Dependency Audit — CVE, License & EOL Check for AI
Pricing
from $1.40 / 1,000 results
Dependency Audit — CVE, License & EOL Check for AI
Audit any software dependency for vulnerabilities (CVE), license, deprecation, end-of-life and health scores in one call. Supports npm, PyPI, crates, Go, Maven, NuGet, RubyGems. Supply-chain security grounding for AI coding agents & SCA.
Pricing
from $1.40 / 1,000 results
Rating
0.0
(0)
Developer
Haketa
Maintained by CommunityActor stats
0
Bookmarked
2
Total users
1
Monthly active users
3 days ago
Last modified
Categories
Share
Dependency Audit — CVE, License, Deprecation & EOL for AI Agents
Audit any software dependency in one call. Give this Actor a list of packages and it returns, for each one: known vulnerabilities (CVE) with severity, license, whether it's outdated or deprecated, end-of-life status, an OpenSSF health score, GitHub stars — plus a clean Markdown audit report.
Supports npm, PyPI, crates.io, Go, Maven, NuGet and RubyGems. Built for AI coding agents, supply-chain security (SCA), and dependency review. No API key, no setup.
Why this Actor?
Coding agents and developers constantly need to answer: "Is this package safe to add? Is my version vulnerable? Is it still maintained?" That data is scattered across vulnerability databases, package registries, scorecards and end-of-life trackers — and an LLM's training data is months out of date on all of it. New CVEs land daily.
This Actor consolidates it. Point it at a package (or a whole lockfile's worth) and get back a single, current, structured verdict — the exact grounding an AI agent needs before it recommends or upgrades a dependency.
- AI coding agents — a tool the agent calls on every "add/upgrade this package" decision to check for CVEs, license and maintenance.
- Supply-chain security (SCA) — screen a dependency list for known vulnerabilities and risky licenses.
- Dependency review in CI — audit what a PR adds or bumps.
- Tech-debt & maintenance — find deprecated, outdated or end-of-life dependencies across a project.
Because it merges several sources, one call gives you what would otherwise take five.
What you get
For every package, one record:
| Field | Description |
|---|---|
package | ecosystem:name@version |
ecosystem, name, version | Identity |
latestVersion | Latest available version |
isOutdated | Whether a newer version exists |
isDeprecated | Whether the package/version is deprecated |
license | License(s) |
riskLevel | none / low / medium / high / critical |
vulnerabilityCount | Number of known vulnerabilities |
maxSeverity | Highest severity found |
vulnerabilities | Full list: CVE, severity, title, link |
scorecardScore | OpenSSF Scorecard (0–10) |
stars | GitHub stars |
repo | Source repository |
eolStatus | End-of-life status (for known runtimes/frameworks) |
downloads | Monthly downloads (optional, npm/PyPI) |
markdown | A ready-to-read audit report |
scrapedAt | Timestamp |
Example output
{"package": "npm:lodash@4.17.15","ecosystem": "npm","name": "lodash","version": "4.17.15","latestVersion": "4.17.21","isOutdated": "true","isDeprecated": "false","license": "MIT","riskLevel": "high","vulnerabilityCount": "6","maxSeverity": "HIGH","vulnerabilities": [{ "cve": "CVE-2021-23337", "severity": "HIGH", "title": "Command Injection in lodash", "url": "https://osv.dev/vulnerability/GHSA-35jh-r3h4-6jhm" }],"scorecardScore": "7.7","stars": "61240","markdown": "# lodash@4.17.15 (npm)\n\n**License:** MIT · **Latest:** 4.17.21 ⚠️ outdated · ...","scrapedAt": "2026-07-06T15:00:00.000Z"}
A clean, current package returns riskLevel: "none", vulnerabilityCount: "0".
