deps.dev API
Overview
The deps.dev API provides access to Open Source Insights data. It can be used by tool builders, researchers, and tinkerers who want to answer questions like:
- What versions are available for this package?
- What are the licenses that cover this version of a package?
- How many dependencies does this package have? What are they?
- What versions of what packages correspond to this file?
The API can be accessed in two ways: as JSON over HTTP, which is described on this page, as well as via gRPC. For more information about accessing the API via gRPC, please visit github.com/google/deps.dev.
Using the API
You can access the API using any HTTP client. To quickly get started, you can
use the curl
command-line tool.
The methods of the API accept parameters. For methods that use the HTTP GET verb, required parameters are passed as part of the request path, while optional parameters are passed as part of the query string. For methods that use the HTTP POST verb, parameters are passed in the request body as a JSON object.
All path and query parameters must be encoded so that they can be safely
included in a URL, by replacing special characters (e.g. /
) with their
percent-encoded forms (e.g. %2F
). How this is done depends on your
programming language of choice, but as an example, path parameters can be
encoded using encodeURIComponent in JavaScript or url.PathEscape
in Go, while for query parameters you could use URLSearchParams in
JavaScript or url.Values in Go.
For example, to get information about the npm package @colors/colors
(note
that the @
and /
in the package name have been percent-encoded):
curl 'https://api.deps.dev/v3alpha/systems/npm/packages/%40colors%2Fcolors'
Purl parameters
Some methods accept purls, or package URLs, which have their own rules about how components should be encoded. When passing purls as path parameters, clients should first create them using their purl implementation of choice, then percent-encode them in their entirety.
For example, the npm package @colors/colors
has the purl
pkg:npm/%40colors/colors
. To get information about this package:
curl 'https://api.deps.dev/v3alpha/purl/pkg%3Anpm%2F%2540colors%2Fcolors'
Data parameters
Parameters representing data blobs, such as hash values, are passed as base64 strings.
For example, to use the Query API method to look up package versions by file
content hash (note that the /
and =
have been percent-encoded):
curl 'https://api.deps.dev/v3alpha/query?hash.type=SHA1&hash.value=ulXBPXrC%2FUTfnMgHRFVxmjPzdbk%3D'
To compute a base64-encoded hash from a file’s contents suitable for use as a
hash.value
query parameter you can use the openssl
and base64
commands:
openssl sha1 -binary <file> | base64
Batch methods
Batch methods let clients request information on multiple package versions or projects in a single request. These methods use the HTTP POST verb, and parameters are passed as JSON in the request body.
For example, to request information about two package versions in a single request:
curl -d @- 'https://api.deps.dev/v3alpha/versionbatch' <<EOF
{
"requests":[
{"versionKey":{"system":"NPM","name":"@colors/colors","version":"1.5.0"}},
{"versionKey":{"system":"NUGET","name":"castle.core","version":"5.1.1"}}
]
}
EOF
Note: batch methods are limited to a maximum of 5000 requests in a batch. Sending more than 5000 requests will result in a 400 error.
Package names
In general, the API refers to packages by the names used within their ecosystem, including details such as capitalization.
Exceptions:
- Maven names are of the form
<group ID>:<artifact ID>
, for exampleorg.apache.logging.log4j:log4j-core
. - PyPI names are normalized as per PEP 503.
- NuGet names are normalized through lowercasing according to the Package Content API request parameter specification. Versions are normalized according to NuGet 3.4+ rules.
Upstream sources sometimes use multiple, non-identical identifiers to refer to a package and version. These identifiers are served in their pre-normalized form in the upstream identifiers field of the Version message if they were encountered when syncing a package version.
Coverage
In general, the service collects all publicly-available data from each source (for example, it gathers all npm packages hosted by registry.npmjs.org).
Exceptions:
- For Maven packages, in addition to Maven Central, it gathers artifacts from the Jenkins and Google registries.
- For PyPI it only collects packages released as wheels and sdists.
- For Go it only collects modules that have been fetched through proxy.golang.org, and those declared as dependencies by those modules.
- For projects hosted on GitHub, GitLab, and Bitbucket it only gathers projects associated with a package otherwise known to the service.
API reference
GetPackage
GET /v3alpha/systems/{packageKey.system}/packages/{packageKey.name}
GetPackage returns information about a package, including a list of its available versions, with the default version marked if known.
Example: /v3alpha/systems/npm/packages/%40colors%2Fcolors
Path parameters
- packageKey.system: string
The package management system containing the package.
Can be one of
GO
,NPM
,CARGO
,MAVEN
,PYPI
,NUGET
.- packageKey.name: string
The name of the package.
Response
- packageKey: object
The name of the package. Note that it may differ from the name in the request, due to canonicalization.
- packageKey.system: string
The package management system containing the package.
Can be one of
GO
,NPM
,CARGO
,MAVEN
,PYPI
,NUGET
.- packageKey.name: string
The name of the package.
- purl: string
The purl that identifies this package. Note that the package name may differ from the name in the request, due to canonicalization.
- versions[]: object[]
The available versions of the package.
- versions[].versionKey: object
The name of the version. Note that the package name may differ from the name in the request, due to canonicalization.
- versions[].versionKey.system: string
The package management system containing the package.
Can be one of
GO
,NPM
,CARGO
,MAVEN
,PYPI
,NUGET
.- versions[].versionKey.name: string
The name of the package.
- versions[].versionKey.version: string
The version of the package.
- versions[].purl: string
The purl that identifies this version of the package. Note that the package and version name in the purl may differ from the names in the request, due to canonicalization.
- versions[].publishedAt: string
The time when this package version was published, if available, as reported by the package management authority.
- versions[].isDefault: boolean
If true, this is the default version of the package: the version that is installed when no version is specified. The precise meaning of this is system-specific, but it is commonly the version with the greatest version number, ignoring pre-release versions.
- versions[].isDeprecated: boolean
If true, this version has been marked as deprecated.
GetVersion
GET /v3alpha/systems/{versionKey.system}/packages/{versionKey.name}/versions/{versionKey.version}
GetVersion returns information about a specific package version, including its licenses and any security advisories known to affect it.
Example: /v3alpha/systems/npm/packages/%40colors%2Fcolors/versions/1.5.0
Path parameters
- versionKey.system: string
The package management system containing the package.
Can be one of
GO
,NPM
,CARGO
,MAVEN
,PYPI
,NUGET
.- versionKey.name: string
The name of the package.
- versionKey.version: string
The version of the package.
Response
- versionKey: object
The name of the package version. Note that the package and version name may differ from names specified in requests, if applicable, due to canonicalization.
- versionKey.system: string
The package management system containing the package.
Can be one of
GO
,NPM
,CARGO
,MAVEN
,PYPI
,NUGET
.- versionKey.name: string
The name of the package.
- versionKey.version: string
The version of the package.
- purl: string
The purl that identifies this package version. Note that the package and version name in the purl may differ from the names specified in the request, if applicable, due to canonicalization.
- publishedAt: string
The time when this package version was published, if available, as reported by the package management authority.
- isDefault: boolean
If true, this is the default version of the package: the version that is installed when no version is specified. The precise meaning of this is system-specific, but it is commonly the version with the greatest version number, ignoring pre-release versions.
- isDeprecated: boolean
If true, this version has been marked as deprecated.
- licenses[]: string[]
The licenses governing the use of this package version.
We identify licenses as SPDX 2.1 expressions. When there is no associated SPDX identifier, we identify a license as “non-standard”. When we are unable to obtain license information, this field is empty. When more than one license is listed, their relationship is unspecified.
For Cargo, Maven, npm, NuGet, and PyPI, license information is read from the package metadata. For Go, license information is determined using the licensecheck package.
License information is not intended to be legal advice, and you should independently verify the license or terms of any software for your own needs.
- licenseDetails[]: object[]
Detailed information about the licenses governing the use of this package version.
When deps.dev is unable to obtain license information, this field is empty.
License information is not intended to be legal advice, and you should independently verify the license or terms of any software for your own needs.
- licenseDetails[].license: string
For Cargo, Maven, npm, NuGet, and PyPI, this field holds the license as specified by the package author in the package metadata. For Go, it holds license information as determined using the licensecheck package.
- licenseDetails[].spdx: string
The license mapped to an SPDX 2.1 expression, or “non-standard” if the license cannot be unambiguously mapped to SPDX.
- advisoryKeys[]: object[]
Security advisories known to affect this package version directly. Further information can be requested using the Advisory method.
Note that this field does not include advisories that affect dependencies of this package version.
- advisoryKeys[].id: string
The OSV identifier for the security advisory.
- links[]: object[]
Links declared by or derived from package version metadata, to external web resources such as a homepage or source code repository. Note that these links are not verified for correctness.
- links[].label: string
A label describing the resource that the link points to.
- links[].url: string
The URL of the link.
