AI-Powered Recommendations
CodeStax uses AI to suggest safer alternative packages when your dependencies have license conflicts, security issues, or low health scores.
How It Works
When CodeStax detects a dependency with a problematic license (for example, a copyleft license in a proprietary project) or a package with a recurring history of vulnerabilities, it queries its AI engine for replacement packages. Because a replacement is rarely a true drop-in, each suggestion is paired with migration notes. Recommendations weigh:
- License compatibility — Suggests packages whose licenses satisfy your project's license policy (for a proprietary project, typically permissive licenses).
- Functional equivalence — Recommends packages that provide similar functionality.
- Security posture — Prefers packages with fewer historical CVEs and active maintenance.
- Community adoption — Favors packages with higher download counts and broader usage.
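To make the four criteria concrete, here is an added example of how a license-policy check and a ranking over candidate packages could be combined. It is illustrative code written for this page, not CodeStax's engine: the allowed-license set, the scoring weights and every package record are constructed assumptions, and the functional-equivalence signal is modelled as overlapping capability tags rather than anything the product exposes.

```python
"""Illustrative license check and candidate ranking (added example, not CodeStax code).

Combines the four criteria the page lists: license compatibility, functional
equivalence, security posture and community adoption. All weights, the license
policy and the package data are assumptions constructed for this example.
"""
import math
from dataclasses import dataclass, field

# Assumed license policy for a proprietary project: permissive SPDX identifiers
# are allowed; anything else (copyleft in particular) is a conflict.
ALLOWED_LICENSES = {"MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"}


@dataclass
class Package:
    """Constructed package metadata, modelled on the fields the page describes."""
    name: str
    license: str              # SPDX identifier
    cve_count: int            # historical CVEs; lower is better
    days_since_release: int   # maintenance signal; lower is better
    weekly_downloads: int     # adoption signal; higher is better
    tags: frozenset = field(default_factory=frozenset)  # functional capabilities


def license_conflict(pkg: Package, allowed=ALLOWED_LICENSES) -> bool:
    """A dependency conflicts when its license is outside the project's policy."""
    return pkg.license not in allowed


def score(candidate: Package, functional_overlap: float) -> float:
    """Fold functional equivalence, security posture and adoption into one number.

    The weights are arbitrary choices for this example, not CodeStax's.
    """
    maintained = candidate.days_since_release <= 365
    return (
        3.0 * functional_overlap                          # functional equivalence
        + math.log10(max(candidate.weekly_downloads, 1))  # community adoption
        - 1.5 * candidate.cve_count                       # security posture: CVE history
        + (2.0 if maintained else 0.0)                    # security posture: maintenance
    )


def recommend(original: Package, candidates, allowed=ALLOWED_LICENSES):
    """Return license-compatible, functionally overlapping candidates, best first."""
    ranked = []
    for cand in candidates:
        if cand.name == original.name or license_conflict(cand, allowed):
            continue  # never suggest the package itself or another policy violation
        overlap = len(cand.tags & original.tags) / (len(original.tags) or 1)
        if overlap == 0:
            continue  # shares no capability with the original; not a replacement
        ranked.append((score(cand, overlap), cand))
    ranked.sort(key=lambda item: (-item[0], item[1].name))
    return [cand for _, cand in ranked]


# Constructed sample data: a copyleft HTTP client inside a proprietary project.
ORIGINAL = Package("old-http", "GPL-3.0-only", 4, 900, 200_000,
                   frozenset({"http-client", "retries"}))
CANDIDATES = [
    Package("fetchly", "MIT", 0, 30, 5_000_000, frozenset({"http-client", "retries"})),
    Package("grabit", "Apache-2.0", 2, 400, 50_000_000, frozenset({"http-client"})),
    Package("copyhttp", "AGPL-3.0-only", 0, 10, 1_000_000, frozenset({"http-client", "retries"})),
    Package("imglib", "MIT", 0, 5, 9_000_000, frozenset({"image"})),
    Package("tinyreq", "ISC", 1, 100, 100_000, frozenset({"http-client", "retries"})),
]


def recommended_names(original=ORIGINAL, candidates=CANDIDATES):
    """Names of the ranked alternatives for the constructed sample."""
    return [p.name for p in recommend(original, candidates)]


if __name__ == "__main__":
    print("license conflict on original:", license_conflict(ORIGINAL))
    for pkg in recommend(ORIGINAL, CANDIDATES):
        print(f"{pkg.name:10s} {pkg.license:12s} cves={pkg.cve_count} "
              f"downloads={pkg.weekly_downloads}")
```

Note how the two exclusions differ in kind: copyhttp is the most actively maintained candidate yet is dropped outright because its AGPL license fails the policy, while imglib is dropped for sharing no capability with the original. Only the survivors are scored, so a high download count can never rescue a package that violates the license policy.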
Where to Find Recommendations
License Conflicts
Navigate to SCA > Licenses. Any dependency flagged with a license conflict shows an Alternatives button. Click it to see AI-recommended replacements with compatible licenses.
Vulnerable Packages
In the SCA > Findings detail view, packages with recurring vulnerabilities or low health scores display a Suggested Alternatives section below the vulnerability details.
Dependency Detail
Click any dependency in SCA > Dependencies and scroll to the AI Recommendations tab. If the package has known issues, alternative suggestions appear here with migration notes.
What You See
Each recommendation includes:
- Package name — The suggested alternative package.
- License — The alternative’s license type.
- Weekly downloads — Community adoption indicator.
- Health score — CodeStax health score for the alternative.
- Migration notes — AI-generated guidance on how the API differs and what changes are needed to switch.
Limitations
- Recommendations are generated by AI and must be reviewed before adoption. At minimum, confirm that the suggested package exists in the registry under exactly that name and is published from the repository and maintainers you expect, then vet it as you would any new dependency; AI-generated suggestions can name packages that do not exist or that merely resemble the intended one.
- Not all packages have viable alternatives. Niche or highly specialized libraries may not have suggestions.
- Migration notes provide general guidance on API differences but may not cover every call site or edge case in your codebase; run your test suite after switching.
Supported Ecosystems
AI recommendations are available for npm and PyPI packages. Support for additional ecosystems is planned.