Inspired by XKCD 2347

Remember XKCD 2347?

The dependency audit you'll actually open.

Drop in a manifest or connect a repo. Stacktower builds the full dependency tower and finds the CVEs, brittle packages, and license conflicts hiding in your transitives. Then it ranks what to fix first.

The comic was funny. Your dependency incidents are not.

Read-only access to repos you approve. We never store source code.

Free for public repos · Pro $9/mo with 14-day money-back · See pricing

CVE detection · License audits · Brittle dep alerts

Try it yourself first

Search any package from PyPI, npm, crates.io, and more. Get the tower in seconds, see why dependency sprawl gets weird fast, then run it on your real repo.


Want the full picture on your actual stack?

Private GitHub repos, diffs, SBOM export, and version history on Pro

How it works

From dependency graph to actionable fixes in minutes

1. Map your graph

Search any package or connect your GitHub repo. We resolve direct and transitive dependencies automatically.

2. Analyze risks

Triage flags CVEs, license issues, brittle packages, and upgrade risk with code-aware context.

3. Ship prioritized fixes

Get a ranked action plan for what to fix now, what can wait, and how to execute safely.

4. Automate in CI

Add the GitHub Action to get tower diffs on every PR. Gate merges on new vulns, license drift, or brittle deps.

AI-Powered Triage

See exactly what to fix first

Our agent scans for security vulnerabilities, brittle dependencies (single maintainer, abandoned), and license issues — then tells you exactly what to fix.

24 direct, 127 transitive · 2 critical · 2 warnings · 1 cleanup

Found 1 CVE, 1 brittle package, and 1 license issue to review.

Security Vulnerability Detection

Identifies known CVEs and security advisories across your entire dependency tree, including transitive dependencies.

Brittle Dependency Detection

Identifies risky packages: single maintainer, abandoned projects, low bus factor, and outdated dependencies.

Bundle Optimization

Find duplicate packages, unused dependencies, and bloated alternatives to reduce your bundle size.

License Compliance

Audit your dependency licenses to ensure compliance with your organization's policies.

1 AI analysis/month on Free · 20/month on Pro ($9/mo)

GitHub Action (Pro)

Dependency diffs on every pull request

Two lines of YAML. Every PR that touches a manifest gets a tower diff comment with stats, new vulns, license issues, and optional AI triage — automatically.

stacktower bot commented just now

Dependency Tower Diff

+7 added · ~2 updated · 1 unchanged · 🚨 1 new vuln

🚨 New Vulnerabilities

Package   Version    Severity
certifi   2024.2.2   HIGH

Added

  • starlette 0.36.3
  • httptools 0.6.1
  • python-dotenv 1.0.1
  • uvloop 0.19.0
  • watchfiles 0.21.0
  • httpx 0.27.0
  • certifi 2024.2.2

Updated

Package             Before    After
pydantic            1.10.14   2.6.4
typing-extensions   4.9.0     4.10.0

[Rendered images: Tower (before) / Tower (after)]

Generated by Stacktower · View diff · Before tower · After tower

.github/workflows/stacktower.yml
name: Dependency Diff
on: [pull_request]

jobs:
  tower:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: stacktower-io/stacktower-action@v1
        with:
          api-key: ${{ secrets.STACKTOWER_KEY }}
          fail-on-vuln: true

Auto-detects manifests

Finds changed package.json, go.mod, Cargo.lock, pyproject.toml, and more — one comment per manifest.

CI gates on new vulns

Fail the check when new CVEs appear. No severity threshold config — any new vuln = red.

License & brittle alerts

Flag copyleft drift, abandoned packages, and single-maintainer risk before they merge.

Optional AI triage

Add investigate: true for a prioritized fix plan right in the PR comment.

Requires Pro plan ($9/mo) · Read the docs

“All modern digital infrastructure depends on a project some random person in Nebraska has been mass-maintaining since 2003”

XKCD 2347

A small manifest can pull in hundreds of transitive dependencies. Most teams never see the real risk until it shows up in production.

Example: a typical Node service

  • 12 packages in the manifest
  • 847 transitive deps inherited
  • 3 with known CVEs
  • 1 unmaintained since 2019

Simple, transparent pricing

Choose the right plan for you

Start for free and upgrade when you need private repos, diffs, SBOM export, and more AI analyses.

Free

For exploring public dependencies.

$0, forever
  • 200 parses / month
  • 20 renders / month
  • 1 Triage AI analysis / month
  • 500 MB storage
  • Public packages only
Pro (Most Popular)

Full-featured for individuals.

$9 per month
  • 2,000 parses / month
  • 200 renders / month
  • 20 Triage AI analyses / month
  • 10 GB storage
  • Private GitHub repos
  • GitHub Action (PR dependency diffs)
  • API access (up to 3 keys)
  • SBOM export (CycloneDX / SPDX)
  • Dependency diff comparison
Enterprise

For teams with compliance requirements.

Custom pricing, contact sales
  • Everything in Pro
  • Unlimited usage
  • 50+ GB storage
  • Team organizations
  • Audit logs
  • Dedicated support

14-day money-back guarantee on your first paid month · See full pricing