- slsaProvenances[]: object[]
SLSA provenance information for this package version. Extracted from a SLSA provenance attestation. This is only populated for npm package versions. See the ‘attestations’ field for more attestations (including SLSA provenance) for all systems.
- slsaProvenances[].sourceRepository: string
The source code repository used to build the version.
- slsaProvenances[].commit: string
The commit of the source code repository the version was built from.
- slsaProvenances[].url: string
The URL of the provenance statement if there is one.
- slsaProvenances[].verified: boolean
The Sigstore bundle containing this attestation was verified using the sigstore-go library.
- attestations[]: object[]
Attestations for this package version.
- attestations[].type: string
The type of attestation. One of https://slsa.dev/provenance/v0.2, https://slsa.dev/provenance/v1, https://docs.pypi.org/attestations/publish/v1.
- attestations[].url: string
The URL of the attestation if there is one.
- attestations[].verified: boolean
The attestation has been cryptographically verified by deps.dev. For attestations distributed in a Sigstore bundle, this field indicates the bundle was verified using the sigstore-go library.
- attestations[].sourceRepository: string
Only set if type is https://slsa.dev/provenance/v0.2, https://slsa.dev/provenance/v1, https://docs.pypi.org/attestations/publish/v1. The source code repository used to build the version.
- attestations[].commit: string
The commit of the source code repository the version was built from.
- registries[]: string[]
URLs for the package management registries this package version is available from. Only set for systems that use a central repository for package distribution: Cargo, Maven, npm, NuGet, and PyPI.
- relatedProjects[]: object[]
Projects that are related to this package version.
- relatedProjects[].projectKey: object
The identifier for the project.
- relatedProjects[].projectKey.id: string
A project identifier of the form
github.com/user/repo
,gitlab.com/user/repo
, orbitbucket.org/user/repo
.- relatedProjects[].relationProvenance: string
How the mapping between project and package version was discovered.
Can be one of
SLSA_ATTESTATION
,GO_ORIGIN
,PYPI_PUBLISH_ATTESTATION
,UNVERIFIED_METADATA
.- relatedProjects[].relationType: string
What the relationship between the project and the package version is.
Can be one of
SOURCE_REPO
,ISSUE_TRACKER
.- upstreamIdentifiers[]: object[]
Some upstream identifiers used to refer to this package version.
- upstreamIdentifiers[].packageName: string
The non-normalized package name string.
- upstreamIdentifiers[].versionString: string
The non-normalized version string.
- upstreamIdentifiers[].source: string
The upstream source for this identifier.
GetVersionBatch
POST /v3alpha/versionbatch
GetVersionBatch performs GetVersion requests for a batch of versions. Large result sets may be paginated.
Example:
curl -d @- 'https://api.deps.dev/v3alpha/versionbatch' <<EOF
{
"requests":[
{"versionKey":{"system":"NPM","name":"@colors/colors","version":"1.5.0"}},
{"versionKey":{"system":"NUGET","name":"castle.core","version":"5.1.1"}}
]
}
EOF
Request body
- requests[]: object[]
The batch list of versions to return Version information for. Up to 5000 requests are allowed in a single batch.
- requests[].versionKey: object
- requests[].versionKey.system: string
The package management system containing the package.
Can be one of
GO
,NPM
,CARGO
,MAVEN
,PYPI
,NUGET
.- requests[].versionKey.name: string
The name of the package.
- requests[].versionKey.version: string
The version of the package.
- pageToken: string
If set, request the next page of the result set. It must be set to the page token provided by the previous version batch response. All other request fields must be the same as in the initial request.
Response
- responses[]: object[]
The Version information for this page.
- responses[].request: object
The uncanonicalized request.
- responses[].request.versionKey: object
- responses[].request.versionKey.system: string
The package management system containing the package.
Can be one of
GO
,NPM
,CARGO
,MAVEN
,PYPI
,NUGET
.- responses[].request.versionKey.name: string
The name of the package.
- responses[].request.versionKey.version: string
The version of the package.
- responses[].version: object
The version information for the request. If the version was not found, this field is empty.
- responses[].version.versionKey: object
The name of the package version. Note that the package and version name may differ from names specified in requests, if applicable, due to canonicalization.
- responses[].version.versionKey.system: string
The package management system containing the package.
Can be one of
GO
,NPM
,CARGO
,MAVEN
,PYPI
,NUGET
.- responses[].version.versionKey.name: string
The name of the package.
- responses[].version.versionKey.version: string
The version of the package.
- responses[].version.purl: string
The purl that identifies this package version. Note that the package and version name in the purl may differ from the names specified in the request, if applicable, due to canonicalization.
- responses[].version.publishedAt: string
The time when this package version was published, if available, as reported by the package management authority.
- responses[].version.isDefault: boolean
If true, this is the default version of the package: the version that is installed when no version is specified. The precise meaning of this is system-specific, but it is commonly the version with the greatest version number, ignoring pre-release versions.
- responses[].version.isDeprecated: boolean
If true, this version has been marked as deprecated.
- responses[].version.licenses[]: string[]
The licenses governing the use of this package version.
We identify licenses as SPDX 2.1 expressions. When there is no associated SPDX identifier, we identify a license as “non-standard”. When we are unable to obtain license information, this field is empty. When more than one license is listed, their relationship is unspecified.
For Cargo, Maven, npm, NuGet, and PyPI, license information is read from the package metadata. For Go, license information is determined using the licensecheck package.
License information is not intended to be legal advice, and you should independently verify the license or terms of any software for your own needs.
- responses[].version.licenseDetails[]: object[]
Detailed information about the licenses governing the use of this package version.
When deps.dev is unable to obtain license information, this field is empty.
License information is not intended to be legal advice, and you should independently verify the license or terms of any software for your own needs.
- responses[].version.licenseDetails[].license: string
For Cargo, Maven, npm, NuGet, and PyPI, this field holds the license as specified by the package author in the package metadata. For Go, it holds license information as determined using the licensecheck package.
- responses[].version.licenseDetails[].spdx: string
The license mapped to an SPDX 2.1 expression, or “non-standard” if the license cannot be unambiguously mapped to SPDX.
- responses[].version.advisoryKeys[]: object[]
Security advisories known to affect this package version directly. Further information can be requested using the Advisory method.
Note that this field does not include advisories that affect dependencies of this package version.
- responses[].version.advisoryKeys[].id: string
The OSV identifier for the security advisory.
- responses[].version.links[]: object[]
Links declared by or derived from package version metadata, to external web resources such as a homepage or source code repository. Note that these links are not verified for correctness.
- responses[].version.links[].label: string
A label describing the resource that the link points to.
- responses[].version.links[].url: string
The URL of the link.
- responses[].version.slsaProvenances[]: object[]
SLSA provenance information for this package version. Extracted from a SLSA provenance attestation. This is only populated for npm package versions. See the ‘attestations’ field for more attestations (including SLSA provenance) for all systems.
- responses[].version.slsaProvenances[].sourceRepository: string
The source code repository used to build the version.
- responses[].version.slsaProvenances[].commit: string
The commit of the source code repository the version was built from.
- responses[].version.slsaProvenances[].url: string
The URL of the provenance statement if there is one.
- responses[].version.slsaProvenances[].verified: boolean
The Sigstore bundle containing this attestation was verified using the sigstore-go library.
- responses[].version.attestations[]: object[]
Attestations for this package version.
- responses[].version.attestations[].type: string
The type of attestation. One of https://slsa.dev/provenance/v0.2, https://slsa.dev/provenance/v1, https://docs.pypi.org/attestations/publish/v1.
- responses[].version.attestations[].url: string
The URL of the attestation if there is one.
- responses[].version.attestations[].verified: boolean
The attestation has been cryptographically verified by deps.dev. For attestations distributed in a Sigstore bundle, this field indicates the bundle was verified using the sigstore-go library.
- responses[].version.attestations[].sourceRepository: string
Only set if type is https://slsa.dev/provenance/v0.2, https://slsa.dev/provenance/v1, https://docs.pypi.org/attestations/publish/v1. The source code repository used to build the version.
- responses[].version.attestations[].commit: string
The commit of the source code repository the version was built from.
- responses[].version.registries[]: string[]
URLs for the package management registries this package version is available from. Only set for systems that use a central repository for package distribution: Cargo, Maven, npm, NuGet, and PyPI.
- responses[].version.relatedProjects[]: object[]
Projects that are related to this package version.
- responses[].version.relatedProjects[].projectKey: object
The identifier for the project.
- responses[].version.relatedProjects[].projectKey.id: string
A project identifier of the form
github.com/user/repo
,gitlab.com/user/repo
, orbitbucket.org/user/repo
.- responses[].version.relatedProjects[].relationProvenance: string
How the mapping between project and package version was discovered.
