deps.dev is a service developed and hosted by Google to help developers better understand the structure, construction, and security of open source software packages.
The deps.dev API can be accessed in two ways: as JSON over HTTP, as well as via gRPC. This repository contains the service definition for the gRPC API, along with example applications for both APIs.
There are two versions of the deps.dev API:
- v3, proto: Core features with a stability guarantee and deprecation policy. Recommended for most users.
- v3alpha, proto: All the features of v3, with additional experimental features. May change in incompatible ways from time to time.
The HTTP API can be accessed using any HTTP client. To quickly get started, you
can use the curl
command-line tool. Example:
curl 'https://api.deps.dev/v3/systems/npm/packages/%40colors%2Fcolors'
Note that the @
and /
in the package name have been percent-encoded.
For complete documentation on the HTTP API, please visit docs.deps.dev.
The gRPC API can be accessed using any gRPC client. The service definition, which describes the methods of the API along with their request and response messages, can be found in api/v3/api.proto
To quickly get started exploring the API, you can use the
grpcurl
command-line tool.
Example:
grpcurl \
-d '{"package_key":{"system":"NPM","name":"@colors/colors"}}' \
api.deps.dev:443 \
deps_dev.v3.Insights/GetPackage
Example applications written in Go can be found in the examples
directory:
artifact_query
shows how to query the deps.dev HTTP API by file content hash.dependencies_dot
fetches a resolved dependency graph from the deps.dev HTTP API and renders it in the DOT language used by Graphviz.maven_parse_resolve
parses and processes a Maven pom.xml and then calls the resolver to generate the dependency graph.package_lock_licenses
andpackage_lock_licenses_batch
read dependencies from an npm package-lock.json file and fetch their licenses from deps.dev, using concurrent requests to the gRPC API or batch requests to the HTTP API, respectively.resolve
performs dependency resolution for a single version of a published npm package, and then compares the resulting graph with the result fromGetDependencies
endpoint.
Note that these are community built tools and unsupported by the core deps.dev maintainers.
edoardottt/depsdev
CLI client (and Golang module) for deps.dev API.safedep/vet
CLI tool for policy driven vetting of open source dependencies using deps.dev API as a data source.
deps.dev aggregates data from a number of sources:
- Package data (including package and version names, descriptions, dependency requirements, etc)
- Project data (including project names, descriptions, forks and stars, etc)
- Security advisories
- Associated data
For details on using the data from these sources, please consult their documentation.
As well as aggregating data, deps.dev generates additional data, including resolved dependencies, advisory statistics, associations between entities, etc. This generated data is available under a CC-BY 4.0 license.
Use of the deps.dev API is subject to the Google API Terms of Service.
Clients are expressly permitted to cache data served by the API.
If you have questions about the API, or want to report a problem, please create an issue or contact us at [email protected].