How it works

Few teams are building applications using only one open source ecosystem. Instead, they have hundreds-to-thousands of dependencies from package managers such as Maven, RubyGems, and npm.

• We use automated tools integrated with your existing GitHub workflow to understand exactly which packages you actually use—your full dependency graph, including indirect dependencies.
• We define uniform standards for commercial-grade maintenance, security, and legal vetting.
• We enlist—and pay—the upstream projects themselves to keep your dependencies maintained to these uniform standards.
• We keep you informed and updated about your dependencies—whether there's a new security issue or an exciting new feature, you'll be the first to know.
• When packages fail to meet our standards, we'll get it fixed.
• Subscriptions cover core packages you've heard of, but also the deep dependency graph of 1000+ packages found in typical applications.