Can be one of
SLSA_ATTESTATION
,GO_ORIGIN
,PYPI_PUBLISH_ATTESTATION
,UNVERIFIED_METADATA
.- responses[].version.relatedProjects[].relationType: string
What the relationship between the project and the package version is.
Can be one of
SOURCE_REPO
,ISSUE_TRACKER
.- responses[].version.upstreamIdentifiers[]: object[]
Some upstream identifiers used to refer to this package version.
- responses[].version.upstreamIdentifiers[].packageName: string
The non-normalized package name string.
- responses[].version.upstreamIdentifiers[].versionString: string
The non-normalized version string.
- responses[].version.upstreamIdentifiers[].source: string
The upstream source for this identifier.
- nextPageToken: string
If set, this batch is not the full result set. This page token may be used to fetch more results in a subsequent request.
GetRequirements
GET /v3alpha/systems/{versionKey.system}/packages/{versionKey.name}/versions/{versionKey.version}:requirements
GetRequirements returns the requirements for a given version in a system-specific format. Requirements are currently available for Maven, npm and NuGet.
Requirements are the dependency constraints specified by the version.
Example: /v3alpha/systems/nuget/packages/castle.core/versions/5.1.1:requirements
Path parameters
- versionKey.system: string
The package management system containing the package.
Can be one of
GO
,NPM
,CARGO
,MAVEN
,PYPI
,NUGET
.- versionKey.name: string
The name of the package.
- versionKey.version: string
The version of the package.
Response
- nuget: object
The NuGet-specific representation of the version’s requirements.
Note that the term “dependency” is used here to mean “a single unresolved requirement” to be consistent with how the term is used in the NuGet ecosystem. This is different to how it is used elsewhere in the deps.dev API.
- nuget.dependencyGroups[]: object[]
The requirements grouped by target framework.
- nuget.dependencyGroups[].targetFramework: string
The target framework that this dependency group is for.
- nuget.dependencyGroups[].dependencies[]: object[]
The requirements belonging to this dependency group.
- nuget.dependencyGroups[].dependencies[].name: string
The name of the package.
- nuget.dependencyGroups[].dependencies[].requirement: string
The requirement on the package.
- npm: object
The npm-specific representation of the version’s requirements.
Note that the term “dependency” is used here to mean “a single unresolved requirement” to be consistent with how the term is used in the npm ecosystem. This is different to how it is used elsewhere in the deps.dev API.
- npm.dependencies: object
The dependency-related fields declared in the requested package version’s package.json.
- npm.dependencies.dependencies[]: object[]
The “dependencies” field of a package.json, represented as a list of name, requirement pairs.
- npm.dependencies.dependencies[].name: string
The name of the package, the key in the original object.
- npm.dependencies.dependencies[].requirement: string
The requirement, the corresponding value from the original object.
- npm.dependencies.devDependencies[]: object[]
The “devDependencies” field of a package.json. The format is the same as “dependencies”.
- npm.dependencies.devDependencies[].name: string
The name of the package, the key in the original object.
- npm.dependencies.devDependencies[].requirement: string
The requirement, the corresponding value from the original object.
- npm.dependencies.optionalDependencies[]: object[]
The “optionalDependencies” field of a package.json. The format is the same as “dependencies”.
- npm.dependencies.optionalDependencies[].name: string
The name of the package, the key in the original object.
- npm.dependencies.optionalDependencies[].requirement: string
The requirement, the corresponding value from the original object.
- npm.dependencies.peerDependencies[]: object[]
The “peerDependencies” field of a package.json. The format is the same as “dependencies”.
- npm.dependencies.peerDependencies[].name: string
The name of the package, the key in the original object.
- npm.dependencies.peerDependencies[].requirement: string
The requirement, the corresponding value from the original object.
- npm.dependencies.bundleDependencies[]: string[]
The “bundleDependencies” field of a package.json: a list of package names. In the package.json this may also just be the boolean value “true”, in which case this field will contain the names of all the dependencies from the “dependencies” field.
- npm.bundled[]: object[]
Contents of any additional package.json files found inside the “node_modules” folder of the version’s tarball, including nested “node_modules”.
- npm.bundled[].path: string
The path inside the tarball where this dependency was found.
- npm.bundled[].name: string
The name of the bundled package, as declared inside the bundled package.json.
- npm.bundled[].version: string
The version of this package, as declared inside the bundled package.json.
- npm.bundled[].dependencies: object
The dependency-related fields from the bundled package.json.
- npm.bundled[].dependencies.dependencies[]: object[]
The “dependencies” field of a package.json, represented as a list of name, requirement pairs.
- npm.bundled[].dependencies.dependencies[].name: string
The name of the package, the key in the original object.
- npm.bundled[].dependencies.dependencies[].requirement: string
The requirement, the corresponding value from the original object.
- npm.bundled[].dependencies.devDependencies[]: object[]
The “devDependencies” field of a package.json. The format is the same as “dependencies”.
- npm.bundled[].dependencies.devDependencies[].name: string
The name of the package, the key in the original object.
- npm.bundled[].dependencies.devDependencies[].requirement: string
The requirement, the corresponding value from the original object.
- npm.bundled[].dependencies.optionalDependencies[]: object[]
The “optionalDependencies” field of a package.json. The format is the same as “dependencies”.
- npm.bundled[].dependencies.optionalDependencies[].name: string
The name of the package, the key in the original object.
- npm.bundled[].dependencies.optionalDependencies[].requirement: string
The requirement, the corresponding value from the original object.
- npm.bundled[].dependencies.peerDependencies[]: object[]
The “peerDependencies” field of a package.json. The format is the same as “dependencies”.
- npm.bundled[].dependencies.peerDependencies[].name: string
The name of the package, the key in the original object.
- npm.bundled[].dependencies.peerDependencies[].requirement: string
The requirement, the corresponding value from the original object.
- npm.bundled[].dependencies.bundleDependencies[]: string[]
The “bundleDependencies” field of a package.json: a list of package names. In the package.json this may also just be the boolean value “true”, in which case this field will contain the names of all the dependencies from the “dependencies” field.
- maven: object
The Maven-specific representation of the version’s requirements.
Note that the term “dependency” is used here to mean “a single unresolved requirement” to be consistent with how the term is used in the Maven ecosystem. This is different to how it is used elsewhere in the deps.dev API.
This data is as it is declared in a version POM file. The data in parent POMs are not merged. Any string field may contain references to properties, and the properties are not interpolated.
- maven.parent: object
The direct parent of a package version.
- maven.parent.system: string
The package management system containing the package.
Can be one of
GO
,NPM
,CARGO
,MAVEN
,PYPI
,NUGET
.- maven.parent.name: string
The name of the package.
- maven.parent.version: string
The version of the package.
- maven.dependencies[]: object[]
The list of dependencies.
- maven.dependencies[].name: string
The name of the package.
- maven.dependencies[].version: string
The version requirement of the dependency.
- maven.dependencies[].classifier: string
The classifier of the dependency, which distinguishes artifacts that differ in content.
- maven.dependencies[].type: string
The type of the dependency, defaults to jar.
- maven.dependencies[].scope: string
The scope of the dependency, specifies how to limit the transitivity of a dependency.
- maven.dependencies[].optional: string
Whether the dependency is optional or not.
- maven.dependencies[].exclusions[]: string[]
The dependencies to be excluded, in the form of a list of package names. Exclusions may contain wildcards in both groupID and artifactID.
- maven.dependencyManagement[]: object[]
The list of dependency management. The format is the same as dependencies.
- maven.dependencyManagement[].name: string
The name of the package.
- maven.dependencyManagement[].version: string
The version requirement of the dependency.
- maven.dependencyManagement[].classifier: string
The classifier of the dependency, which distinguishes artifacts that differ in content.
- maven.dependencyManagement[].type: string
The type of the dependency, defaults to jar.
- maven.dependencyManagement[].scope: string
The scope of the dependency, specifies how to limit the transitivity of a dependency.
- maven.dependencyManagement[].optional: string
Whether the dependency is optional or not.
- maven.dependencyManagement[].exclusions[]: string[]
The dependencies to be excluded, in the form of a list of package names. Exclusions may contain wildcards in both groupID and artifactID.
- maven.properties[]: object[]
The list of properties, used to resolve placeholders.
- maven.properties[].name: string
The name of the property.
- maven.properties[].value: string
The value of the property.
- maven.repositories[]: object[]
The list of repositories.
- maven.repositories[].id: string
The ID of the repository.
- maven.repositories[].url: string
The URL of the repository.
- maven.repositories[].layout: string
Whether the description of the repository follows a common layout.
- maven.repositories[].releasesEnabled: string
Whether the repository is enabled for release downloads.
- maven.repositories[].snapshotsEnabled: string
Whether the repository is enabled for snapshot downloads.
- maven.profiles[]: object[]
The list of profiles.
- maven.profiles[].id: string
The ID of the profile.
