DEV Community: Vincenzo Rubino The latest articles on DEV Community by Vincenzo Rubino (@depscope). https://dev.to/depscope https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3881381%2F8bd7bbb3-1ff8-4a41-adf9-c4d99a9dd96a.jpg DEV Community: Vincenzo Rubino https://dev.to/depscope en I Built a Free API That Checks Package Health for AI Agents Vincenzo Rubino Thu, 16 Apr 2026 00:23:30 +0000 https://dev.to/depscope/i-built-a-free-api-that-checks-package-health-for-ai-agents-3ip8 https://dev.to/depscope/i-built-a-free-api-that-checks-package-health-for-ai-agents-3ip8 <h2> The Problem </h2> <p>AI coding agents (Claude Code, Cursor, Copilot) regularly suggest packages that are:</p> <ul> <li> <strong>Deprecated</strong> without knowing it</li> <li> <strong>Vulnerable</strong> to known CVEs</li> <li> <strong>Abandoned</strong> with no maintainer activity for years</li> </ul> <p>Every agent hits the npm registry, PyPI, and vulnerability databases independently. Millions of redundant requests for the same data.</p> <h2> The Solution: DepScope </h2> <p><strong>DepScope</strong> aggregates package data from registries and vulnerability databases <strong>once</strong>, then serves it to any agent (or human) instantly.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl https://depscope.dev/api/check/npm/express </code></pre> </div> <p>Returns:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"package"</span><span class="p">:</span><span class="w"> </span><span class="s2">"express"</span><span class="p">,</span><span class="w"> </span><span class="nl">"latest_version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"5.2.1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"health"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"score"</span><span class="p">:</span><span class="w"> </span><span class="mi">85</span><span class="p">,</span><span class="w"> </span><span class="nl">"risk"</span><span class="p">:</span><span class="w"> </span><span class="s2">"low"</span><span class="p">,</span><span class="w"> </span><span class="nl">"breakdown"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"maintenance"</span><span class="p">:</span><span class="w"> </span><span class="mi">25</span><span class="p">,</span><span class="w"> </span><span class="nl">"security"</span><span class="p">:</span><span class="w"> </span><span class="mi">25</span><span class="p">,</span><span class="w"> </span><span class="nl">"popularity"</span><span class="p">:</span><span class="w"> </span><span class="mi">20</span><span class="p">,</span><span class="w"> </span><span class="nl">"maturity"</span><span class="p">:</span><span class="w"> </span><span class="mi">15</span><span class="p">,</span><span class="w"> </span><span class="nl">"community"</span><span class="p">:</span><span class="w"> </span><span class="mi">10</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"vulnerabilities"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"count"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"recommendation"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"safe_to_use"</span><span class="p">,</span><span class="w"> </span><span class="nl">"summary"</span><span class="p">:</span><span class="w"> </span><span class="s2">"express@5.2.1 is safe to use (health: 85/100)"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Features </h2> <h3> Check any package </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># npm</span> curl https://depscope.dev/api/check/npm/express <span class="c"># PyPI</span> curl https://depscope.dev/api/check/pypi/django <span class="c"># Cargo</span> curl https://depscope.dev/api/check/cargo/tokio </code></pre> </div> <h3> Compare packages side by side </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl https://depscope.dev/api/compare/npm/express,fastify,hono </code></pre> </div> <p>Returns a ranked comparison:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Package</th> <th>Health</th> <th>Vulns</th> <th>Downloads/week</th> </tr> </thead> <tbody> <tr> <td><strong>fastify</strong></td> <td>92/100</td> <td>0</td> <td>5.2M</td> </tr> <tr> <td>hono</td> <td>88/100</td> <td>0</td> <td>1.8M</td> </tr> <tr> <td>express</td> <td>85/100</td> <td>0</td> <td>35M</td> </tr> </tbody> </table></div> <h3> Scan