A Vite plugin that automatically generates Software Bill of Materials (SBOM) in SPDX and CycloneDX formats during the build process by scanning project dependencies.
Defensibility
Stars: 0
vite-plugin-dtsbom scores a 2 on defensibility because it is a utility wrapper with zero recorded adoption (0 stars, 0 forks) in a highly saturated market. While the functionality is useful for supply-chain security, the plugin is a thin layer over existing SBOM standards. It faces extreme competition from industry-standard tools such as Syft (Anchore), Trivy (Aqua Security), and the official CycloneDX CLI, which offer deeper analysis (e.g., OS-level packages) beyond Node.js dependencies alone. Furthermore, GitHub already provides native SBOM generation for any repository. There is no technical moat here: mapping a Vite dependency graph onto the SPDX or CycloneDX schema is straightforward and easily replicated. The risk of platform domination is medium; frontier AI labs will not build this, but dev-tooling platforms such as Vercel, or Vite itself, could easily integrate it as a core feature if demand warranted it. Given its age of 148 days without traction, the project is likely to remain a niche personal utility or be superseded by more robust security scanners.
TECH STACK
INTEGRATION: library_import
READINESS