- maven.profiles[].activation: object
The activation requirement of the profile.
- maven.profiles[].activation.activeByDefault: string
Whether the profile is active by default.
- maven.profiles[].activation.jdk: object
The JDK requirement of the activation.
- maven.profiles[].activation.jdk.jdk: string
The JDK requirement to activate the profile.
- maven.profiles[].activation.os: object
The operating system requirement of the activation.
- maven.profiles[].activation.os.name: string
The name of the operating system.
- maven.profiles[].activation.os.family: string
The family of the operating system.
- maven.profiles[].activation.os.arch: string
The CPU architecture of the operating system,
- maven.profiles[].activation.os.version: string
The version of the operating system.
- maven.profiles[].activation.property: object
The property requirement of the activation.
- maven.profiles[].activation.property.property: object
The property requirement to activate the profile. This can be a system property or CLI user property.
- maven.profiles[].activation.property.property.name: string
The name of the property.
- maven.profiles[].activation.property.property.value: string
The value of the property.
- maven.profiles[].activation.file: object
The file requirement of the activation.
- maven.profiles[].activation.file.exists: string
The name of the file that its existence activates the profile.
- maven.profiles[].activation.file.missing: string
The name of the file, activate the profile if the file is missing.
- maven.profiles[].dependencies[]: object[]
The dependencies specified in the profile.
- maven.profiles[].dependencies[].name: string
The name of the package.
- maven.profiles[].dependencies[].version: string
The version requirement of the dependency.
- maven.profiles[].dependencies[].classifier: string
The classifier of the dependency, which distinguishes artifacts that differ in content.
- maven.profiles[].dependencies[].type: string
The type of the dependency, defaults to jar.
- maven.profiles[].dependencies[].scope: string
The scope of the dependency, specifies how to limit the transitivity of a dependency.
- maven.profiles[].dependencies[].optional: string
Whether the dependency is optional or not.
- maven.profiles[].dependencies[].exclusions[]: string[]
The dependencies to be excluded, in the form of a list of package names. Exclusions may contain wildcards in both groupID and artifactID.
- maven.profiles[].dependencyManagement[]: object[]
The dependency management specified in the profile.
- maven.profiles[].dependencyManagement[].name: string
The name of the package.
- maven.profiles[].dependencyManagement[].version: string
The version requirement of the dependency.
- maven.profiles[].dependencyManagement[].classifier: string
The classifier of the dependency, which distinguishes artifacts that differ in content.
- maven.profiles[].dependencyManagement[].type: string
The type of the dependency, defaults to jar.
- maven.profiles[].dependencyManagement[].scope: string
The scope of the dependency, specifies how to limit the transitivity of a dependency.
- maven.profiles[].dependencyManagement[].optional: string
Whether the dependency is optional or not.
- maven.profiles[].dependencyManagement[].exclusions[]: string[]
The dependencies to be excluded, in the form of a list of package names. Exclusions may contain wildcards in both groupID and artifactID.
- maven.profiles[].properties[]: object[]
The properties specified in the profile.
- maven.profiles[].properties[].name: string
The name of the property.
- maven.profiles[].properties[].value: string
The value of the property.
- maven.profiles[].repositories[]: object[]
The repositories specified in the profile.
- maven.profiles[].repositories[].id: string
The ID of the repository.
- maven.profiles[].repositories[].url: string
The URL of the repository.
- maven.profiles[].repositories[].layout: string
Whether the description of the repository follows a common layout.
- maven.profiles[].repositories[].releasesEnabled: string
Whether the repository is enabled for release downloads.
- maven.profiles[].repositories[].snapshotsEnabled: string
Whether the repository is enabled for snapshot downloads.
GetDependencies
GET /v3alpha/systems/{versionKey.system}/packages/{versionKey.name}/versions/{versionKey.version}:dependencies
GetDependencies returns a resolved dependency graph for the given package version. Dependencies are currently available for Go, npm, Cargo, Maven and PyPI.
Dependencies are the resolution of the requirements (dependency constraints) specified by a version.
The dependency graph should be similar to one produced by installing the package version on a generic 64-bit Linux system, with no other dependencies present. The precise meaning of this varies from system to system.
Example: /v3alpha/systems/npm/packages/react/versions/18.2.0:dependencies
Path parameters
- versionKey.system: string
The package management system containing the package.
Can be one of
GO
,NPM
,CARGO
,MAVEN
,PYPI
,NUGET
.- versionKey.name: string
The name of the package.
- versionKey.version: string
The version of the package.
Response
- nodes[]: object[]
The nodes of the dependency graph. The first node is the root of the graph.
- nodes[].versionKey: object
The package version represented by this node. Note that the package and version name may differ from the names in the request, if provided, due to canonicalization.
In some systems, a graph may contain multiple nodes for the same package version.
- nodes[].versionKey.system: string
The package management system containing the package.
Can be one of
GO
,NPM
,CARGO
,MAVEN
,PYPI
,NUGET
.- nodes[].versionKey.name: string
The name of the package.
- nodes[].versionKey.version: string
The version of the package.
- nodes[].bundled: boolean
If true, this is a bundled dependency.
For bundled dependencies, the package name in the version key encodes how the dependency is bundled. As an example, a bundled dependency with a name like “a>1.2.3>b>c” is part of the dependency graph of package “a” at version “1.2.3”, and has the local name “c”. It may or may not be the same as a package with the global name “c”.
- nodes[].relation: string
Whether this node represents a direct or indirect dependency within this dependency graph. Note that it’s possible for a dependency to be both direct and indirect; if so, it is marked as direct.
Can be one of
SELF
,DIRECT
,INDIRECT
.- nodes[].errors[]: string[]
Errors associated with this node of the graph, such as an unresolved dependency requirement. An error on a node may imply the graph as a whole is incorrect. These error messages have no defined format and are intended for human consumption.
- edges[]: object[]
The edges of the dependency graph.
- edges[].fromNode: number
The node declaring the dependency, specified as an index into the list of nodes.
- edges[].toNode: number
The node resolving the dependency, specified as an index into the list of nodes.
- edges[].requirement: string
The requirement resolved by this edge, as declared by the “from” node. The meaning of this field is system-specific. As an example, in npm, the requirement “^1.0.0” may be resolved by the version “1.2.3”.
- error: string
Any error associated with the dependency graph that is not specific to a node. An error here may imply the graph as a whole is incorrect. This error message has no defined format and is intended for human consumption.
GetDependents
GET /v3alpha/systems/{versionKey.system}/packages/{versionKey.name}/versions/{versionKey.version}:dependents
GetDependents returns information about the number of distinct packages known to depend on the given package version. Dependent counts are currently available for Go, npm, Cargo, Maven and PyPI.
Dependent counts are derived from the dependency graphs computed by deps.dev, which means that only public dependents are counted. As such, dependent counts should be treated as indicative of relative popularity rather than precisely accurate.
Path parameters
- versionKey.system: string
The package management system containing the package.
Can be one of
GO
,NPM
,CARGO
,MAVEN
,PYPI
,NUGET
.- versionKey.name: string
The name of the package.
- versionKey.version: string
The version of the package.
Response
- dependentCount: number
The number of packages known to depend on this package version, either directly or indirectly. Note that this may be less than the sum of the direct and indirect dependent counts.
- directDependentCount: number
The number of packages known to depend directly on this package version.
- indirectDependentCount: number
The number of packages known to depend indirectly on this package version.
GetCapabilities
GET /v3alpha/systems/{versionKey.system}/packages/{versionKey.name}/versions/{versionKey.version}:capabilities
GetCapabilityRequest returns counts for direct and indirect calls to Capslock capabilities for a given package version. Currently only available for Go.
Path parameters
- versionKey.system: string
The package management system containing the package.
Can be one of
GO
,NPM
,CARGO
,MAVEN
,PYPI
,NUGET
.- versionKey.name: string
The name of the package.
- versionKey.version: string
The version of the package.
Response
- capabilities[]: object[]
The Capslock capabilities associated with a package, along with the number of direct and indirect callpaths to this capability.
- capabilities[].capability: string
A Capslock capability, indicating that the packages uses this capability.
- capabilities[].directCount: number
The number of calls from this package directly to this capability.
- capabilities[].indirectCount: number
The number of calls from this package to the capability via another package.
GetProject
GET /v3alpha/projects/{projectKey.id}
GetProject returns information about projects hosted by GitHub, GitLab, or BitBucket, when known to us.
Example: /v3alpha/projects/github.com%2Ffacebook%2Freact
Path parameters
- projectKey.id: string
A project identifier of the form
github.com/user/repo
,gitlab.com/user/repo
, orbitbucket.org/user/repo
.
Response
- projectKey: object
The identifier for the project. Note that this may differ from the identifier in the request, due to canonicalization.
