Dependency Audit — CVE, License & EOL Check for AI avatar

Dependency Audit — CVE, License & EOL Check for AI

Pricing

from $1.40 / 1,000 results

Go to Apify Store
Dependency Audit — CVE, License & EOL Check for AI

Dependency Audit — CVE, License & EOL Check for AI

Audit any software dependency for vulnerabilities (CVE), license, deprecation, end-of-life and health scores in one call. Supports npm, PyPI, crates, Go, Maven, NuGet, RubyGems. Supply-chain security grounding for AI coding agents & SCA.

Pricing

from $1.40 / 1,000 results

Rating

0.0

(0)

Developer

Haketa

Haketa

Maintained by Community

Actor stats

0

Bookmarked

2

Total users

1

Monthly active users

3 days ago

Last modified

Share

Dependency Audit — CVE, License, Deprecation & EOL for AI Agents

Audit any software dependency in one call. Give this Actor a list of packages and it returns, for each one: known vulnerabilities (CVE) with severity, license, whether it's outdated or deprecated, end-of-life status, an OpenSSF health score, GitHub stars — plus a clean Markdown audit report.

Supports npm, PyPI, crates.io, Go, Maven, NuGet and RubyGems. Built for AI coding agents, supply-chain security (SCA), and dependency review. No API key, no setup.


Why this Actor?

Coding agents and developers constantly need to answer: "Is this package safe to add? Is my version vulnerable? Is it still maintained?" That data is scattered across vulnerability databases, package registries, scorecards and end-of-life trackers — and an LLM's training data is months out of date on all of it. New CVEs land daily.

This Actor consolidates it. Point it at a package (or a whole lockfile's worth) and get back a single, current, structured verdict — the exact grounding an AI agent needs before it recommends or upgrades a dependency.

  • AI coding agents — a tool the agent calls on every "add/upgrade this package" decision to check for CVEs, license and maintenance.
  • Supply-chain security (SCA) — screen a dependency list for known vulnerabilities and risky licenses.
  • Dependency review in CI — audit what a PR adds or bumps.
  • Tech-debt & maintenance — find deprecated, outdated or end-of-life dependencies across a project.

Because it merges several sources, one call gives you what would otherwise take five.


What you get

For every package, one record:

FieldDescription
packageecosystem:name@version
ecosystem, name, versionIdentity
latestVersionLatest available version
isOutdatedWhether a newer version exists
isDeprecatedWhether the package/version is deprecated
licenseLicense(s)
riskLevelnone / low / medium / high / critical
vulnerabilityCountNumber of known vulnerabilities
maxSeverityHighest severity found
vulnerabilitiesFull list: CVE, severity, title, link
scorecardScoreOpenSSF Scorecard (0–10)
starsGitHub stars
repoSource repository
eolStatusEnd-of-life status (for known runtimes/frameworks)
downloadsMonthly downloads (optional, npm/PyPI)
markdownA ready-to-read audit report
scrapedAtTimestamp

Example output

{
"package": "npm:lodash@4.17.15",
"ecosystem": "npm",
"name": "lodash",
"version": "4.17.15",
"latestVersion": "4.17.21",
"isOutdated": "true",
"isDeprecated": "false",
"license": "MIT",
"riskLevel": "high",
"vulnerabilityCount": "6",
"maxSeverity": "HIGH",
"vulnerabilities": [
{ "cve": "CVE-2021-23337", "severity": "HIGH", "title": "Command Injection in lodash", "url": "https://osv.dev/vulnerability/GHSA-35jh-r3h4-6jhm" }
],
"scorecardScore": "7.7",
"stars": "61240",
"markdown": "# lodash@4.17.15 (npm)\n\n**License:** MIT · **Latest:** 4.17.21 ⚠️ outdated · ...",
"scrapedAt": "2026-07-06T15:00:00.000Z"
}

A clean, current package returns riskLevel: "none", vulnerabilityCount: "0".


Input

FieldTypeDefaultDescription
packagesarrayRequired. Packages to audit.
ecosystemstringnpmDefault ecosystem for packages without a prefix.
includeScorecardbooleantrueFetch OpenSSF Scorecard + GitHub stars.
includeDownloadsbooleanfalseFetch monthly downloads (npm/PyPI).

