trailofbits/it-depends

It-Depends


It-Depends is a tool to automatically build a dependency graph and Software Bill of Materials (SBOM) for packages and arbitrary source code repositories. It supports Go, JavaScript, Rust, Python, C/C++ (cmake and autotools), and Ubuntu packages.

What makes it different from similar tools:

  • Resolves every dependency version that satisfies each constraint, not just the single feasible resolution a package manager would lock to
  • C/C++ support via cmake and autotools without building the project
  • Automated native library dependency mapping via dynamic analysis (e.g., pytz depends on libtinfo.so.6)
  • Vulnerability scanning against the OSV database
  • Dependency similarity comparison between packages

Installation

pip3 install it-depends

Ecosystem-specific tools must be installed separately: npm for JavaScript, cargo for Rust, pip for Python, autotools/cmake for C/C++. Native dependency resolution and Ubuntu package analysis require a Docker-compatible container runtime with an accessible socket (e.g., Docker Desktop, Podman, or Colima).

Usage

it-depends .                            # Analyze current directory
it-depends /path/to/project             # Analyze a source repository
it-depends "pip:numpy"                  # Analyze a pip package
it-depends "ubuntu:libc6@2.31"          # Analyze an Ubuntu package
it-depends "npm:lodash@>=4.17.0"        # Specify a version constraint
it-depends --audit pip:numpy            # Include vulnerability audit
it-depends . --list                     # List compatible resolvers
it-depends --output-format dot .        # Output as Graphviz/Dot
it-depends --depth-limit 1 pip:numpy    # Only direct dependencies
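The first feature in the list above and the --audit flag go together: a lockfile records one feasible version per dependency, so auditing only that version says nothing about the other versions the same constraint admits. The following Python example is added here and is not part of it-depends; it contrasts the two approaches on a constructed registry and two made-up advisories written in the shape of OSV ranges[].events records (introduced/fixed). The package name, version numbers and advisory IDs are invented, and the constraint syntax is limited to comma-separated comparison clauses such as the ">=4.17.0" used in the usage lines above.

```python
import re

# Constructed sample data for this example (not real registry or OSV records).
REGISTRY = {
    "lodash": ["4.16.6", "4.17.0", "4.17.4", "4.17.10", "4.17.15", "4.17.19", "4.17.21"],
}
ADVISORIES = [
    # Same shape as an OSV "ranges[].events" list; the ranges themselves are invented.
    {"id": "EXAMPLE-0001", "package": "lodash",
     "events": [{"introduced": "0"}, {"fixed": "4.17.12"}]},
    {"id": "EXAMPLE-0002", "package": "lodash",
     "events": [{"introduced": "4.17.15"}, {"fixed": "4.17.19"}]},
]


def parse_version(text):
    """'4.17.10' -> (4, 17, 10), padded to three parts so '4.17' == '4.17.0'."""
    parts = tuple(int(p) for p in text.split("."))
    return (parts + (0, 0, 0))[:3]


CLAUSE = re.compile(r"^(>=|<=|==|>|<)?(\d+(?:\.\d+)*)$")
OPS = {
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b, None: lambda a, b: a == b,
}


def satisfies(version, constraint):
    """True if version meets every clause of an AND-ed constraint like '>=4.17.0,<4.17.20'."""
    v = parse_version(version)
    for clause in constraint.split(","):
        match = CLAUSE.match(clause.strip())
        if not match:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, bound = match.groups()
        if not OPS[op](v, parse_version(bound)):
            return False
    return True


def resolve_all(package, constraint):
    """Every registry version that satisfies the constraint, oldest first."""
    return sorted((v for v in REGISTRY[package] if satisfies(v, constraint)), key=parse_version)


def resolve_one(package, constraint):
    """The single 'newest matching' pick a package manager would record in a lockfile."""
    candidates = resolve_all(package, constraint)
    return candidates[-1] if candidates else None


def advisories_for(package, version):
    """IDs of advisories whose OSV-style [introduced, fixed) ranges cover this version."""
    v = parse_version(version)
    hits = []
    for adv in ADVISORIES:
        if adv["package"] != package:
            continue
        introduced, affected = None, False
        for event in adv["events"]:
            if "introduced" in event:
                introduced = parse_version(event["introduced"])
            elif "fixed" in event and introduced is not None:
                if introduced <= v < parse_version(event["fixed"]):
                    affected = True
                introduced = None
        if introduced is not None and introduced <= v:  # open range: no fix published yet
            affected = True
        if affected:
            hits.append(adv["id"])
    return hits


def audit(package, constraint):
    """Map every feasible version to the advisories that affect it."""
    return {v: advisories_for(package, v) for v in resolve_all(package, constraint)}


if __name__ == "__main__":
    spec = ">=4.17.0"
    latest = resolve_one("lodash", spec)
    print("single resolution:", latest, advisories_for("lodash", latest) or "clean")
    print("all feasible versions:")
    for version, ids in audit("lodash", spec).items():
        print(f"  {version:>8}  {', '.join(ids) or 'clean'}")
```

Auditing only the single resolution reports 4.17.21 as clean, while enumerating every feasible version surfaces the four older releases the same constraint still admits; that is the gap the all-versions resolution is meant to close.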

Development

git clone https://github.com/trailofbits/it-depends
cd it-depends
make dev
uv run it-depends --help
make format lint

Acknowledgements

This research was developed by Trail of Bits based upon work supported by DARPA under Contract No. HR001120C0084 (Distribution Statement A, Approved for Public Release: Distribution Unlimited). Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Government or DARPA.

Evan Sultanik and Evan Downing are the active maintainers. Felipe Manzano, Alessandro Gario, Eric Kilmer, Alexander Remie, and Henrik Brodin all made significant contributions to the tool's inception and development.
