{"id":16446497,"url":"https://github.com/edoardottt/depsdev","last_synced_at":"2026-04-14T11:00:27.109Z","repository":{"id":154011480,"uuid":"631187680","full_name":"edoardottt/depsdev","owner":"edoardottt","description":"CLI client (and Golang module) for deps.dev API. Free access to dependencies, licenses, advisories, and other critical health and security signals for open source package versions.","archived":false,"fork":false,"pushed_at":"2026-04-14T09:04:21.000Z","size":227,"stargazers_count":64,"open_issues_count":0,"forks_count":8,"subscribers_count":2,"default_branch":"main","last_synced_at":"2026-04-14T10:28:51.204Z","etag":null,"topics":["blue-team","cargo","defensive-security","dependency-management","dependency-scanning","dependency-security","go","go-module","golang-module","hacktoberfest","maven","npm","nuget","package-security","pypi","sbom","sbom-generator","security","supply-chain","supply-chain-management"],"latest_commit_sha":null,"homepage":"https://deps.dev","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/edoardottt.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":"edoardottt","liberapay":"edoardottt","patreon":"edoardottt","ko_fi":"edoardottt","open_collective":"edoardottt","custom":"https://www.paypal.me/edoardottt"}},"created_at":"2023-04-22T08:01:13.000Z","updated_at":"2026-04-14T08:58:14.000Z","dependencies_parsed_at":null,"dependency_job_id":"588bbe49-971a-4957-9a20-4b86b66172ee","html_url":"https://github.com/edoardottt/depsdev","commit_stats":null,"previous_names":[],"tags_count":14,"template":false,"template_full_name":null,"purl":"pkg:github/edoardottt/depsdev","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/edoardottt%2Fdepsdev","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/edoardottt%2Fdepsdev/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/edoardottt%2Fdepsdev/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/edoardottt%2Fdepsdev/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/edoardottt","download_url":"https://codeload.github.com/edoardottt/depsdev/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/edoardottt%2Fdepsdev/sbom","scorecard":{"id":366929,"data":{"date":"2025-08-11","repo":{"name":"github.com/edoardottt/depsdev","commit":"b3906d5b04db2487a1fc9c052196e4f3273eaee6"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":4.4,"checks":[{"name":"Code-Review","score":2,"reason":"Found 2/9 approved changesets -- score normalized to 2","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/edoardottt/depsdev/codeql.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/edoardottt/depsdev/codeql.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:61: update your workflow using https://app.stepsecurity.io/secureworkflow/edoardottt/depsdev/codeql.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:74: update your workflow using https://app.stepsecurity.io/secureworkflow/edoardottt/depsdev/codeql.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/go.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/edoardottt/depsdev/go.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/go.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/edoardottt/depsdev/go.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/golangci-lint.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/edoardottt/depsdev/golangci-lint.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/golangci-lint.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/edoardottt/depsdev/golangci-lint.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/golangci-lint.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/edoardottt/depsdev/golangci-lint.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-binary.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/edoardottt/depsdev/release-binary.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-binary.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/edoardottt/depsdev/release-binary.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-binary.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/edoardottt/depsdev/release-binary.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-test.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/edoardottt/depsdev/release-test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-test.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/edoardottt/depsdev/release-test.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-test.