v1.0.0 — Now Available

Be Undependent.
Own Your Code.

Eliminate supply chain risk by absorbing third-party dependencies into your codebase. No external registries. No upstream compromise possible.


Supply chain attacks that Undependent prevents

  • xz backdoor
  • Event Stream
  • ua-parser-js
  • left-pad
  • dependency confusion
  • typosquatting

Why Undependent

Other tools detect risk. Undependent eliminates it.

Dependency Sovereignty

Absorb dependencies into your codebase. You own the code. No more trusting external registries that can be compromised, nuked, or license-changed.

Lockfile Integrity

SHA256 hashes of every inlined file. Detect tampering immediately. If a file drifts, you know before it ships.

CVE Scanning

OSV API integration for real-time vulnerability detection. Scan on every push, daily cron, or on-demand.

Attack Surface Mapping

See exactly which of YOUR files import inlined dependencies. Know your blast radius before an incident happens.

License Compliance

Auto-detect project license. Check every dependency for compatibility. Generate SBOM + SPDX for audits.

Multi-Language

Go, Python, JavaScript/TypeScript, Rust. One tool for your entire stack.

How It Works

Four steps to supply chain sovereignty

1. Analyze

Scan your codebase to identify every third-party dependency and which of YOUR files actually use them.

    undep analyze

2. Absorb

Inline the dependencies you need directly into your codebase. Create a lockfile with SHA256 hashes of every file.

    undep inline --pr

3. Verify

Validate your build, check file integrity against hashes, scan for CVEs, and verify license compliance.

    undep verify

4. Automate

Integrate into CI/CD. Every PR checks integrity. Every push scans for new CVEs. Every release generates compliance artifacts.

    undep diff && undep verify
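As an added illustration of steps 2 and 3 (not undep's own code): a minimal lockfile of SHA256 digests for inlined files, plus a drift check that separates tampered, missing and unexpected files. The lockfile name `undep.lock.json` and its JSON layout are assumptions; the page does not describe undep's actual format.

```python
# Added example, not undep's own code: build a lockfile of SHA256 digests for
# inlined dependency files and report drift. The JSON layout is an assumption.
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream the file so large vendored blobs need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_lockfile(vendor_dir: Path) -> dict:
    """Map every file under vendor_dir (relative POSIX path) to its SHA256."""
    files = sorted(p for p in vendor_dir.rglob("*") if p.is_file())
    return {p.relative_to(vendor_dir).as_posix(): sha256_file(p) for p in files}

def verify_lockfile(vendor_dir: Path, lock: dict) -> dict:
    """Drift report: modified (hash mismatch), missing, and unexpected files."""
    current = build_lockfile(vendor_dir)
    return {
        "modified": sorted(p for p in lock if p in current and current[p] != lock[p]),
        "missing": sorted(p for p in lock if p not in current),
        "unexpected": sorted(p for p in current if p not in lock),
    }

def demo() -> dict:
    """Constructed scenario: lock two vendored files, then tamper, delete, add."""
    with tempfile.TemporaryDirectory() as tmp:
        vendor = Path(tmp) / "vendor" / "leftpad"
        vendor.mkdir(parents=True)
        (vendor / "index.js").write_text("module.exports = s => s;\n")
        (vendor / "LICENSE").write_text("MIT\n")
        lockfile = Path(tmp) / "undep.lock.json"  # hypothetical file name
        lockfile.write_text(json.dumps(build_lockfile(vendor), indent=2))
        # Simulate the three kinds of drift a verify step should catch.
        (vendor / "index.js").write_text("module.exports = s => s; /* patched */\n")
        (vendor / "LICENSE").unlink()
        (vendor / "postinstall.js").write_text("// not in the lockfile\n")
        return verify_lockfile(vendor, json.loads(lockfile.read_text()))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A CI gate would fail the build whenever any of the three lists is non-empty.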

Try It Free — No Account Needed

Run undep analyze on your repo. See your supply chain risk in seconds.

Free forever with AGPL license. Commercial licenses available for companies.

Pricing

The tool is free. Pay only when your company needs to.

Community

$0/forever

AGPL licensed. The full CLI, unlimited everything. No account needed.

  • Full CLI: analyze, inline, verify
  • Unlimited repos & users
  • Self-hosted, no cloud
  • CVE scanning
  • Community support

Single Scan

$99/repo

One-time cloud scan. Full PDF report with CVEs, licenses, risk score, and SBOM export.

  • Full analysis report
  • SBOM + SPDX export
  • Remediation roadmap
  • Delivered in 24 hours
  • No subscription required

Additional Services

Custom pricing based on your needs. Talk to us.

Your code, your rules. Absorb dependencies into your codebase. Eliminate supply chain risk at the source — not just detect it. Start free, upgrade when your company needs to.

Undependent vs Alternatives

The only tool that actually solves supply chain risk

Tools compared: Undependent, Snyk, Dependabot, Socket.

Features compared:

  • Eliminates risk
  • Passive detection only
  • Lockfile integrity
  • Attack surface mapping
  • SBOM + SPDX
  • License compliance
  • Multi-language

Price:

  • Undependent: Free (AGPL) / $299/yr commercial
  • Snyk: $29/user/mo ($348+/yr per user)
  • Dependabot: Free (GitHub Free) / $4/user/mo
  • Socket: $500+/mo (per team)

Need Something Custom?

Enterprise licensing, on-prem deployment, dedicated support, or custom integrations. We'll work with you.

Or email us directly at sales@undependent.dev

Ready to be Undependent?

Join the supply chain sovereignty movement. Your code, your rules.