deps.dev API

deps.dev is a service developed and hosted by Google to help developers better understand the structure, construction, and security of open source software packages.

The deps.dev API can be accessed in two ways: as JSON over HTTP and via gRPC. This repository contains the service definition for the gRPC API, along with example applications for both APIs.

There are two versions of the deps.dev API:

  • v3, proto: Core features with a stability guarantee and deprecation policy. Recommended for most users.
  • v3alpha, proto: All the features of v3, with additional experimental features. May change in incompatible ways from time to time.

Using the HTTP API

The HTTP API can be accessed using any HTTP client. To quickly get started, you can use the curl command-line tool. Example:

curl 'https://api.deps.dev/v3/systems/npm/packages/%40colors%2Fcolors'

Note that the @ and / in the package name have been percent-encoded.
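The percent-encoding caveat above is easy to get wrong when a package name comes from a lockfile or a user rather than being typed by hand, so here is an added example (not code from the deps.dev repository) that builds v3 HTTP API URLs with the name encoded as a single path segment, and reads a package response. It uses only the Python standard library. The response field names it reads (versions, versionKey, isDefault) are an assumption about the v3 Package message; check api/v3/api.proto. The sample response is constructed, and the version numbers in it are illustrative.

```python
"""Added example (not part of the deps.dev repository): build correctly
percent-encoded deps.dev v3 HTTP API URLs and read a package response."""
import json
import urllib.parse
import urllib.request

API_BASE = "https://api.deps.dev/v3"


def encode_segment(value: str) -> str:
    # safe="" is the important part: urllib.parse.quote leaves "/" alone by
    # default, which would turn the scoped name "@colors/colors" into two path
    # segments and point the request at a different resource. "@" is always
    # encoded, giving the same %40colors%2Fcolors as the curl example.
    return urllib.parse.quote(value, safe="")


def package_url(system: str, name: str) -> str:
    """URL of GET /v3/systems/{system}/packages/{name}."""
    return f"{API_BASE}/systems/{system.lower()}/packages/{encode_segment(name)}"


def version_url(system: str, name: str, version: str) -> str:
    """URL of GET /v3/systems/{system}/packages/{name}/versions/{version}."""
    return f"{package_url(system, name)}/versions/{encode_segment(version)}"


def fetch_json(url: str, timeout: float = 10.0) -> dict:
    """Perform the GET request (needs network access; not used offline)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def default_version(package: dict):
    """Return the version deps.dev marks as the package default, or None.

    Assumption: the reply carries a "versions" list whose entries have a
    "versionKey" object and an "isDefault" flag, as in the v3 Package message.
    """
    for entry in package.get("versions", []):
        if entry.get("isDefault"):
            return entry["versionKey"]["version"]
    return None


# Constructed sample, shaped like a v3 GetPackage reply. The version numbers
# and timestamps are illustrative only.
SAMPLE_PACKAGE = {
    "packageKey": {"system": "NPM", "name": "@colors/colors"},
    "versions": [
        {"versionKey": {"system": "NPM", "name": "@colors/colors", "version": "1.3.0"},
         "publishedAt": "2022-01-01T00:00:00Z", "isDefault": False},
        {"versionKey": {"system": "NPM", "name": "@colors/colors", "version": "1.4.0"},
         "publishedAt": "2022-02-01T00:00:00Z", "isDefault": True},
    ],
}

if __name__ == "__main__":
    url = package_url("npm", "@colors/colors")
    print(url)  # same URL as the curl example above
    print(default_version(SAMPLE_PACKAGE))
    # To query the live service instead of the constructed sample:
    # print(default_version(fetch_json(url)))
```

Keeping the encoding in one helper means every path segment (system, package name, version) is treated the same way, so names containing ":" (Maven coordinates) or "/" (npm scopes) can never change which resource the request addresses.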

For complete documentation on the HTTP API, please visit docs.deps.dev.

Using the gRPC API

The gRPC API can be accessed using any gRPC client. The service definition, which describes the methods of the API along with their request and response messages, can be found in api/v3/api.proto.

To quickly get started exploring the API, you can use the grpcurl command-line tool. Example:

grpcurl \
  -d '{"package_key":{"system":"NPM","name":"@colors/colors"}}' \
  api.deps.dev:443 \
  deps_dev.v3.Insights/GetPackage

Example applications

Example applications written in Go can be found in the examples directory:

  • artifact_query shows how to query the deps.dev HTTP API by file content hash.
  • dependencies_dot fetches a resolved dependency graph from the deps.dev HTTP API and renders it in the DOT language used by Graphviz.
  • maven_parse_resolve parses and processes a Maven pom.xml and then calls the resolver to generate the dependency graph.
  • package_lock_licenses and package_lock_licenses_batch read dependencies from an npm package-lock.json file and fetch their licenses from deps.dev, using concurrent requests to the gRPC API or batch requests to the HTTP API, respectively.
  • resolve performs dependency resolution for a single version of a published npm package, and then compares the resulting graph with the result from the GetDependencies endpoint.

Third party tools and integrations

Note that these are community-built tools and are not supported by the core deps.dev maintainers.

  • edoardottt/depsdev CLI client (and Golang module) for deps.dev API.
  • safedep/vet CLI tool for policy driven vetting of open source dependencies using deps.dev API as a data source.

Data

deps.dev aggregates data from a number of sources:

For details on using the data from these sources, please consult their documentation.

As well as aggregating data, deps.dev generates additional data, including resolved dependencies, advisory statistics, associations between entities, etc. This generated data is available under a CC-BY 4.0 license.

Terms

Use of the deps.dev API is subject to the Google API Terms of Service.

Clients are expressly permitted to cache data served by the API.

Contact us

If you have questions about the API, or want to report a problem, please create an issue or contact us at depsdev@google.com.