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/edoardottt/depsdev/release-test.yml/main?enable=pin","Info:   0 out of  12 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   3 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yml:28","Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:29","Warn: no topLevel permission defined: .github/workflows/codeql.yml:1","Warn: no topLevel permission defined: .github/workflows/go.yml:1","Info: topLevel 'contents' permission set to 'read': .github/workflows/golangci-lint.yml:11","Warn: no topLevel permission defined: .github/workflows/release-binary.yml:1","Warn: no topLevel permission defined: .github/workflows/release-test.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v0.1.0 not signed: https://api.github.com/repos/edoardottt/depsdev/releases/151699848","Warn: release artifact v0.1.0 does not have provenance: https://api.github.com/repos/edoardottt/depsdev/releases/151699848"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/release-test.yml:11"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":7,"reason":"SAST tool detected but not run on all commits","details":["Info: SAST configuration detected: CodeQL","Warn: 11 commits out of 29 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-18T12:02:12.458Z","repository_id":154011480,"created_at":"2025-08-18T12:02:12.458Z","updated_at":"2025-08-18T12:02:12.458Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31793225,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-14T02:24:21.117Z","status":"ssl_error","status_checked_at":"2026-04-14T02:24:20.627Z","response_time":153,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["blue-team","cargo","defensive-security","dependency-management","dependency-scanning","dependency-security","go","go-module","golang-module","hacktoberfest","maven","npm","nuget","package-security","pypi","sbom","sbom-generator","security","supply-chain","supply-chain-management"],"created_at":"2024-10-11T09:47:49.343Z","updated_at":"2026-04-14T11:00:27.103Z","avatar_url":"https://github.com/edoardottt.png","language":"Go","funding_links":["https://github.com/sponsors/edoardottt","https://liberapay.com/edoardottt","https://patreon.com/edoardottt","https://ko-fi.com/edoardottt","https://opencollective.com/edoardottt","https://www.paypal.me/edoardottt"],"categories":[],"sub_categories":[],"readme":"\u003ch1 align=\"center\"\u003e\n  depsdev\n  \u003cbr\u003e\n\u003c/h1\u003e\n\u003ch4 align=\"center\"\u003eCLI client (and Golang module) for deps.dev API.\u003cbr\u003eFree access to dependencies, licenses, advisories, and other critical health and security signals for open source package versions.\u003c/h4\u003e\n\n\u003ch6 align=\"center\"\u003e Coded with 💙 by edoardottt \u003c/h6\u003e\n\n\u003cp align=\"center\"\u003e\n\n  \u003ca href=\"https://goreportcard.com/report/github.com/edoardottt/depsdev\"\u003e\n      \u003cimg src=\"https://goreportcard.com/badge/github.com/edoardottt/depsdev\" alt=\"go report card\"\u003e\n  \u003c/a\u003e\n\n  \u003ca href=\"https://github.com/edoardottt/depsdev/actions\"\u003e\n      \u003cimg src=\"https://github.com/edoardottt/depsdev/actions/workflows/go.yml/badge.svg\" alt=\"go action\"\u003e\n  \u003c/a\u003e\n\n\u003cbr\u003e\n  \u003c!--Tweet button--\u003e\n  \u003ca href=\"https://twitter.com/intent/tweet?text=depsdev%20-%20CLI%20client%20for%20deps.dev%20API.%20Free%20access%20to%20dependencies%2C%20licenses%2C%20advisories%2C%20and%20other%20critical%20health%20and%20security%20signals%20for%20open%20source%20package%20versions.%20https%3A%2F%2Fgithub.com%2Fedoardottt%2Fdepsdev%20%23golang%20%23github%20%23linux%20%23infosec%20%23bugbounty%20%23security\" target=\"_blank\"\u003eShare on Twitter!\n  \u003c/a\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"#install-\"\u003eInstall\u003c/a\u003e •\n  \u003ca href=\"#get-started-\"\u003eGet Started\u003c/a\u003e •\n  \u003ca href=\"#examples-bulb\"\u003eExamples\u003c/a\u003e •\n  \u003ca href=\"#changelog-\"\u003eChangelog\u003c/a\u003e •\n  \u003ca href=\"#contributing-\"\u003eContributing\u003c/a\u003e •\n  \u003ca href=\"#license-\"\u003eLicense\u003c/a\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://github.com/edoardottt/images/blob/main/depsdev/depsdev.gif\"\u003e\n\u003c/p\u003e\n  \nInstall 📡\n----------\n\n### Using Snap\n\n```console\nsudo snap install depsdev\n```\n\n### Using Go\n\n```console\ngo install github.com/edoardottt/depsdev@latest\n```\n\nGet Started 🎉\n----------\n\n```console\nUsage:\n  depsdev [command]\n\nAvailable Commands:\n  advisory    Get info about an (OSV) advisory\n  completion  Generate the autocompletion script for the specified shell\n  deps        Get info about a package's dependencies\n  graph       Generate a Graphviz compatible dependencies graph\n  help        Help about any command\n  package     Get info about a package or a specific version of that\n  packages    Get info about a project's package versions (GitHub, GitLab, or BitBucket)\n  project     Get info about a project (GitHub, GitLab, or BitBucket)\n  query       Get info about multiple package versions using a query\n  reqs        Get info about a package's requirements\n\nFlags:\n  -h, --help   help for depsdev\n\nUse \"depsdev [command] --help\" for more information about a command.