Input
| Field | Type | Default | Description |
|---|---|---|---|
packages | array | — | Required. Packages to audit. |
ecosystem | string | npm | Default ecosystem for packages without a prefix. |
includeScorecard | boolean | true | Fetch OpenSSF Scorecard + GitHub stars. |
includeDownloads | boolean | false | Fetch monthly downloads (npm/PyPI). |
Package format
Each entry can be:
"express"— latest version, default ecosystem"express@4.18.2"— a specific version"pypi:django@3.0.0"— an explicit ecosystem"@babel/core@7.0.0"— scoped npm packages work too
Ecosystems: npm, pypi, cargo, go, maven, nuget, rubygems (aliases like pip, crates, gem are accepted).
Example input
{"packages": ["express@4.18.2","lodash@4.17.15","pypi:django@3.0.0","cargo:tokio@1.0.0","react"],"includeScorecard": true}
Risk levels
riskLevel reflects the most severe issue found:
- critical / high / medium / low — driven by the highest-severity known vulnerability (by CVSS).
- low — also used when there are no CVEs but the package is deprecated or end-of-life.
- none — no known vulnerabilities, not deprecated, not EOL.
Always read vulnerabilities, isDeprecated and eolStatus together for the full picture.
Use cases in detail
1. AI coding agents
Wire this in as a tool so your agent checks a package before recommending it: "should I use axios@0.21?" → the agent sees the CVE and suggests a safe version instead. Every import/require suggestion can be grounded in current data.
2. Supply-chain security / SCA
Feed a whole dependency list in one run and triage by riskLevel. Route high/critical to a human or block the build.
3. CI dependency review
On each PR, audit the added or upgraded packages and comment the vulnerabilities, license changes and deprecations back on the PR.
4. Tech-debt sweeps
List every dependency in a project and find the deprecated, end-of-life or badly-outdated ones to prioritise upgrades.
5. License compliance
The license field lets you flag copyleft or non-standard licenses across your dependency tree.
How to use it
- Click Try for free.
- Paste your packages into
packages. - Click Start.
- Read the results as JSON, CSV, Excel, or via the Apify API.
Audits run in parallel — a hundred packages finish in seconds.
Calling from the API
curl -X POST "https://api.apify.com/v2/acts/YOUR_ACTOR_ID/runs?token=YOUR_APIFY_TOKEN" \-H "Content-Type: application/json" \-d '{ "packages": ["express@4.18.2", "lodash@4.17.15", "pypi:django@3.0.0"] }'
Then fetch the dataset:
$curl "https://api.apify.com/v2/acts/YOUR_ACTOR_ID/runs/last/dataset/items?token=YOUR_APIFY_TOKEN"
Works with webhooks, Zapier, Make and n8n — wire it straight into CI or an agent workflow.
Frequently asked questions
Which ecosystems are supported? npm, PyPI, crates.io, Go, Maven, NuGet and RubyGems.
Where do the vulnerabilities come from? Public vulnerability and package databases are merged so each package gets CVEs, license, deprecation, scorecard and EOL in one record. Data is fetched live, so it reflects newly-published advisories.
What if I don't specify a version? The Actor audits the latest version and tells you what it is.
Does it handle scoped npm packages?
Yes — @babel/core@7.0.0 works.
What is the health score? The OpenSSF Scorecard (0–10), a widely-used measure of a project's security practices, plus GitHub stars for popularity.
Is EOL available for every package? End-of-life is reported for well-known runtimes and frameworks (Node, Python, Django, Rails, React, …). For other packages the field is empty.
Can an AI agent call this automatically? Yes — it's keyless and returns structured JSON, ideal as an agent/MCP tool.
Tips
- Audit whole lockfiles. Paste every dependency at once — it's far faster than one-by-one and gives you a single risk view.
- Pin the version you actually ship. Auditing
name@versionis precise; auditing justnamechecks the latest. - Use
riskLevelto gate. Sort or filter by it to surface the packages that need action first. - Keep the CVE links. Each vulnerability has a URL for the full advisory.
Notes
This Actor aggregates publicly available security and package metadata for informational and tooling purposes. Vulnerability data can lag real-world disclosure, and absence of a known CVE is not a guarantee of safety. Treat results as one input to your security process, not a substitute for a full security review. Verify critical findings against the official advisory.
Support
Want another ecosystem, deeper vulnerability detail, or an extra field? Open an issue from the Actor's page. Ship secure.