Interesting project! Though, it's usually the smaller and less known-about projects that fall victim to OSS supply-chain attacks (such as the XZ attack).

Since this is a manual check, I worry that most users will just check the big and grandiose dependencies that they have.

Who would you say are your target audience with this tool? OSS developers? Security researchers? Regular users? Corporate managers?

Thank you for the thoughtful comment! You raise an excellent point about smaller projects being overlooked.

That's actually one of the key problems this tool aims to address. While it's a manual check, the tool helps you examine ALL dependencies in your project - including those smaller, lesser-known libraries that often slip under the radar.

The dependency check option (`os4g check --show-dependencies`) is particularly valuable here: it often reveals that well-known, popular libraries actually depend on small, undermaintained projects. This visibility helps users discover these hidden but critical dependencies that might otherwise go unnoticed.

The target audience is primarily general users and developers who may not be deeply familiar with OSS sustainability issues, rather than OSS maintainers or security researchers who already understand these problems well. The goal is to raise awareness and help everyday developers understand the health status of their entire dependency tree, so they can make more informed decisions and potentially contribute back to these smaller projects that their software relies on.