Understand your dependencies

Your software and your users rely not only on the code you write, but also on the code your code depends on, the code that code depends on, and so on. An accurate view of the complete dependency graph is critical to understanding the state of your project. And it’s not just code: you need to know about security vulnerabilities, licenses, recent releases, and more.

npm: 3.45M packages
Go: 1.31M modules
Maven: 687k artifacts
PyPI: 594k packages
NuGet: 444k packages
Cargo: 177k crates

New features in the deps.dev API

The deps.dev API, which provides free access to the data that powers this website, now has experimental batch and purl support, as well as a new version that comes with a stability guarantee and deprecation policy.

Learn more about the new features on our blog, or get started with the API documentation and code examples.

BigQuery Public Dataset

The data that powers this website is now also available as part of the Google Cloud Public Dataset Program, and can be explored using BigQuery.

For more information, please check out the dataset on the Google Cloud Platform Marketplace, or have a look at the schema documentation.

Introducing NuGet (.NET) support

NuGet dependency requirements and version metadata are now available through the deps.dev API, BigQuery dataset and website. This includes direct security advisories, licenses and more.

You can read all about it in our blog.

SLSA provenance support

We are excited to announce that deps.dev now shows provenance information for npm packages to provide more information and improve trust for software consumers.

Visit a package's page to view provenance information, or read all about it on our blog.

Seeing the big picture can be difficult—but it shouldn’t be

The Open Source Insights page for each package shows the full dependency graph and updates it every day. The information provided can help you make informed decisions about using, building, and maintaining your software.

With Open Source Insights, you can actually see the dependency graph for a package, then isolate the paths to a particular dependency. Or see whether a vulnerability in a dependency might affect your code. Or compare two versions of a package to see how the dependencies have changed in a new release.

How it works

The service repeatedly examines sites such as github.com, npmjs.com, and pkg.go.dev to find up-to-date information about open source software packages. Using that information, it builds the full dependency graph for each package from scratch, not just from package lock files, connecting it to the packages it depends on and to those that depend on it. It then does it all again to keep the information fresh. This transitive dependency graph allows problems in any package to be made visible to the owners and users of any software they affect.