an entire project </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> POST https://depscope.dev/api/scan <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"ecosystem":"npm","packages":{"express":"*","lodash":"*","axios":"*"}}'</span> </code></pre> </div> <p>Returns project risk level + per-package audit:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"project_risk"</span><span class="p">:</span><span class="w"> </span><span class="s2">"low"</span><span class="p">,</span><span class="w"> </span><span class="nl">"packages_scanned"</span><span class="p">:</span><span class="w"> </span><span class="mi">3</span><span class="p">,</span><span class="w"> </span><span class="nl">"packages"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"package"</span><span class="p">:</span><span class="w"> </span><span class="s2">"express"</span><span class="p">,</span><span class="w"> </span><span class="nl">"health_score"</span><span class="p">:</span><span class="w"> </span><span class="mi">85</span><span class="p">,</span><span class="w"> </span><span class="nl">"vulnerabilities"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"count"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"package"</span><span class="p">:</span><span class="w"> </span><span class="s2">"lodash"</span><span class="p">,</span><span class="w"> </span><span class="nl">"health_score"</span><span class="p">:</span><span class="w"> </span><span class="mi">88</span><span class="p">,</span><span class="w"> </span><span class="nl">"vulnerabilities"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"count"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"package"</span><span class="p">:</span><span class="w"> </span><span class="s2">"axios"</span><span class="p">,</span><span class="w"> </span><span class="nl">"health_score"</span><span class="p">:</span><span class="w"> </span><span class="mi">82</span><span class="p">,</span><span class="w"> </span><span class="nl">"vulnerabilities"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"count"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Quick endpoints </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Health score only (fast)</span> curl https://depscope.dev/api/health/npm/react <span class="c"># Vulnerabilities only</span> curl https://depscope.dev/api/vulns/npm/lodash <span class="c"># Version info only</span> curl https://depscope.dev/api/versions/pypi/fastapi </code></pre> </div> <h2> Health Score Algorithm </h2> <p>The score (0-100) is calculated from 5 signals. No AI, no LLM — pure algorithm, runs in milliseconds:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Signal</th> <th>Max Points</th> <th>How it's calculated</th> </tr> </thead> <tbody> <tr> <td><strong>Maintenance</strong></td> <td>25</td> <td>Days since last release. &lt;30d = 25pts, &lt;90d = 20pts, &lt;180d = 15pts</td> </tr> <tr> <td><strong>Security</strong></td> <td>25</td> <td>Known CVEs from OSV database, filtered to latest version only</td> </tr> <tr> <td><strong>Popularity</strong></td> <td>20</td> <td>Weekly downloads from registry. &gt;10M = 20pts, &gt;1M = 17pts</td> </tr> <tr> <td><strong>Maturity</strong></td> <td>15</td> <td>Total version count. &gt;50 = 15pts, &gt;20 = 12pts</td> </tr> <tr> <td><strong>Community</strong></td> <td>15</td> <td>Number of active maintainers + GitHub stars</td> </tr> </tbody> </table></div> <p>The key innovation: <strong>we only show vulnerabilities that affect the latest version</strong>. Django went from 272 "vulnerabilities" (historical noise) to just 1 that actually matters.</p> <h2> How It Works Under the Hood </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Agent asks "is express safe?" │ ▼ DepScope checks Redis cache │ Cache hit? ──yes──▶ Return in 0ms │ no │ ▼ Fetch from npm registry ─────────────┐ Fetch from OSV (vulnerabilities) ─────┤ Fetch downloads from npm API ─────────┤ │ │ ▼ │ Calculate health score ◀──────────────┘ │ ▼ Cache in Redis (1 hour TTL) Save to PostgreSQL (permanent) │ ▼ Return full report </code></pre> </div> <p>We pre-process the <strong>top 272 most popular packages</strong> every 6 hours, so most requests are served from cache instantly.