- projectKey.id: string
A project identifier of the form
github.com/user/repo
,gitlab.com/user/repo
, orbitbucket.org/user/repo
.- openIssuesCount: number
The number of open issues reported by the project host. Only available for GitHub and GitLab.
- starsCount: number
The number of stars reported by the project host. Only available for GitHub and GitLab.
- forksCount: number
The number of forks reported by the project host. Only available for GitHub and GitLab.
- license: string
The license reported by the project host.
- description: string
The description reported by the project host.
- homepage: string
The homepage reported by the project host.
- scorecard: object
An OpenSSF Scorecard for the project, if one is available.
- scorecard.date: string
The date at which the scorecard was produced. The time portion of this field is midnight UTC.
- scorecard.repository: object
The source code repository and commit the scorecard was produced from.
- scorecard.repository.name: string
The source code repository the scorecard was produced from.
- scorecard.repository.commit: string
The source code commit the scorecard was produced from.
- scorecard.scorecard: object
The version and commit of the Scorecard program used to produce the scorecard.
- scorecard.scorecard.version: string
The version of the Scorecard program used to produce the scorecard.
- scorecard.scorecard.commit: string
The commit of the Scorecard program used to produce the scorecard.
- scorecard.checks[]: object[]
The results of the Scorecard Checks performed on the project.
- scorecard.checks[].name: string
The name of the check.
- scorecard.checks[].documentation: object
Human-readable documentation for the check.
- scorecard.checks[].documentation.shortDescription: string
A short description of the check.
- scorecard.checks[].documentation.url: string
A link to more details about the check.
- scorecard.checks[].score: number
A score in the range [0,10]. A higher score is better. A negative score indicates that the check did not run successfully.
- scorecard.checks[].reason: string
The reason for the score.
- scorecard.checks[].details[]: string[]
Further details regarding the check.
- scorecard.overallScore: number
A weighted average score in the range [0,10]. A higher score is better.
- scorecard.metadata[]: string[]
Additional metadata associated with the scorecard.
- ossFuzz: object
Details of this project’s testing by the OSS-Fuzz service. Only set if the project is tested by OSS-Fuzz.
- ossFuzz.lineCount: number
The total number of lines of code in the project.
- ossFuzz.lineCoverCount: number
The number of lines of code covered by fuzzing.
- ossFuzz.date: string
The date the fuzz test that produced the coverage information was run against this project. The time portion of this field is midnight UTC.
- ossFuzz.configUrl: string
The URL containing the configuration for the project in the OSS-Fuzz repository.
GetProjectBatch
POST /v3alpha/projectbatch
GetProjectBatch performs GetProjectBatch requests for a batch of projects. Large result sets may be paginated.
Example:
curl -d @- 'https://api.deps.dev/v3alpha/projectbatch' <<EOF
{
"requests":[
{"projectKey":{"id":"github.com/facebook/react"}},
{"projectKey":{"id":"github.com/angular/angular"}}
]
}
EOF
Request body
- requests[]: object[]
The batch list of projects to return Project information for. Up to 5000 requests are allowed in a single batch.
- requests[].projectKey: object
- requests[].projectKey.id: string
A project identifier of the form
github.com/user/repo
,gitlab.com/user/repo
, orbitbucket.org/user/repo
.- pageToken: string
If set, request the next page of the result set. It must be set to the page token provided by the previous project batch response. All other request fields must be the same as in the initial request.
Response
- responses[]: object[]
The Project information for this page.
- responses[].request: object
The uncanonicalized request.
- responses[].request.projectKey: object
- responses[].request.projectKey.id: string
A project identifier of the form
github.com/user/repo
,gitlab.com/user/repo
, orbitbucket.org/user/repo
.- responses[].project: object
The project information for the request. If the project was not found, this field is empty.
- responses[].project.projectKey: object
The identifier for the project. Note that this may differ from the identifier in the request, due to canonicalization.
- responses[].project.projectKey.id: string
A project identifier of the form
github.com/user/repo
,gitlab.com/user/repo
, orbitbucket.org/user/repo
.- responses[].project.openIssuesCount: number
The number of open issues reported by the project host. Only available for GitHub and GitLab.
- responses[].project.starsCount: number
The number of stars reported by the project host. Only available for GitHub and GitLab.
- responses[].project.forksCount: number
The number of forks reported by the project host. Only available for GitHub and GitLab.
- responses[].project.license: string
The license reported by the project host.
- responses[].project.description: string
The description reported by the project host.
- responses[].project.homepage: string
The homepage reported by the project host.
- responses[].project.scorecard: object
An OpenSSF Scorecard for the project, if one is available.
- responses[].project.scorecard.date: string
The date at which the scorecard was produced. The time portion of this field is midnight UTC.
- responses[].project.scorecard.repository: object
The source code repository and commit the scorecard was produced from.
- responses[].project.scorecard.repository.name: string
The source code repository the scorecard was produced from.
- responses[].project.scorecard.repository.commit: string
The source code commit the scorecard was produced from.
- responses[].project.scorecard.scorecard: object
The version and commit of the Scorecard program used to produce the scorecard.
- responses[].project.scorecard.scorecard.version: string
The version of the Scorecard program used to produce the scorecard.
- responses[].project.scorecard.scorecard.commit: string
The commit of the Scorecard program used to produce the scorecard.
- responses[].project.scorecard.checks[]: object[]
The results of the Scorecard Checks performed on the project.
- responses[].project.scorecard.checks[].name: string
The name of the check.
- responses[].project.scorecard.checks[].documentation: object
Human-readable documentation for the check.
- responses[].project.scorecard.checks[].documentation.shortDescription: string
A short description of the check.
- responses[].project.scorecard.checks[].documentation.url: string
A link to more details about the check.
- responses[].project.scorecard.checks[].score: number
A score in the range [0,10]. A higher score is better. A negative score indicates that the check did not run successfully.
- responses[].project.scorecard.checks[].reason: string
The reason for the score.
- responses[].project.scorecard.checks[].details[]: string[]
Further details regarding the check.
- responses[].project.scorecard.overallScore: number
A weighted average score in the range [0,10]. A higher score is better.
- responses[].project.scorecard.metadata[]: string[]
Additional metadata associated with the scorecard.
- responses[].project.ossFuzz: object
Details of this project’s testing by the OSS-Fuzz service. Only set if the project is tested by OSS-Fuzz.
- responses[].project.ossFuzz.lineCount: number
The total number of lines of code in the project.
- responses[].project.ossFuzz.lineCoverCount: number
The number of lines of code covered by fuzzing.
- responses[].project.ossFuzz.date: string
The date the fuzz test that produced the coverage information was run against this project. The time portion of this field is midnight UTC.
- responses[].project.ossFuzz.configUrl: string
The URL containing the configuration for the project in the OSS-Fuzz repository.
- nextPageToken: string
If set, this batch is not the full result set. This page token may be used to fetch more results in a subsequent request.
GetProjectPackageVersions
GET /v3alpha/projects/{projectKey.id}:packageversions
GetProjectPackageVersions returns known mappings between the requested project and package versions. At most 1500 package versions are returned. Mappings which were derived from attestations are served first.
Example: /v3alpha/projects/github.com%2Ffacebook%2Freact:packageversions
Path parameters
- projectKey.id: string
A project identifier of the form
github.com/user/repo
,gitlab.com/user/repo
, orbitbucket.org/user/repo
.
Response
- versions[]: object[]
The versions that were built from the source code contained in this project.
- versions[].versionKey: object
The identifier for the version.
- versions[].versionKey.system: string
The package management system containing the package.
Can be one of
GO
,NPM
,CARGO
,MAVEN
,PYPI
,NUGET
.- versions[].versionKey.name: string
The name of the package.
- versions[].versionKey.version: string
The version of the package.
- versions[].relationType: string
What the relationship between the project and the package version is.
Can be one of
SOURCE_REPO
,ISSUE_TRACKER
.- versions[].relationProvenance: string
How the mapping between project and package version was discovered.
Can be one of
SLSA_ATTESTATION
,GO_ORIGIN
,PYPI_PUBLISH_ATTESTATION
,UNVERIFIED_METADATA
.- versions[].slsaProvenances[]: object[]
The SLSA provenance statements that link the version to the project. This is only populated for npm package versions. See the ‘attestations’ field for more attestations (including SLSA provenance) for all systems.
- versions[].slsaProvenances[].sourceRepository: string
The source code repository used to build the version.
- versions[].slsaProvenances[].commit: string
The commit of the source code repository the version was built from.
- versions[].slsaProvenances[].url: string
The URL of the provenance statement if there is one.
- versions[].slsaProvenances[].verified: boolean
The Sigstore bundle containing this attestation was verified using the sigstore-go library.
- versions[].attestations[]: object[]
Attestations that link the version to the project.
- versions[].attestations[].type: string
The type of attestation. One of https://slsa.dev/provenance/v0.2, https://slsa.dev/provenance/v1, https://docs.pypi.org/attestations/publish/v1.
