1 point by sxs22 7 hours ago | 1 comment
  • sxs22 7 hours ago
    DepGra scans your lockfiles (npm, PyPI, Cargo, Go), pulls CVE data from OSV.dev, and renders your dependency tree as an interactive DAG. Vulnerable packages are color-coded, and risk is ranked by graph centrality -- packages on more dependency paths score higher, regardless of raw CVSS.

    Tech stack: Python/Flask + SQLite + NetworkX on the backend, Svelte + Cytoscape.js on the frontend. Runs fully local.

    I built this because flat vulnerability lists lose all topological context. A HIGH vuln at a graph chokepoint is more dangerous than a CRITICAL on a leaf node, but no standard tool surfaces that. DepGra does.

    CLI mode with `--fail-on` for CI/CD gating and JSON/CSV export. No auto-remediation -- it's a visibility tool. MIT licensed.

    https://github.com/KPCOFGS/depgra
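
The centrality ranking the post describes, as an added example that is not DepGra's own code. It assumes a fully hoisted package-lock.json (lockfileVersion 3, so every dependency resolves to a top-level node_modules/<name> entry), a constructed advisory table standing in for an OSV.dev response, and one concrete definition of "packages on more dependency paths score higher": the number of root-originating dependency paths that pass through a package, computed as paths into it times paths out of it on a DAG. The `--fail-on` gate is likewise an assumed reading of the flag, since the post does not spell out its semantics. Ranking by centrality puts a HIGH on the shared `http-core` chokepoint ahead of a CRITICAL on the single-path leaf `pretty-colors`; ranking by severity alone inverts that.

```python
"""Added example (not DepGra's code): rank vulnerable packages by graph centrality.

Assumptions: a fully hoisted lockfileVersion 3 package-lock.json, constructed
advisory data instead of an OSV.dev query, and centrality defined as the number
of dependency paths from the root that pass through a package (DAG only).
"""
import json
from functools import lru_cache

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}
ROOT = "<root>"  # label for the manifest's own "" entry in the lockfile

# Constructed lockfile: the app depends on web, cli and logger; http-core is
# pulled in by both web and cli and fans out further, so it is a chokepoint.
LOCKFILE_JSON = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"web": "1.0.0", "cli": "1.0.0", "logger": "1.0.0"}},
        "node_modules/web": {"version": "1.0.0", "dependencies": {"http-core": "2.1.0"}},
        "node_modules/cli": {"version": "1.0.0",
                             "dependencies": {"http-core": "2.1.0", "argparse": "3.0.0"}},
        "node_modules/http-core": {"version": "2.1.0",
                                   "dependencies": {"url-parse": "1.5.0", "encoder": "0.9.0"}},
        "node_modules/url-parse": {"version": "1.5.0"},
        "node_modules/encoder": {"version": "0.9.0"},
        "node_modules/argparse": {"version": "3.0.0"},
        "node_modules/logger": {"version": "1.0.0", "dependencies": {"pretty-colors": "4.0.0"}},
        "node_modules/pretty-colors": {"version": "4.0.0"},
    },
})

# Constructed advisory data standing in for OSV.dev results (package -> severity).
ADVISORIES = {"http-core": "HIGH", "pretty-colors": "CRITICAL", "argparse": "MEDIUM"}


def parse_lockfile(text):
    """Map each package (ROOT for the manifest itself) to its direct dependencies."""
    packages = json.loads(text)["packages"]
    edges = {}
    for path, entry in packages.items():
        name = ROOT if path == "" else path.rsplit("node_modules/", 1)[1]
        edges[name] = sorted(entry.get("dependencies", {}))
    return edges


def _assert_acyclic(edges):
    """Path counting is only meaningful on a DAG; refuse cyclic graphs explicitly."""
    WHITE, GREY, BLACK = 0, 1, 2
    color = {v: WHITE for v in edges}

    def visit(v):
        color[v] = GREY
        for d in edges.get(v, []):
            if color.get(d, WHITE) == GREY:
                raise ValueError(f"dependency cycle through {d}")
            if color.get(d, WHITE) == WHITE:
                visit(d)
        color[v] = BLACK

    for v in list(edges):
        if color[v] == WHITE:
            visit(v)


def path_centrality(edges):
    """Number of root-originating dependency paths through each package.

    in_paths(v)  = distinct paths ROOT -> v
    out_paths(v) = distinct paths v -> any package (v itself counts as one)
    through(v)   = in_paths(v) * out_paths(v)
    """
    _assert_acyclic(edges)
    parents = {v: [] for v in edges}
    for v, deps in edges.items():
        for d in deps:
            parents.setdefault(d, []).append(v)

    @lru_cache(maxsize=None)
    def in_paths(v):
        return 1 if v == ROOT else sum(in_paths(p) for p in parents[v])

    @lru_cache(maxsize=None)
    def out_paths(v):
        return 1 + sum(out_paths(d) for d in edges.get(v, []))

    return {v: in_paths(v) * out_paths(v) for v in edges if v != ROOT}


def rank_by_centrality(edges, advisories):
    """Vulnerable packages ordered by centrality; severity only breaks ties."""
    scores = path_centrality(edges)
    rows = [(pkg, sev, scores[pkg]) for pkg, sev in advisories.items() if pkg in scores]
    return sorted(rows, key=lambda r: (-r[2], -SEVERITY_RANK[r[1]], r[0]))


def rank_by_severity(edges, advisories):
    """The flat-list ordering a conventional scanner gives, for comparison."""
    scores = path_centrality(edges)
    rows = [(pkg, sev, scores[pkg]) for pkg, sev in advisories.items() if pkg in scores]
    return sorted(rows, key=lambda r: (-SEVERITY_RANK[r[1]], r[0]))


def ci_gate(ranked, fail_on="HIGH"):
    """True when any vulnerable package reaches the fail-on severity
    (assumed semantics for a --fail-on style flag)."""
    return any(SEVERITY_RANK[sev] >= SEVERITY_RANK[fail_on] for _, sev, _ in ranked)


if __name__ == "__main__":
    deps = parse_lockfile(LOCKFILE_JSON)
    print("centrality order:", rank_by_centrality(deps, ADVISORIES))
    print("severity order:  ", rank_by_severity(deps, ADVISORIES))
    print("fail CI at HIGH? ", ci_gate(rank_by_centrality(deps, ADVISORIES)))
```

Run as a script it prints `http-core` first under centrality (score 6: two paths in, three out) and `pretty-colors` first under severity (score 1). The cycle check matters in practice because npm lockfiles can contain cycles, and a path count over a cyclic graph is undefined rather than merely large.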