DeepReach: Dependency Blind-Spot Investigator

DeepReach uses CRAFT to identify open-source packages whose ecosystem importance is hidden behind transitive dependency chains.

The agent investigates the ⁠ DEPS_DEV_V1 ⁠ dependency graph, selects the latest available table snapshot, filters to the highest successfully resolved dependent releases, canonicalizes path-encoded package identities, and compares visible direct usage with total downstream reach.

The investigation found that ⁠ inherits@2.0.4 ⁠ has only three canonical direct dependent nodes, but reaches 87 downstream nodes across seven dependency levels. Its actual reach is 29 times larger than its visible direct footprint, with 96.55% of its exposure hidden transitively.

By comparison, ⁠ tslib@2.7.0 ⁠ appears much larger through direct usage—43 nodes versus three—but its total reach is only slightly larger: 97 versus 87.

DeepReach shows why engineering and software-supply-chain teams should prioritize foundational dependencies using hidden downstream reach and transitive amplification, rather than direct-dependent counts alone.

Built With

  • emergent
Share this project:

Updates