- versions[].attestations[].url: string
The URL of the attestation if there is one.
- versions[].attestations[].verified: boolean
The attestation has been cryptographically verified by deps.dev. For attestations distributed in a Sigstore bundle, this field indicates the bundle was verified using the sigstore-go library.
- versions[].attestations[].sourceRepository: string
Only set if type is https://slsa.dev/provenance/v0.2, https://slsa.dev/provenance/v1, https://docs.pypi.org/attestations/publish/v1. The source code repository used to build the version.
- versions[].attestations[].commit: string
The commit of the source code repository the version was built from.
GetAdvisory
GET /v3alpha/advisories/{advisoryKey.id}
GetAdvisory returns information about security advisories hosted by OSV.
Example: /v3alpha/advisories/GHSA-2qrg-x229-3v8q
Path parameters
- advisoryKey.id: string
The OSV identifier for the security advisory.
Response
- advisoryKey: object
The identifier for the security advisory. Note that this may differ from the identifier in the request, due to canonicalization.
- advisoryKey.id: string
The OSV identifier for the security advisory.
- url: string
The URL of the security advisory.
- title: string
A brief human-readable description.
- aliases[]: string[]
Other identifiers used for the advisory, including CVEs.
- cvss3Score: number
The severity of the advisory as a CVSS v3 score in the range [0,10]. A higher score represents greater severity.
- cvss3Vector: string
The severity of the advisory as a CVSS v3 vector string.
GetSimilarlyNamedPackages
GET /v3alpha/systems/{packageKey.system}/packages/{packageKey.name}:similarlyNamedPackages
GetSimilarlyNamedPackages returns packages with names that are similar to the requested package. This similarity relation is computed by deps.dev.
Example: /v3alpha/systems/npm/packages/jost:similarlyNamedPackages
Path parameters
- packageKey.system: string
The package management system containing the package.
Can be one of
GO
,NPM
,CARGO
,MAVEN
,PYPI
,NUGET
.- packageKey.name: string
The name of the package.
Response
- packageKey: object
The name of the package. Note that the package name may differ from the name in the request, due to canonicalization.
- packageKey.system: string
The package management system containing the package.
Can be one of
GO
,NPM
,CARGO
,MAVEN
,PYPI
,NUGET
.- packageKey.name: string
The name of the package.
- packages[]: object[]
Packages with names that deps.dev has calculated are similar to the name of the requested package. Note that this is not necessarily a symmetric relation, as we take into account popularity when calculating similar names.
- packages[].packageKey: object
A package with a name similar to the requested package.
- packages[].packageKey.system: string
The package management system containing the package.
Can be one of
GO
,NPM
,CARGO
,MAVEN
,PYPI
,NUGET
.- packages[].packageKey.name: string
The name of the package.
Query
GET /v3alpha/query
Query returns information about multiple package versions, which can be specified by name, content hash, or both. If a hash was specified in the request, it returns the artifacts that matched the hash.
Querying by content hash is currently supported for npm, Cargo, Maven, and NuGet. It is typical for hash queries to return many results; hashes are matched against multiple release artifacts (such as JAR files) that comprise package versions, and any given artifact may appear in several package versions.
Examples:
/v3alpha/query?hash.type=SHA1&hash.value=ulXBPXrC%2FUTfnMgHRFVxmjPzdbk%3D
/v3alpha/query?versionKey.system=NPM&versionKey.name=react&versionKey.version=18.2.0
Query parameters
- hash.type: string
The function used to produce this hash.
Can be one of
MD5
,SHA1
,SHA256
,SHA512
.- hash.value: string
A hash value.
- versionKey.system: string
The package management system containing the package.
Can be one of
GO
,NPM
,CARGO
,MAVEN
,PYPI
,NUGET
.- versionKey.name: string
The name of the package.
- versionKey.version: string
The version of the package.
Response
- results[]: object[]
Package versions matching the query. At most 1000 versions are returned.
- results[].version: object
A package version matching the query.
- results[].version.versionKey: object
The name of the package version. Note that the package and version name may differ from names specified in requests, if applicable, due to canonicalization.
- results[].version.versionKey.system: string
The package management system containing the package.
Can be one of
GO
,NPM
,CARGO
,MAVEN
,PYPI
,NUGET
.- results[].version.versionKey.name: string
The name of the package.
- results[].version.versionKey.version: string
The version of the package.
- results[].version.purl: string
The purl that identifies this package version. Note that the package and version name in the purl may differ from the names specified in the request, if applicable, due to canonicalization.
- results[].version.publishedAt: string
The time when this package version was published, if available, as reported by the package management authority.
- results[].version.isDefault: boolean
If true, this is the default version of the package: the version that is installed when no version is specified. The precise meaning of this is system-specific, but it is commonly the version with the greatest version number, ignoring pre-release versions.
- results[].version.isDeprecated: boolean
If true, this version has been marked as deprecated.
- results[].version.licenses[]: string[]
The licenses governing the use of this package version.
We identify licenses as SPDX 2.1 expressions. When there is no associated SPDX identifier, we identify a license as “non-standard”. When we are unable to obtain license information, this field is empty. When more than one license is listed, their relationship is unspecified.
For Cargo, Maven, npm, NuGet, and PyPI, license information is read from the package metadata. For Go, license information is determined using the licensecheck package.
License information is not intended to be legal advice, and you should independently verify the license or terms of any software for your own needs.
- results[].version.licenseDetails[]: object[]
Detailed information about the licenses governing the use of this package version.
When deps.dev is unable to obtain license information, this field is empty.
License information is not intended to be legal advice, and you should independently verify the license or terms of any software for your own needs.
- results[].version.licenseDetails[].license: string
For Cargo, Maven, npm, NuGet, and PyPI, this field holds the license as specified by the package author in the package metadata. For Go, it holds license information as determined using the licensecheck package.
- results[].version.licenseDetails[].spdx: string
The license mapped to an SPDX 2.1 expression, or “non-standard” if the license cannot be unambiguously mapped to SPDX.
- results[].version.advisoryKeys[]: object[]
Security advisories known to affect this package version directly. Further information can be requested using the Advisory method.
Note that this field does not include advisories that affect dependencies of this package version.
- results[].version.advisoryKeys[].id: string
The OSV identifier for the security advisory.
- results[].version.links[]: object[]
Links declared by or derived from package version metadata, to external web resources such as a homepage or source code repository. Note that these links are not verified for correctness.
- results[].version.links[].label: string
A label describing the resource that the link points to.
- results[].version.links[].url: string
The URL of the link.
- results[].version.slsaProvenances[]: object[]
SLSA provenance information for this package version. Extracted from a SLSA provenance attestation. This is only populated for npm package versions. See the ‘attestations’ field for more attestations (including SLSA provenance) for all systems.
- results[].version.slsaProvenances[].sourceRepository: string
The source code repository used to build the version.
- results[].version.slsaProvenances[].commit: string
The commit of the source code repository the version was built from.
- results[].version.slsaProvenances[].url: string
The URL of the provenance statement if there is one.
- results[].version.slsaProvenances[].verified: boolean
The Sigstore bundle containing this attestation was verified using the sigstore-go library.
- results[].version.attestations[]: object[]
Attestations for this package version.
- results[].version.attestations[].type: string
The type of attestation. One of https://slsa.dev/provenance/v0.2, https://slsa.dev/provenance/v1, https://docs.pypi.org/attestations/publish/v1.
- results[].version.attestations[].url: string
The URL of the attestation if there is one.
- results[].version.attestations[].verified: boolean
The attestation has been cryptographically verified by deps.dev. For attestations distributed in a Sigstore bundle, this field indicates the bundle was verified using the sigstore-go library.
- results[].version.attestations[].sourceRepository: string
Only set if type is https://slsa.dev/provenance/v0.2, https://slsa.dev/provenance/v1, https://docs.pypi.org/attestations/publish/v1. The source code repository used to build the version.
- results[].version.attestations[].commit: string
The commit of the source code repository the version was built from.
- results[].version.registries[]: string[]
URLs for the package management registries this package version is available from. Only set for systems that use a central repository for package distribution: Cargo, Maven, npm, NuGet, and PyPI.
- results[].version.relatedProjects[]: object[]
Projects that are related to this package version.
- results[].version.relatedProjects[].projectKey: object
The identifier for the project.
- results[].version.relatedProjects[].projectKey.id: string
A project identifier of the form
github.com/user/repo
,gitlab.com/user/repo
, orbitbucket.org/user/repo
.- results[].version.relatedProjects[].relationProvenance: string
How the mapping between project and package version was discovered.
Can be one of
SLSA_ATTESTATION
,GO_ORIGIN
,PYPI_PUBLISH_ATTESTATION
,UNVERIFIED_METADATA
.- results[].version.relatedProjects[].relationType: string
What the relationship between the project and the package version is.
