npm Package Health Score API — Dependency Risk Scorer
Pricing
from $6.00 / 1,000 results
npm Package Health Score API — Dependency Risk Scorer
npm package health score API. Rate any npm dependency 0-100 with a letter grade from keyless public signals: downloads, release recency & cadence, maintainers, license, deprecation, deps. One row per package with top risks. Keyless. A clean MCP tool for AI coding agents.
Pricing
from $6.00 / 1,000 results
Rating
0.0
(0)
Developer
Kyle Maloney
Maintained by CommunityActor stats
0
Bookmarked
1
Total users
0
Monthly active users
3 days ago
Last modified
Categories
Share
Score the health of any npm package from 0 to 100 with a letter grade, using
only keyless, public signals. Give it a list of package names and get back one
clean, structured row per package — a composite health_score, a grade, the
biggest top_risks, and every underlying signal — so engineers and AI coding
agents can decide whether a dependency is safe to adopt.
No API key. No login. No GitHub token required.
Who it's for
- Engineering & platform teams vetting a new dependency before
npm install, or auditing an existingpackage.jsonfor stale / risky packages. - Security & supply-chain reviewers who need a fast, repeatable risk signal (deprecation, single-maintainer bus-factor, abandoned packages, heavy dependency surface).
- AI coding agents (Claude, Cursor, Copilot-style tools) that need a callable tool to judge a package before recommending or installing it. See "Use as an MCP tool" below.
- Tech-radar / SRE / OSS-program-office dashboards tracking the health of the libraries you depend on.
Data sources (all keyless, official)
- npm registry —
https://registry.npmjs.org/<package>(versions, publish timestamps, maintainers, license, deprecation, dependencies). - npm downloads API —
https://api.npmjs.org/downloads/range/last-month/<package>(last-30-day download counts + momentum).
Example input
{"packages": ["express", "lodash", "left-pad", "@babel/core"],"includeTrend": true}
You can also score a single package with { "package": "react" }, or paste a
comma-separated string into packages.
Output fields (one row per package)
| Field | Meaning |
|---|---|
package | Package name scored |
latest_version | Version tagged latest |
health_score | Composite 0–100 (null if not found) |
grade | A / B / C / D / F |
last_publish_date | Latest publish (YYYY-MM-DD) |
days_since_publish | Days since the latest release |
publishes_last_2y | Release cadence over 2 years |
downloads_last_month | Total downloads, last 30 days |
download_trend_pct | Momentum: 2nd-half vs 1st-half of last 30 days |
maintainers | Registered maintainer count |
license | Declared SPDX license (or null) |
deprecated | True if the latest version is deprecated |
dependencies_count | Runtime dependencies of the latest version |
top_risks | Array of the biggest risks detected |
rationale | One-line human summary of positives/negatives |
sub_scores | The eight weighted sub-scores |
source_url | npmjs.com page |
retrieved_at | ISO timestamp of the scoring run |
How the score is computed (weights)
The composite is a weighted average of eight 0–100 sub-scores:
| Signal | Weight | Rewards |
|---|---|---|
download_volume | 25% | High last-month downloads (log-scaled) |
release_recency | 20% | A recent publish (fresh in the last 30 days = 100; 2+ years stale = 0) |
release_cadence | 15% | Regular releases (~8 in 2 years saturates to 100) |
download_trend | 10% | Growing, not declining, downloads |
maintainer_count | 10% | More than one maintainer (bus-factor) |
license | 10% | A declared, permissive license |
version_maturity | 5% | A >= 1.0.0 release |
dependency_count | 5% | Fewer runtime dependencies |
Deprecation is a hard penalty: any package whose latest version is marked
deprecated on npm is capped at a score of 20 (grade F), regardless of its
other signals.
Grade thresholds: A ≥ 85 · B ≥ 70 · C ≥ 55 · D ≥ 40 · F < 40.
Use as an MCP tool
This Actor is a prime tool for AI agents. Exposed through
mcp.apify.com, an agent can call it to score a dependency
it's about to recommend or install. The input is a simple list of package names
and every output field carries a description, so the model can read
health_score, grade, deprecated, and top_risks directly and chain the
result into a decision ("is this package safe to add?"). Pair it with a
lockfile/SBOM tool to score an entire dependency tree.
FAQ
How do I check if an npm package is healthy or safe to use?
Pass the package name; read health_score, grade, and top_risks. Low scores
flag stale, deprecated, single-maintainer, or low-adoption packages.
How do I detect deprecated or abandoned npm packages?
deprecated: true marks npm-deprecated packages; a large days_since_publish
with publishes_last_2y: 0 flags abandoned ones. Both drag the score down.
Does it need a GitHub token or npm login? No. It only uses the public, keyless npm registry and downloads APIs.
Can it score scoped packages (@scope/name)?
Yes — scoped packages are fully supported.
Can an AI agent call this? Yes — it's designed as a chainable MCP tool (see above).
Pricing
Pay per result: one scored package = one dataset item. Empty runs cost only the tiny actor start. No hidden per-signal charges.