</p> <h2> For AI Agents </h2> <p>DepScope is designed to be called by AI agents before they suggest any package installation.</p> <h3> Direct API (any agent with HTTP access) </h3> <p>Any AI agent that can make HTTP requests can use DepScope:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">GET https://depscope.dev/api/check/npm/express </span></code></pre> </div> <p>No auth. No API key. No signup. Just call it.</p> <h3> ChatGPT / OpenAI Actions </h3> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">https://depscope.dev/.well-known/ai-plugin.json</span><span class="w"> </span></code></pre> </div> <h3> OpenAPI Spec (Swagger) </h3> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">https://depscope.dev/openapi.json</span><span class="w"> </span></code></pre> </div> <p>Interactive docs at <a href="https://depscope.dev/docs" rel="noopener noreferrer">depscope.dev/docs</a></p> <h3> MCP Server (Claude Code, Cursor, Windsurf) </h3> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"mcpServers"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"depscope"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="s2">"npx"</span><span class="p">,</span><span class="w"> </span><span class="nl">"args"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"depscope-mcp"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>GitHub: <a href="https://github.com/vincenzorubino27031980/depscope-mcp" rel="noopener noreferrer">depscope-mcp</a></p> <h2> Real Examples </h2> <h3> Express.js </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>curl <span class="nt">-s</span> https://depscope.dev/api/check/npm/express | jq <span class="s1">'.recommendation'</span> <span class="o">{</span> <span class="s2">"action"</span>: <span class="s2">"safe_to_use"</span>, <span class="s2">"summary"</span>: <span class="s2">"express@5.2.1 is safe to use (health: 85/100)"</span> <span class="o">}</span> </code></pre> </div> <h3> Comparing web frameworks </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>curl <span class="nt">-s</span> https://depscope.dev/api/compare/npm/express,fastify,hono | jq <span class="s1">'.winner'</span> <span class="s2">"fastify"</span> </code></pre> </div> <h3> A deprecated package </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>curl <span class="nt">-s</span> https://depscope.dev/api/check/npm/request | jq <span class="s1">'.recommendation'</span> <span class="o">{</span> <span class="s2">"action"</span>: <span class="s2">"find_alternative"</span>, <span class="s2">"issues"</span>: <span class="o">[</span><span class="s2">"Package is deprecated"</span><span class="o">]</span>, <span class="s2">"summary"</span>: <span class="s2">"request is deprecated — find an alternative package"</span> <span class="o">}</span> </code></pre> </div> <h2> Why Free? </h2> <p>We believe package intelligence should be infrastructure, not a premium feature.</p> <p>The idea is simple: <strong>we do the heavy lifting once, so every AI agent benefits</strong>. Instead of millions of agents independently hitting npm + PyPI + OSV + GitHub, we aggregate it all and serve cached results in milliseconds.</p> <p>272 packages pre-cached. 3 ecosystems. Zero cost to use.</p> <h2> Try It </h2> <ul> <li> <strong>Website:</strong> <a href="https://depscope.dev" rel="noopener noreferrer">depscope.dev</a> </li> <li> <strong>API Docs:</strong> <a href="https://depscope.dev/api-docs" rel="noopener noreferrer">depscope.dev/api-docs</a> </li> <li> <strong>Swagger:</strong> <a href="https://depscope.dev/docs" rel="noopener noreferrer">depscope.dev/docs</a> </li> <li> <strong>Live Stats:</strong> <a href="https://depscope.dev/stats" rel="noopener noreferrer">depscope.dev/stats</a> </li> <li> <strong>MCP Server:</strong> <a href="https://github.com/vincenzorubino27031980/depscope-mcp" rel="noopener noreferrer">GitHub</a> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Try it right now</span> curl https://depscope.dev/api/check/npm/express </code></pre> </div> <p><em>Built by <a href="https://cuttalo.com" rel="noopener noreferrer">Cuttalo srl</a> with FastAPI + PostgreSQL + Redis on a single VM. Feedback welcome at <a href="mailto:depscope@cuttalo.com">depscope@cuttalo.com</a></em></p> api npm python ai