Can be one of
SOURCE_REPO
,ISSUE_TRACKER
.- results[].version.upstreamIdentifiers[]: object[]
Some upstream identifiers used to refer to this package version.
- results[].version.upstreamIdentifiers[].packageName: string
The non-normalized package name string.
- results[].version.upstreamIdentifiers[].versionString: string
The non-normalized version string.
- results[].version.upstreamIdentifiers[].source: string
The upstream source for this identifier.
- results[].artifacts[]: object[]
If a hash was specified in the request, artifacts describes the upstream artifacts matching the hash.
- results[].artifacts[].url: string
The origin of the artifact with this hash.
PurlLookup
GET /v3alpha/purl/{purl}
PurlLookup searches for a package or package version specified via purl, and returns the corresponding result from GetPackage or GetVersion as appropriate.
For a package lookup, the purl should be in the form
pkg:type/namespace/name
for a namespaced package name, or
pkg:type/name
for a non-namespaced package name.
For a package version lookup, the purl should be in the form
pkg:type/namespace/name@version
, or
pkg:type/name@version
.
Extra fields in the purl must be empty, otherwise the request will fail. In particular, there must be no subpath or qualifiers.
Supported values for type
are cargo
, golang
, maven
, npm
, nuget
and pypi
. Further details on types, and how to form purls of each type,
can be found in the
purl spec.
Special characters in purls must be percent-encoded. This is described in detail by the purl spec.
Examples:
/v3alpha/purl/pkg%3Anpm%2F%2540colors%2Fcolors
/v3alpha/purl/pkg%3Anpm%2F%2540colors%2Fcolors%401.5.0
Path parameters
- purl: string
The purl to search for.
Response
- package: object
Package result (as from GetPackage) for purls that do not include a version.
- package.packageKey: object
The name of the package. Note that it may differ from the name in the request, due to canonicalization.
- package.packageKey.system: string
The package management system containing the package.
Can be one of
GO
,NPM
,CARGO
,MAVEN
,PYPI
,NUGET
.- package.packageKey.name: string
The name of the package.
- package.purl: string
The purl that identifies this package. Note that the package name may differ from the name in the request, due to canonicalization.
- package.versions[]: object[]
The available versions of the package.
- package.versions[].versionKey: object
The name of the version. Note that the package name may differ from the name in the request, due to canonicalization.
- package.versions[].versionKey.system: string
The package management system containing the package.
Can be one of
GO
,NPM
,CARGO
,MAVEN
,PYPI
,NUGET
.- package.versions[].versionKey.name: string
The name of the package.
- package.versions[].versionKey.version: string
The version of the package.
- package.versions[].purl: string
The purl that identifies this version of the package. Note that the package and version name in the purl may differ from the names in the request, due to canonicalization.
- package.versions[].publishedAt: string
The time when this package version was published, if available, as reported by the package management authority.
- package.versions[].isDefault: boolean
If true, this is the default version of the package: the version that is installed when no version is specified. The precise meaning of this is system-specific, but it is commonly the version with the greatest version number, ignoring pre-release versions.
- package.versions[].isDeprecated: boolean
If true, this version has been marked as deprecated.
- version: object
Version result (as from GetVersion), for purls that include a version.
- version.versionKey: object
The name of the package version. Note that the package and version name may differ from names specified in requests, if applicable, due to canonicalization.
- version.versionKey.system: string
The package management system containing the package.
Can be one of
GO
,NPM
,CARGO
,MAVEN
,PYPI
,NUGET
.- version.versionKey.name: string
The name of the package.
- version.versionKey.version: string
The version of the package.
- version.purl: string
The purl that identifies this package version. Note that the package and version name in the purl may differ from the names specified in the request, if applicable, due to canonicalization.
- version.publishedAt: string
The time when this package version was published, if available, as reported by the package management authority.
- version.isDefault: boolean
If true, this is the default version of the package: the version that is installed when no version is specified. The precise meaning of this is system-specific, but it is commonly the version with the greatest version number, ignoring pre-release versions.
- version.isDeprecated: boolean
If true, this version has been marked as deprecated.
- version.licenses[]: string[]
The licenses governing the use of this package version.
We identify licenses as SPDX 2.1 expressions. When there is no associated SPDX identifier, we identify a license as “non-standard”. When we are unable to obtain license information, this field is empty. When more than one license is listed, their relationship is unspecified.
For Cargo, Maven, npm, NuGet, and PyPI, license information is read from the package metadata. For Go, license information is determined using the licensecheck package.
License information is not intended to be legal advice, and you should independently verify the license or terms of any software for your own needs.
- version.licenseDetails[]: object[]
Detailed information about the licenses governing the use of this package version.
When deps.dev is unable to obtain license information, this field is empty.
License information is not intended to be legal advice, and you should independently verify the license or terms of any software for your own needs.
- version.licenseDetails[].license: string
For Cargo, Maven, npm, NuGet, and PyPI, this field holds the license as specified by the package author in the package metadata. For Go, it holds license information as determined using the licensecheck package.
- version.licenseDetails[].spdx: string
The license mapped to an SPDX 2.1 expression, or “non-standard” if the license cannot be unambiguously mapped to SPDX.
- version.advisoryKeys[]: object[]
Security advisories known to affect this package version directly. Further information can be requested using the Advisory method.
Note that this field does not include advisories that affect dependencies of this package version.
- version.advisoryKeys[].id: string
The OSV identifier for the security advisory.
- version.links[]: object[]
Links declared by or derived from package version metadata, to external web resources such as a homepage or source code repository. Note that these links are not verified for correctness.
- version.links[].label: string
A label describing the resource that the link points to.
- version.links[].url: string
The URL of the link.
- version.slsaProvenances[]: object[]
SLSA provenance information for this package version. Extracted from a SLSA provenance attestation. This is only populated for npm package versions. See the ‘attestations’ field for more attestations (including SLSA provenance) for all systems.
- version.slsaProvenances[].sourceRepository: string
The source code repository used to build the version.
- version.slsaProvenances[].commit: string
The commit of the source code repository the version was built from.
- version.slsaProvenances[].url: string
The URL of the provenance statement if there is one.
- version.slsaProvenances[].verified: boolean
The Sigstore bundle containing this attestation was verified using the sigstore-go library.
- version.attestations[]: object[]
Attestations for this package version.
- version.attestations[].type: string
The type of attestation. One of https://slsa.dev/provenance/v0.2, https://slsa.dev/provenance/v1, https://docs.pypi.org/attestations/publish/v1.
- version.attestations[].url: string
The URL of the attestation if there is one.
- version.attestations[].verified: boolean
The attestation has been cryptographically verified by deps.dev. For attestations distributed in a Sigstore bundle, this field indicates the bundle was verified using the sigstore-go library.
- version.attestations[].sourceRepository: string
Only set if type is https://slsa.dev/provenance/v0.2, https://slsa.dev/provenance/v1, https://docs.pypi.org/attestations/publish/v1. The source code repository used to build the version.
- version.attestations[].commit: string
The commit of the source code repository the version was built from.
- version.registries[]: string[]
URLs for the package management registries this package version is available from. Only set for systems that use a central repository for package distribution: Cargo, Maven, npm, NuGet, and PyPI.
- version.relatedProjects[]: object[]
Projects that are related to this package version.
- version.relatedProjects[].projectKey: object
The identifier for the project.
- version.relatedProjects[].projectKey.id: string
A project identifier of the form
github.com/user/repo
,gitlab.com/user/repo
, orbitbucket.org/user/repo
.- version.relatedProjects[].relationProvenance: string
How the mapping between project and package version was discovered.
Can be one of
SLSA_ATTESTATION
,GO_ORIGIN
,PYPI_PUBLISH_ATTESTATION
,UNVERIFIED_METADATA
.- version.relatedProjects[].relationType: string
What the relationship between the project and the package version is.
Can be one of
SOURCE_REPO
,ISSUE_TRACKER
.- version.upstreamIdentifiers[]: object[]
Some upstream identifiers used to refer to this package version.
- version.upstreamIdentifiers[].packageName: string
The non-normalized package name string.
- version.upstreamIdentifiers[].versionString: string
The non-normalized version string.
- version.upstreamIdentifiers[].source: string
The upstream source for this identifier.
PurlLookupBatch
POST /v3alpha/purlbatch
PurlLookupBatch performs PurlLookup requests for a batch of purls. This endpoint only supports version lookups. Purls in requests must include a version field.
Supported purl forms are
pkg:type/namespace/name@version
for a namespaced package name, or
pkg:type/name@version
for a non-namespaced package name.
Extra fields in the purl must be empty, otherwise the request will fail. In particular, there must be no subpath or qualifiers.
Large result sets may be paginated.
