Teams use Renovate for updates but lack a single-pane-of-glass view showing which packages are approaching EOL, which are obsolete, and which are healthy — forcing manual checks across multiple tools and data sources.
Connects to your repos, generates SBOMs automatically, enriches with EOL data feeds and GitHub project health signals, and presents a risk-prioritized dashboard showing dependency status across your entire org.
SaaS subscription tiered by number of repos/services monitored (free for up to 5 repos, paid tiers for teams and enterprise).
The pain is real but episodic — teams feel it during audits, incidents, or when a runtime hits EOL unexpectedly. The Reddit thread had only 5 upvotes and 7 comments, suggesting moderate rather than burning pain. Most teams tolerate manual checking or cobble together scripts. It's a 'vitamin not painkiller' problem for many — painful for platform teams at scale but not urgent enough to trigger immediate purchasing for most.
TAM is mid-sized. Target is DevOps/platform teams at companies with 50+ developers and multiple services. Roughly 50K-100K such organizations globally. At $200-500/month average, that's a $120M-600M addressable market. However, realistic serviceable market is much smaller — maybe 5K-10K orgs that have both the pain AND budget, putting SAM at $12M-60M. Not a venture-scale market on its own, but viable for a profitable SaaS.
This is the weakest dimension. DevOps teams already pay for Snyk/Sonatype/JFrog and may resist adding another tool. The 'EOL visibility' feature could be perceived as something their existing SCA tool SHOULD do, making it a feature request rather than a product. Free alternatives exist (endoflife.date + Xeol + scripts). Budget holders may struggle to justify a separate line item for 'dependency health visibility' vs. 'security scanning.' Would need to demonstrate clear ROI through avoided incidents or audit readiness.
Highly buildable. Core components: GitHub/GitLab API integration for repo scanning, Syft or similar for SBOM generation, endoflife.date API for EOL data, GitHub API/OpenSSF Scorecard for health signals, and a dashboard frontend. A competent solo dev could build an MVP in 6-8 weeks using existing open-source tools (Syft for SBOMs, endoflife.date API, Libraries.io API for health signals) and a standard web stack. The data sources are freely available. Main technical challenge is accurate package-to-EOL mapping for individual libraries (not just runtimes).
Clear gap exists. No tool provides a unified, risk-prioritized dashboard combining EOL dates + package obsolescence + maintenance health across repos. Xeol is closest but is CLI-only. Snyk/Sonatype focus on CVEs. Renovate handles updates but not visibility. Everyone does SBOMs and vulns; nobody does lifecycle dashboards well. The risk is that Snyk or GitHub adds this as a feature within 12-18 months, but first-mover advantage in the niche is real.
Strong subscription fit. Dependencies change constantly, new EOL dates are announced regularly, new packages are added — the data is inherently dynamic and needs continuous monitoring. Teams would check this dashboard weekly/monthly. Org-wide visibility is sticky once adopted by platform teams. Natural expansion from 5 repos to 50 to 500 as trust builds.
- +Clear market gap — no tool unifies EOL tracking, obsolescence signals, and dependency health into a single cross-repo dashboard
- +Technically very feasible using existing open-source data sources (endoflife.date, OpenSSF Scorecards, Libraries.io, Syft)
- +Strong regulatory tailwinds (SBOM mandates, EU CRA) pushing organizations toward better dependency visibility
- +Natural land-and-expand model (free 5 repos → paid team → enterprise) with good retention mechanics
- +Low competition in the specific niche — incumbents (Snyk, Sonatype) are focused on vulnerability scanning, not lifecycle management
- !Feature-not-product risk: Snyk, GitHub, or JFrog could add EOL dashboard features and commoditize this overnight
- !Willingness-to-pay is uncertain — DevOps teams already have tool fatigue and may resist another dashboard subscription
- !Low engagement signal from source (5 upvotes, 7 comments) suggests moderate, not intense, demand
- !Package-level EOL tracking (vs. runtime-level) is technically harder and data sources are incomplete
- !Selling to 'platform teams at mid-to-large companies' means enterprise sales cycles, which are slow and expensive for a solo founder
Open-source CLI scanner that detects end-of-life packages and runtimes in container images, SBOMs, and directories. Uses endoflife.date as its data source. Part of the Anchore/Syft/Grype ecosystem.
Leading SCA platform scanning dependencies for known vulnerabilities, providing automated fix PRs, SBOM export, license compliance, and continuous monitoring across repos.
Free, open-source platform for SBOM ingestion and continuous vulnerability analysis. Provides a web dashboard for tracking component vulnerabilities across projects.
Supply-chain security platform using behavioral analysis to detect malicious packages, typosquatting, and suspicious code. Includes package quality/health scoring.
SCA platform with unique 'Open Source Health' scoring that evaluates maintenance activity, community size, popularity, and update frequency alongside vulnerability and license scanning. Acquired by JFrog in 2022.
GitHub App that scans connected repos, generates SBOMs via Syft, cross-references against endoflife.date API + OpenSSF Scorecard + Libraries.io API, and renders a single dashboard showing: (1) packages/runtimes past or approaching EOL with timeline, (2) unmaintained/deprecated packages ranked by risk, (3) per-service health score. Start with npm + Python + Go ecosystems only. Ship as a hosted web dashboard with GitHub OAuth login.
Free tier (up to 5 repos, basic EOL alerts) → Team plan at $49/month (25 repos, Slack/email alerts, export reports) → Business at $199/month (unlimited repos, JIRA integration, compliance reports, API access) → Enterprise custom (SSO, self-hosted, SLA, audit logs). Consider usage-based pricing on number of monitored packages rather than repos for better unit economics.
3-5 months. Month 1-2: Build MVP with GitHub integration and core dashboard. Month 3: Launch on Product Hunt and r/devops, offer free tier. Month 4-5: Convert early adopters to paid plans. First meaningful revenue ($1K MRR) likely at month 5-6. Getting to $10K MRR will require either enterprise deals or significant organic growth, likely 12-18 months.
- “how do you guys keep track of which of your packages are obsolete, approaching EOL or still fine? I mean in a dashboard way”
- “renovate handles updates, but visibility is the real gap here”
- “a lot of teams combine SBOM tools + dashboards to actually see risk over time”
- “checking multiple tools manually”
- “if your codebase is big enough, you basically need a dedicated developer for fixing this”