Security risk assessments are typically based on known vulnerabilities (which is a problem in itself), while operational risk is often ignored. Operational risk covers any outage that results from an update, as well as the overhead of responding to security issues. In the case of Log4j, one government agency reported spending 33,000 hours on the response, which caused severe service delays.
Endor Labs detects and surfaces potential breaking changes that an update would cause for downstream dependencies. Endor Labs also provides a quality score for each dependency. Together these help you make informed decisions that minimize future operational risks, such as patches not being available, a lack of community support, or untrustworthy maintainers.