Live dependency graph
56 repos. 188 cross-repository edges. Click any node to see what depends on it and simulate the blast radius of a breaking change.
What this graph says
Five repos carry almost everything:
prometheus/common (28 dependents),
client_golang (25),
client_model (23),
prometheus/prometheus (23),
and exporter-toolkit (22).
If you've contributed to the org, this ranking is calibration, not surprise — and that's the point. The graph confirms the mental model
a senior maintainer already has, in a form a new engineer can read on day one.
The bottom row of disconnected repos is doing two different things. Most are repos whose dependencies leave the org entirely
(lezer-promql imports five npm packages cleanly — they're just not Prometheus packages). The rest are repos in
ecosystems Riftmap can't yet parse. The graph treats them identically. The writeup below doesn't.
client_golang is imported from prometheus/prometheus three separate times — once each in
go.mod, exp/go.mod, and tutorials/whatsup/go.mod. Riftmap surfaces each manifest as
its own reference rather than collapsing them. "We bumped the dependency" and "we bumped every reference to the dependency"
are not the same statement, and Go monorepos are exactly where that bug hides.
The honest list of parser gaps in this scan:
no pom.xml (so client_java and jmx_exporter come out unconnected),
no pyproject.toml (client_python),
no Gemfile (client_ruby),
no Cargo.toml (client_rust).
These are real, named gaps — next on the parser roadmap, roughly in that order.
A scan that doesn't tell you what it missed isn't a scan you should trust.
A read-only token, ~90 seconds to first scan, free for 15 repos. The graph above is what you get back — interactive, file-level evidence, impact mode included.
Scan your own orgFurther reading
I scanned all 56 repos in the Prometheus org with Riftmap. Here's the cross-repo dependency graph, including the 25 repos that import client_golang.
Read the deeper dive