Security and provenance for an open-source package, composed live from three authoritative sources in one call. Pass an ecosystem (npm, pypi, go, maven, cargo, nuget) and a package name, plus an optional version (defaults to latest). Returns: known vulnerabilities from OSV (osv.dev, which aggregates GitHub Security Advisories, PyPA, RustSec, Go vuln DB, etc.), each with its id, CVE aliases, summary, severity, and references; the resolved license and deprecation status (deps.dev); and the source repo's OpenSSF Scorecard health score (overall + per-check) plus stars/forks/open-issues. All live: newly-disclosed advisories appear within hours. Distinct from registry.npm-lookup / pypi-lookup (metadata only): this answers "is this dependency safe to add, what license does it carry, and how well-maintained is it."

| Network | Scheme | Amount | Pay To |
|---|---|---|---|
| Base | exact | $0.002160 USDC | 0x2b6D...32C5 |
| solana:5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp | exact | 0.00 tokens | TW6nta...yWhn |