
DependencyWatch

Catch the signal before the break — real-time dependency health scanner.

🏆 Hackathon Winner · 🤖 AI Powered · Hackathon Project

Overview

An agentic dependency-health platform that scans a project manifest (or any public GitHub repo) and fuses four independent signals — security CVEs, maintenance activity, adoption, and live web chatter — into a single 0–100 'repair signal' per package, with a recommended action and a citable evidence trail. Built on Clean Architecture so every external provider degrades gracefully. Winner of the Tower Pipeline Challenge at the DeveloperWeek New York 2026 Hackathon.

Key Features

  • Four-pillar scoring — Security (45%), Maintenance (30%), Live Chatter (15%), Adoption (10%) — fused into one repair signal
  • Security-first override that caps vulnerable packages in the red, matching npm-audit behavior
  • Multi-ecosystem scanning: npm, PyPI, Go, Rust, Maven, and SBOM (CycloneDX/SPDX)
  • AI fusion chain: Claude → Groq → deterministic engine, with graceful degradation
  • Live results streaming via Server-Sent Events, worst dependencies first
  • Tower Python pipeline with parallel fan-out and an Apache Iceberg lakehouse cache for instant re-scans
  • CI/CD GitHub Action that fails any PR introducing a critical dependency
  • PDF/JSON report export, saved projects, and auto-generated alerts
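The following is an added illustration of the four-pillar fusion and the security-first override listed above; it is not DependencyWatch's own code. The pillar weights come from the feature list, while the red/green band boundaries, the action labels, and the package data are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Pillar weights as listed above; each pillar is scored 0-100 with 100 = healthy.
WEIGHTS = {"security": 0.45, "maintenance": 0.30, "chatter": 0.15, "adoption": 0.10}
RED_MAX = 39  # assumed for this example: a score at or below this is "in the red"


@dataclass(frozen=True)
class Pillars:
    name: str
    security: float
    maintenance: float
    chatter: float
    adoption: float
    known_vulnerability: bool = False  # an open CVE affects the pinned version


def fuse(p: Pillars) -> float:
    """Weighted fusion of the four pillars into one 0-100 value."""
    values = {"security": p.security, "maintenance": p.maintenance,
              "chatter": p.chatter, "adoption": p.adoption}
    if any(not 0 <= v <= 100 for v in values.values()):
        raise ValueError("pillar scores must lie within 0-100")
    return sum(WEIGHTS[k] * v for k, v in values.items())


def repair_signal(p: Pillars) -> int:
    """Security-first override: a known vulnerability caps the score in the red band."""
    score = round(fuse(p))
    return min(score, RED_MAX) if p.known_vulnerability else score


def recommended_action(score: int) -> str:
    if score <= RED_MAX:
        return "replace or patch now"
    return "keep" if score >= 70 else "schedule an upgrade"  # 70: assumed green boundary


def rank_worst_first(packages: list[Pillars]) -> list[tuple[str, int, str]]:
    """Order results weakest first, as the streamed results described above are."""
    rows = [(p.name, repair_signal(p), recommended_action(repair_signal(p))) for p in packages]
    return sorted(rows, key=lambda r: r[1])


# Constructed sample input: names and scores are made up for this example.
SAMPLE = [
    Pillars("abandoned-util", 90, 20, 30, 90),
    Pillars("old-parser", 35, 60, 70, 80, known_vulnerability=True),
    Pillars("well-kept", 100, 95, 70, 90),
]
```

Note that old-parser would fuse to an amber 52 on the weighted sum alone; the override is what forces it into the red, which is the npm-audit-style behaviour the feature list describes.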