Before an agent adds a dependency, get the whole picture in one call — latest version, license, known advisories, OpenSSF security score and popularity, across npm, PyPI, Go, Maven, Cargo and more.
Keyless over MCP, or one REST call with a free key. Every datapoint is provenance-stamped and citeable.
```
# REST (free key)
curl -H "X-API-Key: $KEY" "https://dynamicfeed.ai/package-health?package=lodash&ecosystem=npm"

# MCP (keyless): point any client at https://dynamicfeed.ai/mcp, then call:
package_health(package="requests", ecosystem="pypi")
```

```
{
  "package": "requests",
  "ecosystem": "pypi",
  "version": "2.32.3",
  "licenses": ["Apache-2.0"],
  "known_advisories": 0,
  "openssf_scorecard": {"overall": 8.3, "weakest": [{"check": "Fuzzing", "score": 0}]},
  "stars": 53000
}
```
An agent that installs a dependency inherits its license, its maintenance risk and its vulnerabilities — none of which a model knows from training data. This is the live posture from deps.dev (Google Open Source Insights): the OpenSSF Scorecard, the license, the advisory count and the popularity, in one keyless call, so an agent can vet a package before it ships it.
The data comes from deps.dev (Google's Open Source Insights), which aggregates package metadata, licenses, security advisories and OpenSSF Scorecards. Keyless over MCP.
Supported ecosystems: npm, PyPI, Go, Maven, Cargo, NuGet and RubyGems.
check_vulnerability tells you if a specific version is vulnerable; package_health gives the whole posture — license, maintenance, OpenSSF score and popularity — to decide whether to depend on it at all.
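One way an agent could turn the package_health response into an install decision, as an added example that is not part of the service's own code. The `vet` function, the license allowlist, the score threshold and the blocking Scorecard checks are assumptions chosen for illustration; the sample response is the one shown above.

```python
import json

# Sample response copied from the package_health example on this page.
SAMPLE = json.loads("""
{ "package": "requests", "ecosystem": "pypi", "version": "2.32.3",
  "licenses": ["Apache-2.0"], "known_advisories": 0,
  "openssf_scorecard": {"overall": 8.3, "weakest": [{"check": "Fuzzing", "score": 0}]},
  "stars": 53000 }
""")

# Assumed policy values (not from the page); tune them to your organisation.
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-2-Clause", "BSD-3-Clause", "ISC"}
MIN_SCORECARD = 6.0
# Scorecard checks that block an install when they score 0 (assumed choice).
BLOCKING_CHECKS = {"Dangerous-Workflow", "Branch-Protection"}


def vet(resp):
    """Return (allowed, reasons). Missing or malformed fields fail closed."""
    reasons = []
    licenses = resp.get("licenses")
    if not isinstance(licenses, list) or not licenses:
        reasons.append("license unknown")
    else:
        # Conservative assumption: every listed license must be allowlisted.
        bad = sorted(set(licenses) - ALLOWED_LICENSES)
        if bad:
            reasons.append("license not allowlisted: " + ", ".join(bad))

    advisories = resp.get("known_advisories")
    if not isinstance(advisories, int) or isinstance(advisories, bool):
        reasons.append("advisory count missing")
    elif advisories > 0:
        reasons.append(f"{advisories} known advisories")

    card = resp.get("openssf_scorecard")
    if not isinstance(card, dict):
        card = {}
    overall = card.get("overall")
    if not isinstance(overall, (int, float)):
        reasons.append("no OpenSSF Scorecard")
    elif overall < MIN_SCORECARD:
        reasons.append(f"scorecard {overall} below {MIN_SCORECARD}")
    for item in card.get("weakest", []):
        if item.get("check") in BLOCKING_CHECKS and item.get("score") == 0:
            reasons.append(f"blocking check at 0: {item['check']}")
    return (not reasons, reasons)
```

An empty or partial response is rejected rather than waved through, so an outage or a package unknown to the data source cannot silently pass the gate.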