Example:
curl -d @- 'https://api.deps.dev/v3alpha/purlbatch' <<EOF
{
"requests":[
{"purl":"pkg:npm/%40colors/colors@1.5.0"},
{"purl":"pkg:nuget/castle.core@5.1.1"}
]
}
EOF
Request body
- requests[]: object[]
The batch list of purls to search for. Up to 5000 requests are allowed in a single batch.
- requests[].purl: string
The purl to search for.
- pageToken: string
If set, request the next page of the result set. It must be set to the page token provided by the previous purl lookup batch response. All other request fields must be the same as in the initial request.
Response
- responses[]: object[]
The purl lookup results for this page.
- responses[].request: object
The uncanonicalized request.
- responses[].request.purl: string
The purl to search for.
- responses[].result: object
The result corresponding to the request. If no result was found for the request, this field is empty.
- responses[].result.package: object
Package result (as from GetPackage) for purls that do not include a version.
- responses[].result.package.packageKey: object
The name of the package. Note that it may differ from the name in the request, due to canonicalization.
- responses[].result.package.packageKey.system: string
The package management system containing the package.
Can be one of
GO
,NPM
,CARGO
,MAVEN
,PYPI
,NUGET
.- responses[].result.package.packageKey.name: string
The name of the package.
- responses[].result.package.purl: string
The purl that identifies this package. Note that the package name may differ from the name in the request, due to canonicalization.
- responses[].result.package.versions[]: object[]
The available versions of the package.
- responses[].result.package.versions[].versionKey: object
The name of the version. Note that the package name may differ from the name in the request, due to canonicalization.
- responses[].result.package.versions[].versionKey.system: string
The package management system containing the package.
Can be one of
GO
,NPM
,CARGO
,MAVEN
,PYPI
,NUGET
.- responses[].result.package.versions[].versionKey.name: string
The name of the package.
- responses[].result.package.versions[].versionKey.version: string
The version of the package.
- responses[].result.package.versions[].purl: string
The purl that identifies this version of the package. Note that the package and version name in the purl may differ from the names in the request, due to canonicalization.
- responses[].result.package.versions[].publishedAt: string
The time when this package version was published, if available, as reported by the package management authority.
- responses[].result.package.versions[].isDefault: boolean
If true, this is the default version of the package: the version that is installed when no version is specified. The precise meaning of this is system-specific, but it is commonly the version with the greatest version number, ignoring pre-release versions.
- responses[].result.package.versions[].isDeprecated: boolean
If true, this version has been marked as deprecated.
- responses[].result.version: object
Version result (as from GetVersion), for purls that include a version.
- responses[].result.version.versionKey: object
The name of the package version. Note that the package and version name may differ from names specified in requests, if applicable, due to canonicalization.
- responses[].result.version.versionKey.system: string
The package management system containing the package.
Can be one of
GO
,NPM
,CARGO
,MAVEN
,PYPI
,NUGET
.- responses[].result.version.versionKey.name: string
The name of the package.
- responses[].result.version.versionKey.version: string
The version of the package.
- responses[].result.version.purl: string
The purl that identifies this package version. Note that the package and version name in the purl may differ from the names specified in the request, if applicable, due to canonicalization.
- responses[].result.version.publishedAt: string
The time when this package version was published, if available, as reported by the package management authority.
- responses[].result.version.isDefault: boolean
If true, this is the default version of the package: the version that is installed when no version is specified. The precise meaning of this is system-specific, but it is commonly the version with the greatest version number, ignoring pre-release versions.
- responses[].result.version.isDeprecated: boolean
If true, this version has been marked as deprecated.
- responses[].result.version.licenses[]: string[]
The licenses governing the use of this package version.
We identify licenses as SPDX 2.1 expressions. When there is no associated SPDX identifier, we identify a license as “non-standard”. When we are unable to obtain license information, this field is empty. When more than one license is listed, their relationship is unspecified.
For Cargo, Maven, npm, NuGet, and PyPI, license information is read from the package metadata. For Go, license information is determined using the licensecheck package.
License information is not intended to be legal advice, and you should independently verify the license or terms of any software for your own needs.
- responses[].result.version.licenseDetails[]: object[]
Detailed information about the licenses governing the use of this package version.
When deps.dev is unable to obtain license information, this field is empty.
License information is not intended to be legal advice, and you should independently verify the license or terms of any software for your own needs.
- responses[].result.version.licenseDetails[].license: string
For Cargo, Maven, npm, NuGet, and PyPI, this field holds the license as specified by the package author in the package metadata. For Go, it holds license information as determined using the licensecheck package.
- responses[].result.version.licenseDetails[].spdx: string
The license mapped to an SPDX 2.1 expression, or “non-standard” if the license cannot be unambiguously mapped to SPDX.
- responses[].result.version.advisoryKeys[]: object[]
Security advisories known to affect this package version directly. Further information can be requested using the Advisory method.
Note that this field does not include advisories that affect dependencies of this package version.
- responses[].result.version.advisoryKeys[].id: string
The OSV identifier for the security advisory.
- responses[].result.version.links[]: object[]
Links declared by or derived from package version metadata, to external web resources such as a homepage or source code repository. Note that these links are not verified for correctness.
- responses[].result.version.links[].label: string
A label describing the resource that the link points to.
- responses[].result.version.links[].url: string
The URL of the link.
- responses[].result.version.slsaProvenances[]: object[]
SLSA provenance information for this package version. Extracted from a SLSA provenance attestation. This is only populated for npm package versions. See the ‘attestations’ field for more attestations (including SLSA provenance) for all systems.
- responses[].result.version.slsaProvenances[].sourceRepository: string
The source code repository used to build the version.
- responses[].result.version.slsaProvenances[].commit: string
The commit of the source code repository the version was built from.
- responses[].result.version.slsaProvenances[].url: string
The URL of the provenance statement if there is one.
- responses[].result.version.slsaProvenances[].verified: boolean
The Sigstore bundle containing this attestation was verified using the sigstore-go library.
- responses[].result.version.attestations[]: object[]
Attestations for this package version.
- responses[].result.version.attestations[].type: string
The type of attestation. One of https://slsa.dev/provenance/v0.2, https://slsa.dev/provenance/v1, https://docs.pypi.org/attestations/publish/v1.
- responses[].result.version.attestations[].url: string
The URL of the attestation if there is one.
- responses[].result.version.attestations[].verified: boolean
The attestation has been cryptographically verified by deps.dev. For attestations distributed in a Sigstore bundle, this field indicates the bundle was verified using the sigstore-go library.
- responses[].result.version.attestations[].sourceRepository: string
Only set if type is https://slsa.dev/provenance/v0.2, https://slsa.dev/provenance/v1, https://docs.pypi.org/attestations/publish/v1. The source code repository used to build the version.
- responses[].result.version.attestations[].commit: string
The commit of the source code repository the version was built from.
- responses[].result.version.registries[]: string[]
URLs for the package management registries this package version is available from. Only set for systems that use a central repository for package distribution: Cargo, Maven, npm, NuGet, and PyPI.
- responses[].result.version.relatedProjects[]: object[]
Projects that are related to this package version.
- responses[].result.version.relatedProjects[].projectKey: object
The identifier for the project.
- responses[].result.version.relatedProjects[].projectKey.id: string
A project identifier of the form
github.com/user/repo
,gitlab.com/user/repo
, orbitbucket.org/user/repo
.- responses[].result.version.relatedProjects[].relationProvenance: string
How the mapping between project and package version was discovered.
Can be one of
SLSA_ATTESTATION
,GO_ORIGIN
,PYPI_PUBLISH_ATTESTATION
,UNVERIFIED_METADATA
.- responses[].result.version.relatedProjects[].relationType: string
What the relationship between the project and the package version is.
Can be one of
SOURCE_REPO
,ISSUE_TRACKER
.- responses[].result.version.upstreamIdentifiers[]: object[]
Some upstream identifiers used to refer to this package version.
- responses[].result.version.upstreamIdentifiers[].packageName: string
The non-normalized package name string.
- responses[].result.version.upstreamIdentifiers[].versionString: string
The non-normalized version string.
- responses[].result.version.upstreamIdentifiers[].source: string
The upstream source for this identifier.
- nextPageToken: string
If set, this batch is not the full result set. This page token may be used to fetch more results in a subsequent request.
Data
deps.dev aggregates data from a number of sources:
- Package data (including package and version names, descriptions, dependency requirements, etc)
- Project data (including project names, descriptions, forks and stars, etc)
- Security advisories
- Associated data
For details on using the data from these sources, please consult their documentation.
As well as aggregating data, deps.dev generates additional data, including resolved dependencies, advisory statistics, associations between entities, etc. This generated data is available under a CC-BY 4.0 license.
Terms
Use of the deps.dev API is subject to the Google API Terms of Service.
Clients are expressly permitted to cache data served by the API.
Contact us
If you have questions about the API, or want to report a problem, please create an issue or contact us at depsdev@google.com.