— Captain's Log entry for the Pirates of the Coral-bean Hackathon.
Why this project
Every developer has 5-10 side projects with rotting dependencies and doesn't know it. The 2024 xz-utils backdoor was caught by accident — one engineer noticed SSH was 500 ms slower than usual. That's how close it came.
Tools like Snyk and Dependabot catch known CVEs after they're published. Nothing checks the three signals that together predict a future supply-chain attack: active CVEs · abandoned maintainer · collapsing downloads.
That three-way signal only exists if you can JOIN across OSV (Google's vulnerability database), the npm registry, and the npm download API. Which is exactly what Coral does.
The query that took me 6 days to earn
```sql
WITH pkg AS (
  SELECT name, latest_version, repository__url, time__modified AS last_publish_at
  FROM npm.packages WHERE package_name = :pkg
),
cves AS (
  SELECT affected__package__name AS package_name,
         COUNT(*) AS cve_cou
```
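To make the three-way signal concrete (the "active CVEs · abandoned maintainer · collapsing downloads" idea above, and the JOIN the query sketches), here is an added example that is not Coral's code and not the post's query. It loads three constructed, clearly fake tables (an OSV-style advisory list, npm registry metadata, weekly download counts) into SQLite in place of Coral's federated engine, runs one query that JOINs them on package name, and then applies thresholds that are my own assumptions (18 months without a publish, recent downloads below half of the prior window). Every package and advisory id in it is invented.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Fixed "current time" so the constructed sample is deterministic.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
RECENT_DAYS = 28            # compare last 28 days of downloads with the 28 before
ABANDONED_AFTER_DAYS = 548  # ~18 months with no publish (assumed threshold)
COLLAPSE_RATIO = 0.5        # recent < half of prior window (assumed threshold)

# --- Constructed sample rows standing in for the three real sources ---
# OSV-style advisories: (vuln_id, package_name, withdrawn_at); withdrawn ones are not active.
OSV_ROWS = [
    ("OSV-EXAMPLE-0001", "left-pad-like", None),
    ("OSV-EXAMPLE-0002", "left-pad-like", None),
    ("OSV-EXAMPLE-0003", "well-kept-lib", None),
    ("OSV-EXAMPLE-0004", "busy-lib", "2024-12-01T00:00:00Z"),
]
# Registry metadata: (package_name, latest_version, last_publish_at).
REGISTRY_ROWS = [
    ("left-pad-like", "1.3.0", "2022-06-01T00:00:00Z"),
    ("well-kept-lib", "4.2.1", "2025-01-02T00:00:00Z"),
    ("busy-lib", "2.0.0", "2024-11-20T00:00:00Z"),
]
# Weekly downloads: (recent weekly count, prior weekly count) expanded to 8 weeks below.
WEEKLY = {"left-pad-like": (300, 1000), "well-kept-lib": (5000, 5000), "busy-lib": (800, 200)}

def week_starts(n: int) -> list:
    """ISO dates for the last n week boundaries, newest first."""
    return [(NOW - timedelta(days=7 * k)).strftime("%Y-%m-%d") for k in range(1, n + 1)]

DOWNLOAD_ROWS = [
    (pkg, ws, recent if k <= 4 else prior)
    for pkg, (recent, prior) in WEEKLY.items()
    for k, ws in enumerate(week_starts(8), start=1)
]

def build_db() -> sqlite3.Connection:
    """Load the three constructed sources into one SQLite database so they can be JOINed."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE osv (vuln_id TEXT, package_name TEXT, withdrawn_at TEXT);
        CREATE TABLE packages (package_name TEXT PRIMARY KEY, latest_version TEXT, last_publish_at TEXT);
        CREATE TABLE downloads (package_name TEXT, week_start TEXT, downloads INTEGER);
    """)
    con.executemany("INSERT INTO osv VALUES (?,?,?)", OSV_ROWS)
    con.executemany("INSERT INTO packages VALUES (?,?,?)", REGISTRY_ROWS)
    con.executemany("INSERT INTO downloads VALUES (?,?,?)", DOWNLOAD_ROWS)
    return con

# One query joining advisories, registry metadata and download windows per package.
JOIN_SQL = """
WITH cves AS (
    SELECT package_name, COUNT(*) AS cve_count
    FROM osv WHERE withdrawn_at IS NULL
    GROUP BY package_name
),
dl AS (
    SELECT package_name,
           SUM(CASE WHEN week_start >= :recent_cut THEN downloads ELSE 0 END) AS recent,
           SUM(CASE WHEN week_start <  :recent_cut THEN downloads ELSE 0 END) AS prior
    FROM downloads GROUP BY package_name
)
SELECT p.package_name, p.latest_version, p.last_publish_at,
       COALESCE(c.cve_count, 0), COALESCE(dl.recent, 0), COALESCE(dl.prior, 0)
FROM packages p
LEFT JOIN cves c ON c.package_name = p.package_name
LEFT JOIN dl     ON dl.package_name = p.package_name
ORDER BY p.package_name
"""

def assess(now: datetime = NOW) -> dict:
    """Return the three signals per package, plus whether all three fire together."""
    con = build_db()
    recent_cut = (now - timedelta(days=RECENT_DAYS)).strftime("%Y-%m-%d")
    out = {}
    for name, version, last_pub, cve_count, recent, prior in con.execute(JOIN_SQL, {"recent_cut": recent_cut}):
        published = datetime.fromisoformat(last_pub.replace("Z", "+00:00"))
        abandoned = (now - published).days > ABANDONED_AFTER_DAYS
        collapsing = prior > 0 and recent < COLLAPSE_RATIO * prior
        out[name] = {
            "version": version,
            "cve_count": cve_count,
            "active_cves": cve_count > 0,
            "abandoned": abandoned,
            "collapsing": collapsing,
            "all_three": cve_count > 0 and abandoned and collapsing,
        }
    return out

if __name__ == "__main__":
    for name, s in assess().items():
        flags = [k for k in ("active_cves", "abandoned", "collapsing") if s[k]]
        print(f"{name:15} v{s['version']:6} cves={s['cve_count']} {'ALL THREE' if s['all_three'] else ', '.join(flags) or 'clean'}")
```

Run it and only `left-pad-like` trips all three signals; `well-kept-lib` has an open advisory but is actively maintained and steadily downloaded, and `busy-lib`'s only advisory is withdrawn. The point of filtering on `withdrawn_at IS NULL` and using LEFT JOINs is that a package with no advisories or no download history still appears with zeros rather than silently dropping out of the result.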