API Reference

API Documentation

Free, open API. No auth required for public endpoints. JSON responses.

Base URL: https://depscope.dev
Auth: None for public endpoints. Higher limits via API keys.
Rate limit: 200 req/min per IP (bypassed for major AI agents: Claude, GPT, Cursor, Windsurf, Copilot, ...)
Format: JSON (UTF-8). /api/prompt returns text/plain.
Caching: 6h edge (Cloudflare) + 6h Redis. gzip + brotli. Cache-Control with stale-while-revalidate — agents never wait on refresh.
MCP: 22 consolidated tools at mcp.depscope.dev/mcp (remote, zero install).
OpenAPI: openapi.json · Swagger UI

Core

The 5 endpoints that cover 80% of agent use.

GET /api/check/{ecosystem}/{package}

Full package intelligence. THE most-used endpoint. Returns health + vulns + versions + license_risk + historical_compromise + recommendation.

Parameters
  • ecosystem (path): One of 17 supported (npm, pypi, cargo, go, maven, ...)
  • package (path): Package name (scoped OK: @anthropic-ai/sdk)
  • version (query): Optional pinned version. Returns version_scoped block with CVE filter for THAT version.
Notable fields
  • recommendation.action (safe_to_use | update_required | use_with_caution | find_alternative | do_not_use | legacy_but_working | insufficient_data)
  • license_risk (permissive | weak_copyleft | strong_copyleft | network_copyleft | proprietary | unknown)
  • commercial_use_notes — one-line commercial-use guidance
  • historical_compromise — KB matches ([email protected], ua-parser-js 0.7.29, etc.)
  • version_scoped (when ?version= passed): vulns + recommendation scoped to that version
  • downloads_weekly (null when registry does not expose)
curl https://depscope.dev/api/check/npm/axios
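How an agent or CI step can turn a /api/check reply into an install decision, honouring the version_scoped block when a version was pinned. This is an added example, not DepScope client code; the top-level field names come from the reference above, while the shape of historical_compromise (a list of KB match strings) and of version_scoped.recommendation are assumptions, and SAMPLE is a constructed reply.

```python
"""Gate an install on a decoded DepScope /api/check response.
Added example, not DepScope's own code. Top-level field names are from the
reference above; the shapes of historical_compromise (list of KB match
strings) and version_scoped.recommendation are assumptions."""
from typing import Optional
from urllib.parse import urlencode

BASE_URL = "https://depscope.dev"
# recommendation.action values documented for /api/check
BLOCK = {"do_not_use", "find_alternative"}
WARN = {"update_required", "use_with_caution", "legacy_but_working", "insufficient_data"}
COPYLEFT = {"strong_copyleft", "network_copyleft"}


def check_url(ecosystem: str, package: str, version: Optional[str] = None) -> str:
    """Build the /api/check URL; ?version= asks for the version_scoped block."""
    url = f"{BASE_URL}/api/check/{ecosystem}/{package}"
    return f"{url}?{urlencode({'version': version})}" if version else url


def install_gate(resp: dict) -> dict:
    """Return {"verdict": allow|warn|block, "action": ..., "reasons": [...]}.
    With ?version= the reply carries version_scoped, whose recommendation is
    filtered to that version and so overrides the package-level one."""
    scoped = resp.get("version_scoped") or {}
    rec = scoped.get("recommendation") or resp.get("recommendation") or {}
    action = rec.get("action", "insufficient_data")
    verdict, reasons = "allow", []
    if action in BLOCK:
        verdict, reasons = "block", [f"recommendation.action={action}"]
    elif action in WARN:
        verdict, reasons = "warn", [f"recommendation.action={action}"]
    # A KB match for a past compromise is a hard stop whatever the action says.
    hits = resp.get("historical_compromise") or []
    if hits:
        verdict = "block"
        reasons.append("historical_compromise: " + ", ".join(map(str, hits)))
    # Copyleft is a policy question, not a vuln: surface it, do not block on it.
    if resp.get("license_risk") in COPYLEFT:
        verdict = "warn" if verdict == "allow" else verdict
        reasons.append(f"license_risk={resp['license_risk']}")
    return {"verdict": verdict, "action": action, "reasons": reasons}


# Constructed reply shaped after the fields above (not a real DepScope response):
# package-level says safe_to_use, but the pinned version needs an update.
SAMPLE = {"recommendation": {"action": "safe_to_use"}, "license_risk": "permissive",
          "historical_compromise": [],
          "version_scoped": {"recommendation": {"action": "update_required"}}}
```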
GET /api/prompt/{ecosystem}/{package}

LLM-optimized plain-text brief (~500 tokens). Drop-in for system prompts. Token-saving vs raw JSON.

Parameters
  • version (query): Optional pinned version. The brief renders THAT version's view.
curl https://depscope.dev/api/prompt/npm/axios?version=0.21.1
GET /api/health/{ecosystem}/{package}

Just the 0–100 health score + breakdown. Cheapest call.

Parameters
  • version (query): Optional pinned version.
curl https://depscope.dev/api/health/pypi/fastapi
GET /api/exists/{ecosystem}/{package}

DB-only existence probe. <10ms. Use before suggesting an unfamiliar name.

curl https://depscope.dev/api/exists/pypi/django
GET /api/latest/{ecosystem}/{package}

Latest version only. Cached.

curl https://depscope.dev/api/latest/npm/express

Security

Typosquat, malicious, maintainer trust, Scorecard, provenance.

GET /api/vulns/{ecosystem}/{package}

Known vulnerabilities from OSV (filtered to latest version). KEV + EPSS enriched.

curl https://depscope.dev/api/vulns/npm/lodash
GET /api/malicious/{ecosystem}/{package}

OpenSSF malicious package feed (224k entries). Sanity-guarded on mainstream packages.

curl https://depscope.dev/api/malicious/npm/ua-parser-js
GET /api/typosquat/{ecosystem}/{package}

Typosquat detector. Pre-computed + runtime Levenshtein against top-1M-downloads packages.

curl https://depscope.dev/api/typosquat/npm/lodsh
GET /api/maintainers/{ecosystem}/{package}

Per-package maintainer info: count, bus factor, alerts.

curl https://depscope.dev/api/maintainers/npm/express
GET /api/maintainer/trust/{platform}/{username}

Per-maintainer trust score (0–100). E.g. check if 'vercel' or 'facebook' is a safe maintainer.

curl https://depscope.dev/api/maintainer/trust/npm/vercel
GET /api/scorecard/{ecosystem}/{package}

OSS Scorecard score (0–10) + branch-protection, signed-releases, pinned-dependencies signals.

curl https://depscope.dev/api/scorecard/npm/react
GET /api/provenance/{ecosystem}/{package}

npm provenance / Sigstore attestations.

curl https://depscope.dev/api/provenance/npm/prettier

Stack / projects

Scan (with lockfile + SBOM), compare, compat, alternatives, migration.

POST /api/scan

Audit a whole project. Accepts explicit packages dict OR a lockfile string (9 formats: package-lock, pnpm-lock, yarn.lock, poetry.lock, Pipfile.lock, composer.lock, Cargo.lock, requirements.txt, go.sum). Optional SBOM output.

Parameters
  • ecosystem (body, string): npm, pypi, cargo, etc. Auto-detected when lockfile is passed.
  • packages (body, object): {name: version_or_range}. Required unless lockfile is sent.
  • lockfile (body, string): raw lockfile content — alternative to packages.
  • lockfile_kind (body, string, optional): pnpm-lock.yaml / yarn.lock / poetry.lock / Pipfile.lock / composer.lock / Cargo.lock / requirements.txt / go.sum / package-lock.json. Auto-detected if omitted.
  • format (body): native | cyclonedx | spdx. Default native.
  • include_transitive (body, bool): Reserved — lockfiles already give full graph.
curl -X POST https://depscope.dev/api/scan -H 'content-type: application/json' -d '{"lockfile":"flask==3.0.0\nrequests==2.31.0","lockfile_kind":"requirements.txt"}'
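Assembling the /api/scan body programmatically, so the lockfile string is JSON-escaped by the serializer rather than by hand as in the curl line above, and the documented rules (packages required unless lockfile is sent, lockfile_kind chosen from the nine listed names) are enforced before the request leaves the client. Added example, not DepScope's own client code; SAMPLE_REQS is a constructed two-line requirements.txt, and sending the bytes is left to the caller.

```python
"""Build the body of a DepScope POST /api/scan request.
Added example, not DepScope's own client code. Field names and the nine
lockfile kinds are from the reference above; sending the bytes over HTTP
is left to the caller."""
import json
import os
from typing import Optional

SCAN_URL = "https://depscope.dev/api/scan"
LOCKFILE_KINDS = {"package-lock.json", "pnpm-lock.yaml", "yarn.lock",
                  "poetry.lock", "Pipfile.lock", "composer.lock", "Cargo.lock",
                  "requirements.txt", "go.sum"}
FORMATS = {"native", "cyclonedx", "spdx"}


def lockfile_kind_for(path: str) -> Optional[str]:
    """Map a path to a documented lockfile_kind by basename; None if unknown
    (the service then auto-detects the kind from the content)."""
    name = os.path.basename(path)
    return name if name in LOCKFILE_KINDS else None


def scan_body(*, lockfile: Optional[str] = None, lockfile_path: str = "",
              packages: Optional[dict] = None, ecosystem: Optional[str] = None,
              fmt: str = "native") -> dict:
    """Assemble the JSON object for /api/scan from a raw lockfile string
    or a {name: version_or_range} dict, enforcing the documented rules."""
    if fmt not in FORMATS:
        raise ValueError(f"format must be one of {sorted(FORMATS)}")
    if lockfile is None and not packages:
        raise ValueError("packages is required unless lockfile is sent")
    body: dict = {"format": fmt}
    if lockfile is not None:
        body["lockfile"] = lockfile
        kind = lockfile_kind_for(lockfile_path)
        if kind:
            body["lockfile_kind"] = kind
    else:
        if not ecosystem:  # only auto-detected from a lockfile, so needed here
            raise ValueError("ecosystem is required with a packages dict")
        body["packages"] = packages
    if ecosystem:
        body["ecosystem"] = ecosystem
    return body


def encode(body: dict) -> bytes:
    """Serialize for the wire; json.dumps escapes the raw lockfile's newlines."""
    return json.dumps(body).encode("utf-8")


# Constructed two-line requirements.txt, the same input as the curl example.
SAMPLE_REQS = "flask==3.0.0\nrequests==2.31.0"
```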
GET /api/compare/{ecosystem}/{pkg1},{pkg2},...

Side-by-side comparison (2–10 packages). Caveats per package (deprecated, low-adoption, vulns, higher-deps).

curl https://depscope.dev/api/compare/npm/express,fastify,hono
POST /api/compat

Test compatibility of a stack before upgrading.

Parameters
  • packages (body, object): {name: version}. E.g. {next:"15",react:"19",react-dom:"19"}.
curl -X POST https://depscope.dev/api/compat -H 'content-type: application/json' -d '{"packages":{"next":"15","react":"19"}}'
GET /api/alternatives/{ecosystem}/{package}

Curated alternatives (especially for deprecated packages: request → axios/got, moment → dayjs, …).

curl https://depscope.dev/api/alternatives/npm/request
GET /api/migration/{ecosystem}/{from}/{to}

Curated migration path with before/after code diff, rationale, breaking changes, estimated effort.

curl https://depscope.dev/api/migration/npm/request/axios

Discovery

Trending, tree, versions, install command, pin-safe.

GET /api/trending

Trending packages across ecosystems. Live rank + weekly growth.

curl 'https://depscope.dev/api/trending?limit=20'
GET /api/tree/{ecosystem}/{package}

Full transitive dependency tree (flattened).

curl https://depscope.dev/api/tree/npm/express
GET /api/licenses/{ecosystem}/{package}

License audit across transitive deps.

curl https://depscope.dev/api/licenses/npm/express
GET /api/versions/{ecosystem}/{package}

Full version history.

curl https://depscope.dev/api/versions/cargo/serde
GET /api/history/{ecosystem}/{package}

Historical health and download trajectory (90d).

curl https://depscope.dev/api/history/npm/express
GET /api/install/{ecosystem}/{package}

Install command generator (cross-ecosystem: npm install, pip install, cargo add, ...).

curl https://depscope.dev/api/install/cargo/serde
GET /api/pin_safe/{ecosystem}/{package}

Recommend a safe version to pin (latest stable, with no known critical CVEs).

curl https://depscope.dev/api/pin_safe/npm/express

Errors & bugs

Text search + exact-match resolution + breaking changes.

GET /api/error

Free-text search across the error → fix database.

Parameters
  • q (query): Search keyword(s)
curl 'https://depscope.dev/api/error?q=Cannot+find+module'
POST /api/error/resolve

Exact-match resolution from a full stack trace.

curl -X POST https://depscope.dev/api/error/resolve -H 'content-type: application/json' -d '{"error":"Error: Cannot find module \'express\' at Function.Module._resolveFilename..."}'
GET /api/bugs/{ecosystem}/{package}

Known non-CVE bugs (GitHub issues with repro).

curl 'https://depscope.dev/api/bugs/npm/react?version=19.0.0'
GET /api/breaking/{ecosystem}/{package}

Breaking changes between two majors (with migration hints).

curl 'https://depscope.dev/api/breaking/npm/next?from_version=14&to_version=16'

Meta

Stats, ecosystems metadata, time.

GET /api/stats

Platform stats (ecosystem counts, trending, intel — agents_breakdown, hallucinations_week).

curl https://depscope.dev/api/stats
GET /api/ecosystems

Supported ecosystems with package/vuln counts + registry URLs.

curl https://depscope.dev/api/ecosystems
GET /api/now

Current UTC time. Agents use this to check server time awareness.

curl https://depscope.dev/api/now

Badges

Embed health score badges in your README or docs.

GET /badge/{ecosystem}/{package}

Health score badge (SVG). Embed in README.

curl:
curl https://depscope.dev/badge/npm/express
Markdown:
![DepScope](https://depscope.dev/badge/npm/express)
GET /badge/score/{ecosystem}/{package}

Score-only badge variant (compact).

curl:
curl https://depscope.dev/badge/score/pypi/django
Markdown:
![Score](https://depscope.dev/badge/score/pypi/django)

Badge colors

  • 80–100: Green
  • 60–79: Yellow
  • 40–59: Orange
  • 0–39: Red

Health score breakdown

Algorithmic score (0–100) from multiple signals.

  • Maintenance (25): Last release date
  • Security (25): Known CVEs, KEV, EPSS
  • Popularity (20): Weekly downloads
  • Maturity (15): Version count
  • Community (15): Maintainers + bus factor

For AI agents

DepScope is designed to be called by AI agents before suggesting any package install. Wire it in once and every npm install / pip install decision is one fresh HTTP call away. Use /api/prompt for cheap token-efficient briefs, /api/check when you need the full JSON.

ChatGPT / OpenAI Actions: https://depscope.dev/.well-known/ai-plugin.json
OpenAPI spec: https://depscope.dev/openapi.json
Interactive docs (Swagger): https://depscope.dev/docs
MCP server (remote, zero install): https://mcp.depscope.dev/mcp
MCP manifest (.well-known): https://depscope.dev/.well-known/mcp.json