Developer
Package supply-chain risk score API
Compute a composite supply-chain risk score (0-100) and risk band for an npm or PyPI package by joining OSV.dev vulnerabilities, typosquat edit distance to the ecosystem's most-installed packages, and maintenance signals (age, days since last release, deprecation/yank) into a single weighted score with a rationale. Answers 'is this package safe to install', 'risk score for this npm package', 'is this a typosquat of a popular package', and 'should I trust this dependency'.
Price: $0.01 per request
Method: POST
Route: /v1/dev/package-risk
Status: Live
MIME type: application/json
Rate limit: 60/minute
Cache: 3600s public
Tags: dev, package-risk, supply-chain, npm, pypi, typosquat, osv, dependency-risk
API URL
Integration docs: https://x402.hexl.dev/v1/dev/package-risk
Example request
{
"ecosystem": "npm",
"package": "loadsh"
}
Example response
{
"package": "loadsh",
"ecosystem": "npm",
"riskScore": 47,
"riskBand": "high",
"recommendation": "review-carefully",
"vulnerabilities": {
"total": 0,
"CRITICAL": 0,
"HIGH": 0,
"MODERATE": 0,
"LOW": 0,
"ids": []
},
"typosquat": {
"suspected": true,
"looksLike": "lodash",
"editDistance": 1
},
"maintenance": {
"deprecated": false,
"yanked": false,
"ageDays": 800,
"daysSinceLastRelease": 400
},
"reasons": [
"name is 1 edit from popular package 'lodash' (possible typosquat)",
"no release in over a year (400 days)"
]
}
Input schema
{
"type": "object",
"required": [
"ecosystem",
"package"
],
"properties": {
"ecosystem": {
"type": "string",
"enum": [
"npm",
"PyPI"
],
"examples": [
"npm"
]
},
"package": {
"type": "string",
"examples": [
"loadsh"
]
},
"version": {
"type": "string",
"examples": [
"1.0.0"
]
}
}
}
Output schema
{
"type": "object",
"additionalProperties": true
}