Show HN: Stacktower – Dependency audits inspired by Xkcd 2347

matzehuels · 2 pts · 0 comments

Stacktower - AI-Powered Dependency Analysis | Stacktower



Inspired by XKCD 2347

Remember XKCD 2347?
The dependency audit you'll actually open.

Drop in a manifest or connect a repo. Stacktower builds the full dependency tower and finds the CVEs, brittle packages, and license conflicts hiding in your transitives. Then it ranks what to fix first.

The comic was funny. Your dependency incidents are not.

Analyze my repo · Try a package live
Read-only access to repos you approve. We never store source code.
Free for public repos · Pro $9/mo with 14-day money-back · See pricing

CVE detection · License audits · Brittle dep alerts

Try it yourself first
Search any package from PyPI, npm, crates.io, and more. Get the tower in seconds, see why dependency sprawl gets weird fast, then run it on your real repo.


Ecosystems: Python · JavaScript · Rust · Go · Ruby · PHP · Java

Popular packages:
  python: fastapi, openai, pydantic
  javascript: express, ioredis, knex
  rust: serde, diesel, hyper
  go: github.com/gin-gonic/gin, github.com/gofiber/fiber/v2, github.com/labstack/echo/v4
  ruby: rails, sinatra, devise
  java: org.springframework:spring-core, com.google.guava:guava, org.apache.commons:commons-lang3
  php: laravel/framework, symfony/symfony, guzzlehttp/guzzle


Want the full picture on your actual stack?
Analyze my repo · Private GitHub repos, diffs, SBOM export, and version history on Pro

How it works
From dependency graph to actionable fixes in minutes

1. Map your graph
   Search any package or connect your GitHub repo. We resolve direct and transitive dependencies automatically.

2. Analyze risks
   Triage flags CVEs, license issues, brittle packages, and upgrade risk with code-aware context.

3. Ship prioritized fixes
   Get a ranked action plan for what to fix now, what can wait, and how to execute safely.

4. Automate in CI
   Add the GitHub Action to get tower diffs on every PR. Gate merges on new vulns, license drift, or brittle deps.

AI-Powered Triage
See exactly what to fix first
Our agent scans for security vulnerabilities, brittle dependencies (single maintainer, abandoned), and license issues — then tells you exactly what to fix.

Sample triage summary: 24 direct, 127 transitive | 2 critical · 2 warnings · 1 cleanup
Found 1 CVE, 1 brittle package, and 1 license issue to review.


Security Vulnerability Detection
Identifies known CVEs and security advisories across your entire dependency tree, including transitive dependencies.

Brittle Dependency Detection
Identifies risky packages: single maintainer, abandoned projects, low bus factor, and outdated dependencies.

Bundle Optimization
Find duplicate packages, unused dependencies, and bloated alternatives to reduce your bundle size.

License Compliance
Audit your dependency licenses to ensure compliance with your organization's policies.
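The brittleness signals named in the feature list above (single maintainer, abandoned project, low bus factor, outdated pin) turned into a small scoring heuristic that ranks the riskiest packages first. This is an added example, not Stacktower's code; the package metadata, thresholds and weights are constructed assumptions, and in a real tool the fields would be populated from registry and repository metadata.

```python
"""Added example (not Stacktower's code): brittle-dependency heuristics over
constructed package metadata, ranked so the riskiest packages come first."""
from dataclasses import dataclass
from datetime import date

# Assumed thresholds and weights; tune them to your own risk appetite.
ABANDONED_AFTER_DAYS = 2 * 365   # no release for two years counts as abandoned
LOW_BUS_FACTOR_MAX = 1           # at most one active committer in the last year
WEIGHTS = {"abandoned": 3, "single_maintainer": 2, "low_bus_factor": 2, "outdated": 1}


@dataclass(frozen=True)
class PackageMeta:
    name: str
    pinned: str               # version in our manifest
    latest: str               # newest version published to the registry
    last_release: date        # date of that newest release
    maintainers: int          # accounts with publish rights
    active_committers: int    # distinct committers in the last 12 months


@dataclass(frozen=True)
class Finding:
    name: str
    signals: tuple
    score: int


def brittleness_signals(pkg, today):
    """Return the names of every brittleness signal that fires for one package."""
    signals = []
    if (today - pkg.last_release).days > ABANDONED_AFTER_DAYS:
        signals.append("abandoned")
    if pkg.maintainers == 1:
        signals.append("single_maintainer")
    if pkg.active_committers <= LOW_BUS_FACTOR_MAX:
        signals.append("low_bus_factor")
    if pkg.pinned != pkg.latest:
        signals.append("outdated")
    return signals


def rank_brittle(packages, today):
    """Score every package and return only the flagged ones, riskiest first."""
    findings = []
    for pkg in packages:
        signals = brittleness_signals(pkg, today)
        if signals:
            score = sum(WEIGHTS[s] for s in signals)
            findings.append(Finding(pkg.name, tuple(signals), score))
    return sorted(findings, key=lambda f: (-f.score, f.name))


# Constructed sample metadata; the package names are placeholders, not real projects.
SAMPLE_PACKAGES = [
    PackageMeta("example-string-pad", "1.3.0", "1.3.0", date(2019, 5, 1), 1, 0),
    PackageMeta("example-web-framework", "2.0.0", "2.4.1", date(2024, 3, 1), 8, 40),
    PackageMeta("example-healthy-lib", "5.1.0", "5.1.0", date(2024, 2, 15), 4, 12),
]
SAMPLE_TODAY = date(2024, 4, 1)   # fixed reference date so the run is reproducible


if __name__ == "__main__":
    for f in rank_brittle(SAMPLE_PACKAGES, SAMPLE_TODAY):
        print(f"{f.score:2d}  {f.name:24s}  {', '.join(f.signals)}")
```

The point of the weighting is the ranking, not the absolute numbers: an abandoned single-maintainer package with no recent committers sorts above a well-staffed project that merely lags a few releases, which is the order in which a team should actually spend its remediation time.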

Start with GitHub · 1 AI analysis/month on Free · 20/month on Pro ($9/mo)

GitHub Action (Pro)
Dependency diffs on every pull request
Two lines of YAML. Every PR that touches a manifest gets a tower diff comment with stats, new vulns, license issues, and optional AI triage — automatically.

stacktowerbot commented just now

Dependency Tower Diff
+7 added · ~2 updated · 1 unchanged · 🚨 1 new vuln

Health Comparison
Towers: Before | After

Package Changes

🚨 New Vulnerabilities
Package | Version  | Severity
certifi | 2024.2.2 | HIGH

Added
starlette 0.36.3
httptools 0.6.1
python-dotenv 1.0.1
uvloop 0.19.0
watchfiles 0.21.0
httpx 0.27.0
certifi 2024.2.2

Updated
Package           | Before  | After
pydantic          | 1.10.14 | 2.6.4
typing-extensions | 4.9.0   | 4.10.0

Generated by Stacktower · View diff · Before tower · After tower

.github/workflows/stacktower.yml

    name: Dependency Diff
    on: [pull_request]

    jobs:
      tower:
        runs-on: ubuntu-latest
        steps:
          - uses: actions/checkout@v4
          - uses: stacktower-io/stacktower-action@v1
            with:
              api-key: ${{ secrets.STACKTOWER_KEY }}
              fail-on-vuln: true

Auto-detects manifests
Finds changed package.json, go.mod, Cargo.lock, pyproject.toml, and more — one comment per manifest.

CI gates on new vulns
Fail the check when new CVEs appear. No severity threshold config — any new vuln = red.

License & brittle alerts
Flag copyleft drift, abandoned packages, and single-maintainer risk before they merge.

Optional AI triage
Add `investigate: true` for a prioritized fix plan right in the PR comment.
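The per-PR tower diff and the gate policy described above (any new vuln is red; copyleft drift on added packages is flagged), reimplemented as an added example in Python. This is not Stacktower's action or API: it compares two pinned requirements-style manifests, reports added/updated/unchanged packages, matches the result against an inline advisory table, and fails only on vulnerabilities that are new relative to the base branch. The manifests, advisory IDs, fix versions and license data are all constructed for illustration.

```python
"""Added example (not Stacktower's code): a per-PR dependency diff gate that fails
only on vulnerabilities new relative to the base branch. All data is constructed."""
from dataclasses import dataclass

# Constructed pinned manifests (requirements.txt style); not real lock files.
BEFORE_MANIFEST = """\
fastapi==0.109.0
pydantic==1.10.14
typing-extensions==4.9.0
example-legacy-lib==0.3.0
"""
AFTER_MANIFEST = """\
fastapi==0.110.0
pydantic==2.6.4
typing-extensions==4.10.0
example-legacy-lib==0.3.0
starlette==0.36.3
httpx==0.27.0
certifi==2024.2.2
example-copyleft-tool==1.0.0
"""
# Constructed advisories: package -> [(placeholder id, severity, first fixed version)].
ADVISORIES = {
    "certifi": [("ADV-EXAMPLE-0001", "HIGH", "2024.7.4")],
    "example-legacy-lib": [("ADV-EXAMPLE-0002", "MEDIUM", "0.4.0")],
}
# Constructed license metadata; a copyleft license on an added package is "drift".
LICENSES = {"starlette": "BSD-3-Clause", "httpx": "BSD-3-Clause",
            "certifi": "MPL-2.0", "example-copyleft-tool": "AGPL-3.0-only"}
COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}

def parse_manifest(text):
    """Return {package: version} from 'name==version' lines; reject unpinned ones."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned requirement: {line!r}")
        pins[name.strip().lower()] = version.strip()
    return pins

def version_key(version):
    """Numeric tuple for comparing dotted versions (pre-release tags are ignored)."""
    return tuple(int("".join(c for c in p if c.isdigit()) or 0) for p in version.split("."))

def diff_manifests(before, after):
    """Classify packages as added / removed / updated / unchanged."""
    common = before.keys() & after.keys()
    return {
        "added": {p: v for p, v in after.items() if p not in before},
        "removed": {p: v for p, v in before.items() if p not in after},
        "updated": {p: (before[p], after[p]) for p in common if before[p] != after[p]},
        "unchanged": {p: after[p] for p in common if before[p] == after[p]},
    }

def find_vulns(pins):
    """Return {(package, advisory id): severity} for pins below the fixed version."""
    hits = {}
    for pkg, version in pins.items():
        for adv_id, severity, fixed_in in ADVISORIES.get(pkg, []):
            if version_key(version) < version_key(fixed_in):
                hits[(pkg, adv_id)] = severity
    return hits

@dataclass
class GateResult:
    changes: dict
    new_vulns: dict          # present after the change, absent before
    preexisting_vulns: dict  # present on both sides: reported, never blocking
    license_drift: dict

    @property
    def should_fail(self):
        # Same policy as "fail-on-vuln: true": any new vuln is red, whatever its severity.
        return bool(self.new_vulns)

def gate(before_text, after_text):
    """Run the whole check; should_fail on the result drives the CI exit code."""
    before, after = parse_manifest(before_text), parse_manifest(after_text)
    before_vulns, after_vulns = find_vulns(before), find_vulns(after)
    changes = diff_manifests(before, after)
    drift = {p: LICENSES[p] for p in changes["added"] if LICENSES.get(p) in COPYLEFT}
    return GateResult(changes,
                      {k: s for k, s in after_vulns.items() if k not in before_vulns},
                      {k: s for k, s in after_vulns.items() if k in before_vulns},
                      drift)

if __name__ == "__main__":
    import sys
    r = gate(BEFORE_MANIFEST, AFTER_MANIFEST)
    c = r.changes
    print(f"+{len(c['added'])} added · ~{len(c['updated'])} updated · {len(c['unchanged'])} unchanged")
    for label, found in (("NEW VULN", r.new_vulns), ("pre-existing (not blocking)", r.preexisting_vulns)):
        for (p, a), s in found.items():
            print(f"{label} {s}: {p} ({a})")
    for p, lic in r.license_drift.items():
        print(f"LICENSE DRIFT: {p} is {lic}")
    sys.exit(1 if r.should_fail else 0)  # non-zero exit fails the CI check
```

Wired into CI, the exit status is the gate. The advisory that already affected the base branch is reported but does not block, which is what "new vulns only" means in practice; a production version would resolve transitive dependencies from the lock file and query a live advisory source rather than the inline table.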

Set up the Action · Requires Pro plan ($9/mo) · Read the docs

“All modern digital infrastructure depends on a project some random person in Nebraska has been mass-maintaining since 2003”
— XKCD 2347

A small manifest can pull in hundreds of transitive dependencies. Most teams never see the real risk until it shows up in production.

Example: a typical Node service
  12 packages in the manifest
  847 transitive deps inherited
  with known CVEs
  unmaintained since 2019

Fits into the way you work
Start from a...
