What is PkgWatch?
PkgWatch is a dependency health intelligence platform that helps developers predict which npm and Python packages are at risk of abandonment, maintenance decline, or security issues—before they break your build.
Unlike traditional security scanners that only detect known vulnerabilities, PkgWatch uses predictive analytics to identify packages showing early warning signs of trouble. By analyzing maintenance patterns, contributor activity, and community signals, PkgWatch gives you a health score (0-100) for every package in your dependency tree.
The Problem PkgWatch Solves
Modern applications depend on hundreds—sometimes thousands—of third-party packages. When a critical dependency gets abandoned, compromised, or sabotaged, the impact can be catastrophic. And by the time traditional security tools detect a problem, it's often too late.
- Maintainer intentionally corrupted packages with infinite loops, breaking thousands of projects overnight. Over 25 million weekly downloads affected.
- Maintainer handed off project to an attacker who injected cryptocurrency-stealing malware. Over 2 million downloads contained the malicious code.
- An 11-line package was unpublished, breaking React, Babel, and thousands of builds worldwide. Caused a global npm outage.
These weren't security vulnerabilities in the traditional sense. They were maintainer problems—a blind spot in traditional security tooling that PkgWatch is designed to address.
What PkgWatch Does
PkgWatch continuously monitors packages across npm and PyPI registries, analyzing signals that indicate package health and maintainer engagement. Here's what you get:
- Health Scores (0-100)
Quantified package health based on maintenance signals, update frequency, issue responsiveness, and community engagement.
- Abandonment Risk Prediction
Early warning system that identifies packages showing signs of declining maintenance before they become unmaintained.
- Maintenance Decline Detection
Track changes in maintainer activity over time. Know when a package transitions from actively maintained to stale.
- Security Risk Assessment
Identify packages vulnerable to supply chain attacks due to single-maintainer risk, lack of 2FA, or suspicious ownership changes.
How PkgWatch Works
PkgWatch collects data from multiple sources to build a comprehensive picture of package health:
- npm Registry — Download counts, version history, maintainer information
- PyPI Registry — Release patterns, metadata, maintainer activity
- GitHub — Commit frequency, issue response times, PR merge rates, contributor count
- deps.dev — Dependency graphs, security advisories, license information
Our scoring algorithms analyze these signals to produce a health score and risk assessment for each package. The methodology is transparent and documented—you can learn more on our methodology page.
Ways to Use PkgWatch
PkgWatch integrates into your workflow however you prefer:
REST API
Query package health scores programmatically. Get detailed risk assessments, maintenance metrics, and historical data for any npm or PyPI package.
CLI Tool
Check package health from your terminal. Scan your package.json or requirements.txt and get instant feedback on dependency risks.
GitHub Action
Automatically scan dependencies on every pull request. Block merges when high-risk packages are detected. Configurable thresholds.
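The two preceding sections describe the pipeline in prose: read the dependency manifest, gather maintenance and ownership signals for each package, fold them into a 0-100 score, and block a merge when a package falls under a threshold. The script below is an added illustration of that pipeline and is not PkgWatch's code or its scoring methodology; the signal names, weights, sample manifests and the block/allow policy are all constructed for this example.

```python
import json
import re

# Constructed sample manifests (not real project files).
PACKAGE_JSON = json.dumps({
    "dependencies": {"express": "^4.18.2", "left-pad": "^1.3.0"},
    "devDependencies": {"jest": "^29.0.0"},
})
REQUIREMENTS_TXT = "requests==2.31.0\n# pinned web framework\nflask>=2.0\n\n-r extra.txt\n"

# Hypothetical per-package signals of the kind listed under "How PkgWatch Works".
# Values are constructed for this example; the key names are assumptions.
SIGNALS = {
    "express":  {"days_since_last_release": 40, "commits_last_90d": 55, "median_issue_response_days": 3,
                 "maintainer_count": 6, "maintainers_with_2fa": 6, "ownership_changed_recently": False},
    "left-pad": {"days_since_last_release": 2000, "commits_last_90d": 0, "median_issue_response_days": None,
                 "maintainer_count": 1, "maintainers_with_2fa": 0, "ownership_changed_recently": False},
    "requests": {"days_since_last_release": 120, "commits_last_90d": 20, "median_issue_response_days": 10,
                 "maintainer_count": 3, "maintainers_with_2fa": 3, "ownership_changed_recently": False},
    "flask":    {"days_since_last_release": 30, "commits_last_90d": 40, "median_issue_response_days": 5,
                 "maintainer_count": 2, "maintainers_with_2fa": 1, "ownership_changed_recently": True},
}

_REQ_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def parse_package_json(text):
    """Return the sorted direct dependency names (deps + devDeps) from a package.json string."""
    manifest = json.loads(text)
    names = set(manifest.get("dependencies", {})) | set(manifest.get("devDependencies", {}))
    return sorted(names)


def parse_requirements(text):
    """Return sorted, lower-cased names from a requirements.txt string.
    Blank lines, comments and option lines (-r, -e, --index-url ...) are skipped."""
    names = set()
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "-")):
            continue
        m = _REQ_NAME.match(stripped)
        if m:
            names.add(m.group(1).lower())
    return sorted(names)


def health_score(s):
    """Illustrative 0-100 score: weighted release recency, commit activity,
    issue responsiveness and bus factor. Weights are assumptions, not PkgWatch's."""
    recency = max(0.0, 1 - s["days_since_last_release"] / 365)          # released within a year -> >0
    activity = min(1.0, s["commits_last_90d"] / 30)                      # 30+ commits per quarter saturates
    resp = s["median_issue_response_days"]
    responsiveness = 0.0 if resp is None else max(0.0, 1 - resp / 30)   # no responses at all -> 0
    bus_factor = min(1.0, (s["maintainer_count"] - 1) / 3)              # a single maintainer scores 0
    return round(100 * (0.3 * recency + 0.25 * activity + 0.2 * responsiveness + 0.25 * bus_factor))


def risk_flags(s):
    """Supply-chain risk flags matching the page's examples (single maintainer,
    missing 2FA, ownership change) plus a staleness flag."""
    flags = []
    if s["maintainer_count"] == 1:
        flags.append("single-maintainer")
    if s["maintainers_with_2fa"] < s["maintainer_count"]:
        flags.append("maintainers-without-2fa")
    if s["ownership_changed_recently"]:
        flags.append("ownership-change")
    if s["days_since_last_release"] > 365:
        flags.append("stale-release")
    return flags


def scan(dep_names, signals, threshold=50):
    """Score each dependency and decide whether it should block a merge.
    Assumed policy: block when score < threshold or ownership changed recently;
    packages with no signal data are reported but not blocked."""
    report = []
    for name in sorted(dep_names):
        s = signals.get(name)
        if s is None:
            report.append({"name": name, "score": None, "flags": ["no-data"], "blocked": False})
            continue
        score, flags = health_score(s), risk_flags(s)
        blocked = score < threshold or "ownership-change" in flags
        report.append({"name": name, "score": score, "flags": flags, "blocked": blocked})
    return report


def blocked_packages(report):
    """Names a CI gate would fail the pull request on."""
    return [r["name"] for r in report if r["blocked"]]


if __name__ == "__main__":
    deps = parse_package_json(PACKAGE_JSON) + parse_requirements(REQUIREMENTS_TXT)
    for row in scan(deps, SIGNALS):
        print(row)
```

With the constructed inputs, the one-maintainer package with no releases in years scores 0 and is blocked on the threshold, while the recently transferred package is blocked by the ownership flag even though its score is above the line; that second case is why a gate should combine a score with discrete risk flags rather than rely on the score alone.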
PkgWatch vs Other Tools
Traditional tools like npm audit, Snyk, and Dependabot focus on known vulnerabilities—CVEs that have already been discovered and reported. These tools are essential, but they're inherently reactive.
PkgWatch takes a different approach: predictive intelligence. Instead of waiting for a vulnerability to be disclosed, PkgWatch identifies packages that are likely to become problematic based on maintenance patterns and community health signals.
| | npm audit / Snyk | PkgWatch |
|---|---|---|
| Approach | Reactive (known CVEs) | Predictive (early warning) |
| Detects abandonment | No | Yes |
| Maintenance health | No | Yes |
| Supply chain risk | Limited | Comprehensive |
We recommend using PkgWatch alongside traditional security tools for comprehensive coverage.
Frequently Asked Questions
Is PkgWatch free?
Yes, PkgWatch offers a free tier with 5,000 requests per month—enough for most individual developers and small projects. Paid plans start at $9/month for higher limits. View pricing.
What package registries does PkgWatch support?
PkgWatch currently supports npm (Node.js/JavaScript) and PyPI (Python) package registries. Support for additional registries is on our roadmap.
How is PkgWatch different from npm audit?
npm audit checks for known security vulnerabilities (CVEs). PkgWatch predicts abandonment risk and maintenance decline before they become security issues—it's predictive rather than reactive.
Can I use PkgWatch in my CI/CD pipeline?
Yes. PkgWatch provides both a CLI tool (@pkgwatch/cli) and a GitHub Action for seamless CI/CD integration. You can configure thresholds to block merges when high-risk packages are detected.
Ready to try PkgWatch?
Start monitoring your dependencies for free. No credit card required.