\n```\n\nExamples 💡\n----------\n\n\u003e **Note**\n\u003e The supported package managers are `go`, `npm`, `cargo`, `rubygems`, `maven`, `pypi` and `nuget`.  \n\nFor more information [read the API documentation](https://docs.deps.dev/api/v3).\n\n### Command Line\n\nGet information about a package, including a list of its available versions, with the default version marked if known.\n\n```console\ndepsdev package npm @colors/colors\n```\n\n\u003cbr\u003e\n\nGet information about a specific package version including its licenses and any security advisories known to affect it.\n\n```console\ndepsdev package npm @colors/colors 1.5.0\n```\n\n\u003cbr\u003e\n\nGet information about a resolved dependency graph for the given package version.\n\n```console\ndepsdev deps npm @colors/colors 1.5.0\n```\n\n\u003cbr\u003e\n\nGet information about projects hosted by GitHub, GitLab, or BitBucket (if available).\n\n```console\ndepsdev project github.com/facebook/react\n```\n\n\u003cbr\u003e\n\nGet information about security advisories hosted by OSV.\n\n```console\ndepsdev advisory GHSA-2qrg-x229-3v8q\n```\n\n\u003cbr\u003e\n\nGet information about multiple package versions, which can be specified by name, content hash, or both.\n\n```console\ndepsdev query \"versionKey.system=NPM\u0026versionKey.name=react\u0026versionKey.version=18.2.0\"\n```\n\n\u003cbr\u003e\n\nGenerate a Graphviz compatible dependencies graph for a specific version of a package.\n\n```console\ndepsdev graph npm slice-ansi 6.0.0\n```\n\n\u003cbr\u003e\n\nGet information about the package requirements for a given version in a system-specific format.\n\n```console\ndepsdev reqs npm slice-ansi 6.0.0\n```\n\n\u003cbr\u003e\n\nReturns known mappings between the requested project and package versions.\n\n```console\ndepsdev packages github.com/eslint/espree\n```\n\n### Go module\n\nYou can use *v3* or *v3alpha* API.\n\n#### v3\n\nCore features with a stability guarantee and deprecation policy. Recommended for most users.\n\n```Go\npackage main\n\nimport (\n  \"fmt\"\n  \"log\"\n\n  depsdev \"github.com/edoardottt/depsdev/pkg/depsdev/v3\"\n)\n\nfunc main() {\n  client := depsdev.NewV3API()\n  p, err := client.GetPackage(\"npm\", \"defangjs\")\n  if err != nil {\n    log.Fatal(err)\n  }\n\n  fmt.Println(p.PackageKey.Name)\n  //...\n}\n```\n\n#### v3alpha\n\nAll the features of v3, with additional experimental features. May change in incompatible ways from time to time.\n\n```Go\npackage main\n\nimport (\n  \"fmt\"\n  \"log\"\n\n  depsdev \"github.com/edoardottt/depsdev/pkg/depsdev/v3alpha\"\n)\n\nfunc main() {\n  client := depsdev.NewV3AlphaAPI()\n  p, err := client.GetPackage(\"npm\", \"defangjs\")\n  if err != nil {\n    log.Fatal(err)\n  }\n\n  fmt.Println(p.PackageKey.Name)\n  //...\n}\n```\n\nRead the full [`package documentation here`](https://pkg.go.dev/github.com/edoardottt/depsdev/pkg/depsdev)\n\nChangelog 📌\n-------\n\nDetailed changes for each release are documented in the [release notes](https://github.com/edoardottt/depsdev/releases).\n\nContributing 🛠\n-------\n\nJust open an [issue](https://github.com/edoardottt/depsdev/issues) / [pull request](https://github.com/edoardottt/depsdev/pulls).\n\nBefore opening a pull request, download [golangci-lint](https://golangci-lint.run/usage/install/) and run\n\n```console\ngolangci-lint run\n```\n\nIf there aren't errors, go ahead :)\n\nThe HTTP client implementation is partially taken from [@liamg/hackerone](https://github.com/liamg/hackerone).\n\nLicense 📝\n-------\n\nThis repository is under [Apache2.0 License](https://github.com/edoardottt/depsdev/blob/main/LICENSE).  \n[edoardottt.com](https://edoardottt.com) to contact me.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fedoardottt%2Fdepsdev","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fedoardottt%2Fdepsdev","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fedoardottt%2Fdepsdev/lists"}