for security teams, engineering teams, compliance groups, and procurement groups who need to evaluate new dependencies and reduce FOCI (foreign ownership, control, or influence) exposure. It integrates with development workflows through CLI tools and VSIX extensions for VS Code and other supported editors such as Cursor and Windsurf.
These users benefit from dependency intelligence when considering new packages and need clarity before introducing them into projects. The tool serves organizations that want to make informed decisions before dependencies reach deployment.