# deps.dev API
> Software supply-chain and dependency intelligence as an API, powered by deps.dev — Google's Open Source Insights service. Across six package ecosystems (npm, PyPI, Maven, Cargo, Go and NuGet) it answers the questions a registry cannot: what does installing this package actually pull in, and how healthy is the project behind it. List a package's published versions and its default version; read a specific version's declared licenses, the keys of any known security advisories, useful links (source repository, homepage, issue tracker) and related projects; resolve a version's complete TRANSITIVE dependency graph — the total dependency count, the direct dependencies and every transitive node with its exact resolved version and whether it is a direct or indirect dependency; and look up a source project's OpenSSF Scorecard — the overall security score plus per-check results for Maintained, Code-Review, Branch-Protection, Dangerous-Workflow, Vulnerabilities and more — alongside its stars, forks, open issues, license and homepage. For Go modules and Maven artifacts the package name is the full module path or group:artifact (URL-encoded automatically). Ideal for dependency auditing, software-bill-of-materials (SBOM) enrichment, supply-chain risk assessment and license-compliance tooling. Data from deps.dev (Google, CC-BY).

## Authentication
All requests require your oanor API key in the `x-oanor-key` header. Get one at https://www.oanor.com/developer/keys.

```bash
curl -H "x-oanor-key: oanor_live_…" "https://api.oanor.com/depsdev-api/..."
```

## Pricing
- **Free** (Free) — 620 calls/Mo, 2 req/s
- **Starter** ($7/Mo) — 23,000 calls/Mo, 6 req/s
- **Pro** ($20/Mo) — 99,000 calls/Mo, 15 req/s
- **Mega** ($56/Mo) — 430,000 calls/Mo, 40 req/s

## Endpoints

### Packages

#### `GET /v1/package` — A package's versions

**Parameters:**
- `system` (query, required, string) — Ecosystem, one of `npm`, `pypi`, `maven`, `cargo`, `go`, `nuget`. Example: `npm`
- `name` (query, required, string) — Package name. Example: `express`

**Example:**
```bash
curl -H "x-oanor-key: $KEY" \
  "https://api.oanor.com/depsdev-api/v1/package?system=npm&name=express"
```

**Response:**
```json
{
    "data": {
        "name": "express",
        "system": "npm",
        "versions": [
            {
                "version": "0.14.0",
                "is_default": false,
                "published_at": "2010-12-29T19:38:25Z"
            },
            {
                "version": "0.14.1",
                "is_default": false,
                "published_at": "2010-12-29T19:38:25Z"
            },
            {
                "version": "1.0.0",
                "is_default": false,
                "published_at": "2010-12-29T19:38:25Z"
            },
            {
                "version": "1.0.0-beta",
                "is_default": false,
                "published_at": "2013-08-28T17:04:36Z"
            },
            {
                "version": "1.0.0-beta2",
                "is_default": false,
                "published_at": "2013-08-28T17:04:36Z"
            },
            {
                "version": "1.0.0-rc",
                "is_default": false,
                "published_at": "2013-08-28T17:04:36Z"
            },
            {
                "version": "1.0.0-rc2",
                "is_default": false,
                "published_at": "2013-08-28T17:04:36Z"
            },
            {
                "version": "1.0.0-rc3",
                "is_default": false,
                "published_at": "2013-08-28T17:04:36Z"
            },
            {
                "version": "1.0.0-rc4",
                "is_default": false,
                "published_at": "2013-0
…(truncated, see openapi.json for full schema)
```

#### `GET /v1/version` — A version's licenses & advisories

**Parameters:**
- `system` (query, required, string) — Ecosystem. Example: `npm`
- `name` (query, required, string) — Package name. Example: `express`
- `version` (query, required, string) — Version. Example: `4.18.2`

**Example:**
```bash
curl -H "x-oanor-key: $KEY" \
  "https://api.oanor.com/depsdev-api/v1/version?system=npm&name=express&version=4.18.2"
```

**Response:**
```json
{
    "data": {
        "version": {
            "name": "express",
            "links": [
                {
                    "url": "http://expressjs.com/",
                    "label": "HOMEPAGE"
                },
                {
                    "url": "https://github.com/expressjs/express/issues",
                    "label": "ISSUE_TRACKER"
                },
                {
                    "url": "https://registry.npmjs.org/express/4.18.2",
                    "label": "ORIGIN"
                },
                {
                    "url": "git+https://github.com/expressjs/express.git",
                    "label": "SOURCE_REPO"
                }
            ],
            "system": "npm",
            "version": "4.18.2",
            "licenses": [
                "MIT"
            ],
            "advisories": [
                "GHSA-qw6h-vgh9-j6wx",
                "GHSA-rv95-896h-c2vc"
            ],
            "is_default": false,
            "published_at": "2022-10-08T20:14:32Z",
            "advisory_count": 2,
            "related_projects": [
                {
                    "id": "github.com/expressjs/express",
                    "relation": "ISSUE_TRACKER"
                },
                {
                    "id": "github.com/expressjs/express",
                    "relation": "SOURCE_REPO"
                }
            ]
        }
    },
    "meta": {
        "timestamp": "2026-06-01T08:13:17.935Z",
        "request_id": "2d59e6a6-87
…(truncated, see openapi.json for full schema)
```

### Supply chain

#### `GET /v1/dependencies` — Resolved transitive dependency graph

**Parameters:**
- `system` (query, required, string) — Ecosystem. Example: `npm`
- `name` (query, required, string) — Package name. Example: `express`
- `version` (query, required, string) — Version. Example: `4.18.2`
- `limit` (query, optional, string) — Max nodes (1-1000)

**Example:**
```bash
curl -H "x-oanor-key: $KEY" \
  "https://api.oanor.com/depsdev-api/v1/dependencies?system=npm&name=express&version=4.18.2"
```

**Response:**
```json
{
    "data": {
        "name": "express",
        "direct": [
            "accepts@1.3.8",
            "array-flatten@1.1.1",
            "body-parser@1.20.1",
            "content-disposition@0.5.4",
            "content-type@1.0.5",
            "cookie@0.5.0",
            "cookie-signature@1.0.6",
            "debug@2.6.9",
            "depd@2.0.0",
            "encodeurl@1.0.2",
            "escape-html@1.0.3",
            "etag@1.8.1",
            "finalhandler@1.2.0",
            "fresh@0.5.2",
            "http-errors@2.0.0",
            "merge-descriptors@1.0.1",
            "methods@1.1.2",
            "on-finished@2.4.1",
            "parseurl@1.3.3",
            "path-to-regexp@0.1.7",
            "proxy-addr@2.0.7",
            "qs@6.11.0",
            "range-parser@1.2.1",
            "safe-buffer@5.2.1",
            "send@0.18.0",
            "serve-static@1.15.0",
            "setprototypeof@1.2.0",
            "statuses@2.0.1",
            "type-is@1.6.18",
            "utils-merge@1.0.1",
            "vary@1.1.2"
        ],
        "system": "npm",
        "version": "4.18.2",
        "dependencies": [
            {
                "name": "accepts",
                "errors": [],
                "version": "1.3.8",
                "relation": "direct"
            },
            {
                "name": "array-flatten",
                "errors": [],
                "version": "1.1.1",
                "relation": "direct"
            },
            {
         
…(truncated, see openapi.json for full schema)
```
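
An added example (not part of the oanor or deps.dev documentation): joining `/v1/dependencies` with `/v1/version` to report every resolved node that carries advisory keys, a license outside an allow-list, or a resolution error. The injected `fetch` callable, the `indirect` relation value, the license policy and all sample responses (including the advisory key) are assumptions constructed for illustration; the field names are those shown in the responses on this page.

```python
from urllib.parse import urlencode

BASE = "https://api.oanor.com/depsdev-api"
ALLOWED = {"MIT", "ISC", "Apache-2.0"}  # example license policy (assumption)

def build_url(path, **params):
    # urlencode keeps Maven group:artifact and Go module paths intact in the query
    return f"{BASE}{path}?{urlencode(params)}"

def audit(system, name, version, fetch):
    """Walk the resolved graph; fetch(url) returns the parsed JSON body."""
    graph = fetch(build_url("/v1/dependencies", system=system, name=name,
                            version=version))["data"]
    findings = []
    for node in graph["dependencies"]:
        ident = (f'{node["name"]}@{node["version"]}', node["relation"])
        if node.get("errors"):
            # A resolution error means the graph may be incomplete: report it
            findings.append((*ident, "unresolved", list(node["errors"])))
            continue
        ver = fetch(build_url("/v1/version", system=system, name=node["name"],
                              version=node["version"]))["data"]["version"]
        if ver.get("advisories"):
            findings.append((*ident, "advisory", list(ver["advisories"])))
        licenses = ver.get("licenses") or ["<none declared>"]
        bad = sorted(lic for lic in licenses if lic not in ALLOWED)
        if bad:
            findings.append((*ident, "license", bad))
    return findings

# --- constructed sample responses (not real API output) ---
def version_body(licenses, advisories):
    return {"data": {"version": {"licenses": licenses, "advisories": advisories}}}

DEPS = [
    {"name": "org.example:core", "version": "2.1.0", "relation": "direct", "errors": []},
    {"name": "org.example:codec", "version": "0.9.3", "relation": "indirect", "errors": []},
    {"name": "org.example:legacy", "version": "0.1.0", "relation": "indirect",
     "errors": ["constructed resolution error"]},
]
SAMPLE = {
    build_url("/v1/dependencies", system="maven", name="org.example:app",
              version="1.0.0"): {"data": {"dependencies": DEPS}},
    build_url("/v1/version", system="maven", name="org.example:core",
              version="2.1.0"): version_body(["Apache-2.0"], []),
    build_url("/v1/version", system="maven", name="org.example:codec",
              version="0.9.3"): version_body(["GPL-3.0-only"], ["GHSA-0000-0000-0000"]),
}

if __name__ == "__main__":
    for finding in audit("maven", "org.example:app", "1.0.0", SAMPLE.__getitem__):
        print(finding)
```

Each resolved node costs one `/v1/version` call, so a large graph counts against the plan's monthly call quota and req/s limit.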

#### `GET /v1/project` — OpenSSF Scorecard & repo health

**Parameters:**
- `id` (query, required, string) — Source repo. Example: `github.com/expressjs/express`

**Example:**
```bash
curl -H "x-oanor-key: $KEY" \
  "https://api.oanor.com/depsdev-api/v1/project?id=github.com%2Fexpressjs%2Fexpress"
```

**Response:**
```json
{
    "data": {
        "project": {
            "id": "github.com/expressjs/express",
            "forks": 23442,
            "stars": 69057,
            "license": "MIT",
            "homepage": "https://expressjs.com",
            "scorecard": {
                "date": "2026-05-18T00:00:00Z",
                "repo": "github.com/expressjs/express",
                "score": 8.5,
                "checks": [
                    {
                        "name": "Maintained",
                        "score": 10,
                        "reason": "18 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10"
                    },
                    {
                        "name": "Dangerous-Workflow",
                        "score": 10,
                        "reason": "no dangerous workflow patterns detected"
                    },
                    {
                        "name": "Packaging",
                        "score": -1,
                        "reason": "packaging workflow not detected"
                    },
                    {
                        "name": "Code-Review",
                        "score": 10,
                        "reason": "all changesets reviewed"
                    },
                    {
                        "name": "Binary-Artifacts",
                        "score": 10,
                        "reason": "no binaries found in the repo"
                    },
                    {
                     
…(truncated, see openapi.json for full schema)
```
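
An added example (not from the oanor or deps.dev documentation): a policy gate over the `project` object of a `/v1/project` response. It separates checks that fail a threshold from checks Scorecard could not evaluate (score `-1`, as `Packaging` shows above) and rejects stale scans. The thresholds, the `strict` switch and the sample project are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

# Example policy (assumption): minimum score per Scorecard check
REQUIRED = {"Code-Review": 7, "Dangerous-Workflow": 10, "Maintained": 5,
            "Branch-Protection": 5}

def gate(project, now, min_overall=6.0, max_age_days=30, strict=True):
    """Evaluate the "project" object of a /v1/project response against REQUIRED."""
    result = {"failed": [], "inconclusive": []}
    card = project.get("scorecard")
    if not card:
        result["failed"].append("no scorecard for this repository")
        result["passed"] = False
        return result
    scanned = datetime.strptime(card["date"], "%Y-%m-%dT%H:%M:%SZ")
    if (now - scanned.replace(tzinfo=timezone.utc)).days > max_age_days:
        result["failed"].append(f"scorecard is stale (scanned {card['date']})")
    if card["score"] < min_overall:
        result["failed"].append(f"overall score {card['score']} < {min_overall}")
    checks = {c["name"]: c for c in card.get("checks", [])}
    for name, floor in REQUIRED.items():
        check = checks.get(name)
        if check is None or check["score"] < 0:
            # -1 means the check could not be evaluated: neither a pass nor a zero
            why = check["reason"] if check else "check absent from response"
            result["inconclusive"].append(f"{name}: {why}")
        elif check["score"] < floor:
            result["failed"].append(
                f"{name}: {check['score']} < {floor} ({check['reason']})")
    # strict=True fails closed when a required check is inconclusive
    result["passed"] = not result["failed"] and not (strict and result["inconclusive"])
    return result

# Constructed sample in the shape shown above (not real API output)
SAMPLE_PROJECT = {
    "id": "github.com/example/project",
    "scorecard": {"date": "2026-05-18T00:00:00Z", "score": 7.2, "checks": [
        {"name": "Maintained", "score": 10, "reason": "constructed: active"},
        {"name": "Code-Review", "score": 4, "reason": "constructed: few reviews"},
        {"name": "Dangerous-Workflow", "score": 10, "reason": "constructed: none"},
        {"name": "Branch-Protection", "score": -1, "reason": "constructed: not evaluated"},
    ]},
}
NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample
```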

### Meta

#### `GET /v1/meta` — Usage notes

**Example:**
```bash
curl -H "x-oanor-key: $KEY" \
  "https://api.oanor.com/depsdev-api/v1/meta"
```

**Response:**
```json
{
    "data": {
        "note": "Software supply-chain & dependency intelligence across six ecosystems (system = npm, pypi, maven, cargo, go, nuget). /v1/package?system=npm&name=express = a package's published versions and default version; /v1/version?system=npm&name=express&version=4.18.2 = a version's declared licenses, the keys of any known security advisories, useful links (source repo, homepage, issues) and related projects; /v1/dependencies?system=npm&name=express&version=4.18.2 = the fully RESOLVED transitive dependency graph for that exact version — total dependency count, the direct dependencies and every transitive node (name@version, direct/indirect) — the answer to 'what does installing this actually pull in?'; /v1/project?id=github.com/expressjs/express = a source project's OpenSSF Scorecard (overall score plus per-check scores for things like Maintained, Code-Review, Dangerous-Workflow, Vulnerabilities) together with stars, forks, open issues, license and homepage. For Go packages and Maven artifacts the name is the full module path / group:artifact (URL-encoded automatically). Ideal for dependency auditing, supply-chain risk assessment, SBOM enrichment and license compliance. Data from deps.dev (Google). For a single ecosystem's package metadata see the npm/PyPI/Cargo APIs; for the raw vulnerability database the OSV API.",
        "source": "deps.dev — Google Open Source Insights API (api.deps.dev)",
        "endpoints": [
            "/v1/package",
     
…(truncated, see openapi.json for full schema)
```


---
Marketplace page: https://www.oanor.com/api/depsdev-api
OpenAPI spec: https://www.oanor.com/api/depsdev-api/openapi.json
