npm Package Health Score API — Dependency Risk Scorer avatar

npm Package Health Score API — Dependency Risk Scorer

Pricing

from $6.00 / 1,000 results

Go to Apify Store
npm Package Health Score API — Dependency Risk Scorer

npm Package Health Score API — Dependency Risk Scorer

npm package health score API. Rate any npm dependency 0-100 with a letter grade from keyless public signals: downloads, release recency & cadence, maintainers, license, deprecation, deps. One row per package with top risks. Keyless. A clean MCP tool for AI coding agents.

Pricing

from $6.00 / 1,000 results

Rating

0.0

(0)

Developer

Kyle Maloney

Kyle Maloney

Maintained by Community

Actor stats

0

Bookmarked

1

Total users

0

Monthly active users

3 days ago

Last modified

Share

Score the health of any npm package from 0 to 100 with a letter grade, using only keyless, public signals. Give it a list of package names and get back one clean, structured row per package — a composite health_score, a grade, the biggest top_risks, and every underlying signal — so engineers and AI coding agents can decide whether a dependency is safe to adopt.

No API key. No login. No GitHub token required.

Who it's for

  • Engineering & platform teams vetting a new dependency before npm install, or auditing an existing package.json for stale / risky packages.
  • Security & supply-chain reviewers who need a fast, repeatable risk signal (deprecation, single-maintainer bus-factor, abandoned packages, heavy dependency surface).
  • AI coding agents (Claude, Cursor, Copilot-style tools) that need a callable tool to judge a package before recommending or installing it. See "Use as an MCP tool" below.
  • Tech-radar / SRE / OSS-program-office dashboards tracking the health of the libraries you depend on.

Data sources (all keyless, official)

  • npm registryhttps://registry.npmjs.org/<package> (versions, publish timestamps, maintainers, license, deprecation, dependencies).
  • npm downloads APIhttps://api.npmjs.org/downloads/range/last-month/<package> (last-30-day download counts + momentum).

Example input

{
"packages": ["express", "lodash", "left-pad", "@babel/core"],
"includeTrend": true
}

You can also score a single package with { "package": "react" }, or paste a comma-separated string into packages.

Output fields (one row per package)

FieldMeaning
packagePackage name scored
latest_versionVersion tagged latest
health_scoreComposite 0–100 (null if not found)
gradeA / B / C / D / F
last_publish_dateLatest publish (YYYY-MM-DD)
days_since_publishDays since the latest release
publishes_last_2yRelease cadence over 2 years
downloads_last_monthTotal downloads, last 30 days
download_trend_pctMomentum: 2nd-half vs 1st-half of last 30 days
maintainersRegistered maintainer count
licenseDeclared SPDX license (or null)
deprecatedTrue if the latest version is deprecated
dependencies_countRuntime dependencies of the latest version
top_risksArray of the biggest risks detected
rationaleOne-line human summary of positives/negatives
sub_scoresThe eight weighted sub-scores
source_urlnpmjs.com page
retrieved_atISO timestamp of the scoring run

How the score is computed (weights)

The composite is a weighted average of eight 0–100 sub-scores:

SignalWeightRewards
download_volume25%High last-month downloads (log-scaled)
release_recency20%A recent publish (fresh in the last 30 days = 100; 2+ years stale = 0)
release_cadence15%Regular releases (~8 in 2 years saturates to 100)
download_trend10%Growing, not declining, downloads
maintainer_count10%More than one maintainer (bus-factor)
license10%A declared, permissive license
version_maturity5%A >= 1.0.0 release
dependency_count5%Fewer runtime dependencies

Deprecation is a hard penalty: any package whose latest version is marked deprecated on npm is capped at a score of 20 (grade F), regardless of its other signals.

Grade thresholds: A ≥ 85 · B ≥ 70 · C ≥ 55 · D ≥ 40 · F < 40.

Use as an MCP tool

This Actor is a prime tool for AI agents. Exposed through mcp.apify.com, an agent can call it to score a dependency it's about to recommend or install. The input is a simple list of package names and every output field carries a description, so the model can read health_score, grade, deprecated, and top_risks directly and chain the result into a decision ("is this package safe to add?"). Pair it with a lockfile/SBOM tool to score an entire dependency tree.

FAQ

How do I check if an npm package is healthy or safe to use? Pass the package name; read health_score, grade, and top_risks. Low scores flag stale, deprecated, single-maintainer, or low-adoption packages.

How do I detect deprecated or abandoned npm packages? deprecated: true marks npm-deprecated packages; a large days_since_publish with publishes_last_2y: 0 flags abandoned ones. Both drag the score down.

Does it need a GitHub token or npm login? No. It only uses the public, keyless npm registry and downloads APIs.

Can it score scoped packages (@scope/name)? Yes — scoped packages are fully supported.

Can an AI agent call this? Yes — it's designed as a chainable MCP tool (see above).

Pricing

Pay per result: one scored package = one dataset item. Empty runs cost only the tiny actor start. No hidden per-signal charges.