EOL Dataset: Find every EOL dependency in your stack. Free. In 5 minutes.

by SkillAiNest

Last year, our engineering team ran 200+ dependency analyses by hand. Same thing every time: a customer would come to us and say, “We need to know what is end-of-life in our stack.” We’d dig through their dependency tree manually, reference everything we could find online, and provide a report.

More than 200 times we did it. And more than 200 times we faced the same problem.

There is no complete source of lifecycle data for open source software. Not from NVD. Not from your SCA vendor. Not from the registries themselves. The best public source we could find covers about 7,000 package versions. The actual number of EOL package versions in the wild is in the millions.

So we asked the obvious question: If no one has mapped which open source packages are dead, why don’t we?

That was 14 months ago. This is where we are now.

The dataset tracks 12M+ package versions on npm, Maven, PyPI, NuGet, Go, Cargo, and others. Two sources of data feed it. First, official EOL announcements from maintainers and foundations. Second, and this is the part that took the most work, ML-based detection of maintainer dropout. Because most open source doesn’t get a formal end-of-life announcement. Commits just stop. Problems pile up. And the package looks perfectly healthy on the registry while no one is at home.

We found 81,000+ package versions in exactly that state: known CVEs, zero remediation path, no maintainers coming to fix them. And here’s the detail that surprised us too: 93 percent of this risk sits in transitive dependencies. Packages that your team has never selected, never reviewed, and probably doesn’t even know exist.

There is a scanner. Free. Upload a package.json, pom.xml, requirements.txt, go.mod, or any CycloneDX/SPDX SBOM. We dissect the entire tree and show you what’s dead, what’s dying, and what’s healthy. Takes about five minutes.

No credit card. No agent. No changes to the code.

Two things I would really like from this community:

Coverage Gaps. If you scan your stack and find a package or ecosystem we’re not tracking, let us know. We’re actively expanding and your feedback goes straight into the backlog.

Honest response. Does it really save you time? Is the output useful? What is missing? We made it because we needed it ourselves 200+ times last year. I would like to know if this solves the problem for you too.