Package format

Each entry can be:

  • "express" — latest version, default ecosystem
  • "express@4.18.2" — a specific version
  • "pypi:django@3.0.0" — an explicit ecosystem
  • "@babel/core@7.0.0" — scoped npm packages work too

Ecosystems: npm, pypi, cargo, go, maven, nuget, rubygems (aliases like pip, crates, gem are accepted).

Example input

{
"packages": [
"express@4.18.2",
"lodash@4.17.15",
"pypi:django@3.0.0",
"cargo:tokio@1.0.0",
"react"
],
"includeScorecard": true
}

Risk levels

riskLevel reflects the most severe issue found:

  • critical / high / medium / low — driven by the highest-severity known vulnerability (by CVSS).
  • low — also used when there are no CVEs but the package is deprecated or end-of-life.
  • none — no known vulnerabilities, not deprecated, not EOL.

Always read vulnerabilities, isDeprecated and eolStatus together for the full picture.


Use cases in detail

1. AI coding agents

Wire this in as a tool so your agent checks a package before recommending it: "should I use axios@0.21?" → the agent sees the CVE and suggests a safe version instead. Every import/require suggestion can be grounded in current data.

2. Supply-chain security / SCA

Feed a whole dependency list in one run and triage by riskLevel. Route high/critical to a human or block the build.

3. CI dependency review

On each PR, audit the added or upgraded packages and comment the vulnerabilities, license changes and deprecations back on the PR.

4. Tech-debt sweeps

List every dependency in a project and find the deprecated, end-of-life or badly-outdated ones to prioritise upgrades.

5. License compliance

The license field lets you flag copyleft or non-standard licenses across your dependency tree.


How to use it

  1. Click Try for free.
  2. Paste your packages into packages.
  3. Click Start.
  4. Read the results as JSON, CSV, Excel, or via the Apify API.

Audits run in parallel — a hundred packages finish in seconds.


Calling from the API

curl -X POST "https://api.apify.com/v2/acts/YOUR_ACTOR_ID/runs?token=YOUR_APIFY_TOKEN" \
-H "Content-Type: application/json" \
-d '{ "packages": ["express@4.18.2", "lodash@4.17.15", "pypi:django@3.0.0"] }'

Then fetch the dataset:

$curl "https://api.apify.com/v2/acts/YOUR_ACTOR_ID/runs/last/dataset/items?token=YOUR_APIFY_TOKEN"

Works with webhooks, Zapier, Make and n8n — wire it straight into CI or an agent workflow.


Frequently asked questions

Which ecosystems are supported? npm, PyPI, crates.io, Go, Maven, NuGet and RubyGems.

Where do the vulnerabilities come from? Public vulnerability and package databases are merged so each package gets CVEs, license, deprecation, scorecard and EOL in one record. Data is fetched live, so it reflects newly-published advisories.

What if I don't specify a version? The Actor audits the latest version and tells you what it is.

Does it handle scoped npm packages? Yes — @babel/core@7.0.0 works.

What is the health score? The OpenSSF Scorecard (0–10), a widely-used measure of a project's security practices, plus GitHub stars for popularity.

Is EOL available for every package? End-of-life is reported for well-known runtimes and frameworks (Node, Python, Django, Rails, React, …). For other packages the field is empty.

Can an AI agent call this automatically? Yes — it's keyless and returns structured JSON, ideal as an agent/MCP tool.


Tips

  • Audit whole lockfiles. Paste every dependency at once — it's far faster than one-by-one and gives you a single risk view.
  • Pin the version you actually ship. Auditing name@version is precise; auditing just name checks the latest.
  • Use riskLevel to gate. Sort or filter by it to surface the packages that need action first.
  • Keep the CVE links. Each vulnerability has a URL for the full advisory.

Notes

This Actor aggregates publicly available security and package metadata for informational and tooling purposes. Vulnerability data can lag real-world disclosure, and absence of a known CVE is not a guarantee of safety. Treat results as one input to your security process, not a substitute for a full security review. Verify critical findings against the official advisory.


Support

Want another ecosystem, deeper vulnerability detail, or an extra field? Open an issue from the Actor's page. Ship secure.