Package health & dependency-security API — should I depend on this?
Before an agent adds a dependency, get the whole picture in one call — latest version, license, known advisories, OpenSSF security score and popularity, across npm, PyPI, Go, Maven, Cargo and more.
The call
Keyless over MCP, or one REST call with a free key. Every datapoint is provenance-stamped and citeable.
# REST (free key)
curl -H "X-API-Key: $KEY" "https://dynamicfeed.ai/package-health?package=lodash&ecosystem=npm"
# MCP (keyless) — point any client at https://dynamicfeed.ai/mcp, then call:
package_health(package="requests", ecosystem="pypi")
Sample response
{ "package": "requests", "ecosystem": "pypi", "version": "2.32.3",
"licenses": ["Apache-2.0"], "known_advisories": 0,
"openssf_scorecard": {"overall": 8.3, "weakest": [{"check":"Fuzzing","score":0}]}, "stars": 53000 }
Why live data
An agent that installs a dependency inherits its license, its maintenance risk and its vulnerabilities — none of which a model knows from training data. This is the live posture from deps.dev (Google Open Source Insights): the OpenSSF Scorecard, the license, the advisory count and the popularity, in one keyless call, so an agent can vet a package before it ships it.
Use it for
- Vet a dependency before an agent installs or recommends it
- Audit license compliance across a dependency list at scale
- Flag low-OpenSSF-score or advisory-laden packages in a supply chain
FAQ
Where does the data come from?
deps.dev — Google's Open Source Insights — which aggregates package metadata, licenses, security advisories and OpenSSF Scorecards. Keyless over MCP.
Which ecosystems are covered?
npm, PyPI, Go, Maven, Cargo, NuGet and RubyGems.
How is this different from the CVE check?
check_vulnerability tells you if a specific version is vulnerable; package_health gives the whole posture — license, maintenance, OpenSSF score and popularity — to decide whether to depend on it at all.