deps.dev Package Insights Scraper

Pricing

from $9.00 / 1,000 results

Look up any npm, PyPI, Cargo, Maven, Go, or NuGet package on Google deps.dev and pull its default version, license identifiers, known security advisories, dependency count, and publish date. Handy for license audits, supply chain inventories, and vetting a library before you adopt it.

Developer

ParseForge

Maintained by Community

📦 deps.dev Package Insights Scraper

🚀 Pull open source package intelligence in seconds. Resolve the default version, licenses, security advisories, dependency graph, and publish date for any npm, PyPI, Cargo, Maven, Go, or NuGet package using Google's deps.dev API.

🕒 Last updated: 2026-06-04 · 📊 18 fields per record · 6 ecosystems · Powered by Google Open Source Insights

The deps.dev Package Insights Scraper turns Google's Open Source Insights data into a clean, structured feed of package facts. Give it an ecosystem and a list of package names, and it returns the resolved default version, the full version count, license identifiers, known security advisory keys, the resolved dependency graph, and the original publish time for each package, plus one row per resolved dependency.

It covers the npm (Node.js), PyPI (Python), Cargo (Rust), Maven (Java), Go (modules), and NuGet (.NET) ecosystems. All data comes straight from the public deps.dev v3 API, the same data that powers the deps.dev website, with no API key and no scraping of rendered pages.

| 🎯 Target Audience | 💡 Primary Use Cases |
| --- | --- |
| Security and platform engineers | Auditing licenses and known advisories across a dependency list |
| Open source maintainers | Tracking version counts and publish cadence of packages |
| Data and supply chain teams | Building software bill of materials and dependency inventories |
| Developer tooling builders | Enriching package pages, dashboards, and internal catalogs |

📋 What the deps.dev Package Insights Scraper does

  • Looks up one or more packages in a chosen ecosystem (npm, PyPI, Cargo, Maven, Go, NuGet).
  • Resolves the default or latest version flagged by deps.dev.
  • Reports the total number of published versions for each package.
  • Returns SPDX license identifiers for the default version.
  • Lists known security advisory keys from OSV when the default version is affected.
  • Resolves the dependency graph and counts the resolved dependencies.
  • Emits one row per resolved dependency with its name, version, and relation.
  • Captures the homepage and source repository links and the original publish time.

⚙️ Input

The actor accepts an ecosystem and a list of package names. For Maven, names are written as group:artifact. For Go, use the full module path.

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| system | enum | Yes | Package ecosystem. One of npm, pypi, cargo, maven, go, nuget. |
| packages | array of strings | Yes | One or more package names in the chosen ecosystem. |
| maxItems | integer | No | Cap on output rows. Free plan is limited to 10. |

Example 1 — npm packages:

{
  "system": "npm",
  "packages": ["react", "express"],
  "maxItems": 10
}

Example 2 — Maven packages by group:artifact:

{
  "system": "maven",
  "packages": ["com.google.guava:guava", "org.apache.commons:commons-lang3"],
  "maxItems": 25
}

⚠️ Good to Know: For Maven, the package name must be group:artifact. For Go, use the full module path such as github.com/gin-gonic/gin. License and advisory fields reflect the resolved default version, so a package can show an empty advisory list even if older versions had advisories.

📊 Output

Each package produces one summary row, followed by one row per resolved dependency.

| Field | Description |
| --- | --- |
| 🧩 recordType | package for a summary row or dependency for a resolved dependency |
| 📦 name | Package name |
| 🌐 system | Ecosystem (npm, pypi, cargo, maven, go, nuget) |
| 🏷 defaultVersion | Resolved default or latest version |
| isDefaultVersion | Whether this is the default version |
| 🗑 isDeprecated | Whether the version is deprecated |
| 🔢 versionCount | Total published versions |
| ⚖️ licenses | SPDX license identifiers |
| 🛡 advisoryKeys | Known OSV advisory identifiers |
| 🔐 advisoryCount | Number of known advisories |
| 🔗 dependencyCount | Number of resolved dependencies |
| 🕒 publishedAt | Original publish timestamp |
| 🏠 homepage | Project homepage link |
| 💾 sourceRepo | Source repository link |
| 🔗 url | deps.dev package page |
| 👪 parentPackage | Parent package (dependency rows only) |
| 🔀 relation | Dependency relation such as DIRECT (dependency rows only) |
| 🕒 scrapedAt | Collection timestamp |
| error | Error message when a lookup fails |

Sample record 1 — npm react summary:

{
  "recordType": "package",
  "name": "react",
  "system": "npm",
  "defaultVersion": "19.2.7",
  "isDefaultVersion": true,
  "isDeprecated": false,
  "versionCount": 2821,
  "licenses": ["MIT"],
  "advisoryKeys": [],
  "advisoryCount": 0,
  "dependencyCount": 0,
  "publishedAt": "2026-06-01T18:00:48Z",
  "homepage": "https://react.dev/",
  "sourceRepo": "git+https://github.com/facebook/react.git",
  "url": "https://deps.dev/npm/react",
  "scrapedAt": "2026-06-04T19:46:33.940Z",
  "error": null
}

Sample record 2 — npm express summary:

{
  "recordType": "package",
  "name": "express",
  "system": "npm",
  "defaultVersion": "5.2.1",
  "isDefaultVersion": true,
  "isDeprecated": false,
  "versionCount": 288,
  "licenses": ["MIT"],
  "advisoryKeys": [],
  "advisoryCount": 0,
  "dependencyCount": 68,
  "publishedAt": "2025-12-01T20:49:43Z",
  "homepage": "https://expressjs.com/",
  "sourceRepo": "git+https://github.com/expressjs/express.git",
  "url": "https://deps.dev/npm/express",
  "scrapedAt": "2026-06-04T19:46:34.114Z",
  "error": null
}

Sample record 3 — a resolved dependency of express:

{
  "recordType": "dependency",
  "name": "accepts",
  "system": "npm",
  "defaultVersion": "2.0.0",
  "isDefaultVersion": false,
  "isDeprecated": false,
  "versionCount": null,
  "licenses": [],
  "advisoryKeys": [],
  "advisoryCount": null,
  "dependencyCount": null,
  "publishedAt": null,
  "homepage": null,
  "sourceRepo": null,
  "url": "https://deps.dev/npm/accepts",
  "parentPackage": "express",
  "relation": "DIRECT",
  "scrapedAt": "2026-06-04T19:46:34.139Z",
  "error": null
}
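
An added example, not ParseForge's code: a triage pass over rows in the output shape above that treats a dependency row's null advisoryCount and empty licenses as "not evaluated" rather than clean, and collects those names for a follow-up run. The rows are constructed (package names and the advisory key are placeholders), and the license allowlist is a hypothetical policy.

```python
import json

# Constructed sample rows in the actor's output shape (trimmed to the fields used).
SAMPLE = json.loads("""[
 {"recordType":"package","name":"express","system":"npm","defaultVersion":"5.2.1",
  "isDeprecated":false,"licenses":["MIT"],"advisoryKeys":[],"advisoryCount":0,"error":null},
 {"recordType":"dependency","name":"accepts","system":"npm","defaultVersion":"2.0.0",
  "isDeprecated":false,"licenses":[],"advisoryKeys":[],"advisoryCount":null,
  "parentPackage":"express","relation":"DIRECT","error":null},
 {"recordType":"package","name":"example-vuln-pkg","system":"npm","defaultVersion":"1.0.0",
  "isDeprecated":true,"licenses":["GPL-3.0-only"],"advisoryKeys":["GHSA-xxxx-xxxx-xxxx"],
  "advisoryCount":1,"error":null},
 {"recordType":"package","name":"example-missing-pkg","system":"npm","error":"lookup failed"}
]""")

ALLOWED = {"MIT", "Apache-2.0", "BSD-3-Clause", "ISC"}  # hypothetical allowlist


def triage(records, allowed=ALLOWED):
    """Return (findings, recheck): findings maps name -> list of issues,
    recheck lists dependency names that were never evaluated in detail."""
    findings, recheck = {}, []
    for r in records:
        name, issues = r.get("name", "?"), []
        if r.get("error"):
            issues.append("lookup-error")  # no data: never count as clean
        elif r.get("recordType") == "dependency":
            # Dependency rows carry only name/version/relation; a null
            # advisoryCount or empty licenses means "not fetched", not "none".
            if r.get("advisoryCount") is None:
                recheck.append(name)
                issues.append("not-evaluated")
        else:
            if r.get("advisoryCount"):
                issues.append("advisories:" + ",".join(r.get("advisoryKeys", [])))
            licenses = r.get("licenses") or []
            if not licenses:
                issues.append("license-unknown")
            elif not set(licenses) <= allowed:  # exact match; anything else needs review
                issues.append("license-not-allowed:" + ",".join(sorted(set(licenses) - allowed)))
            if r.get("isDeprecated"):
                issues.append("deprecated")
        if issues:
            findings[name] = issues
    return findings, recheck


if __name__ == "__main__":
    print(triage(SAMPLE))
```

Names in the recheck list can be submitted as packages in a second run to get full detail. That run reports each package's default version, which may differ from the version resolved in the parent's dependency graph.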

✨ Why choose this Actor

  • Six ecosystems from a single, consistent output shape.
  • License and advisory data sourced from Google Open Source Insights and OSV.
  • Resolved dependency graph, not just declared manifest ranges.
  • Keyless and free of rendered page scraping, so results are stable and fast.
  • Clean, flat records that drop straight into a catalog or audit pipeline.

📈 How it compares to alternatives

| Approach | License data | Advisories | Resolved deps | Multi ecosystem |
| --- | --- | --- | --- | --- |
| This Actor | Yes | Yes | Yes | npm, PyPI, Cargo, Maven, Go, NuGet |
| Per registry API by hand | Partial | Rarely | No | One per registry |
| Manual deps.dev browsing | Yes | Yes | Yes | Slow and not structured |

🚀 How to use

  1. Create a free Apify account using this sign-up link.
  2. Open the deps.dev Package Insights Scraper in the Apify Console.
  3. Choose an ecosystem under system and add package names under packages.
  4. Set maxItems if you want to cap the number of rows, then click Start.
  5. Download the results once the run finishes, or pull them from the dataset API.

💼 Business use cases

Security and compliance

| Need | How this helps |
| --- | --- |
| License audit | Collect SPDX identifiers across an approved package list |
| Advisory tracking | Flag packages whose default version carries a known OSV advisory |

Supply chain inventory

| Need | How this helps |
| --- | --- |
| Bill of materials | Resolve and list dependencies for each package |
| Footprint sizing | Compare dependency counts across candidate libraries |

Developer tooling

| Need | How this helps |
| --- | --- |
| Package pages | Enrich internal catalogs with version counts and links |
| Dashboards | Feed publish dates and license data into reporting |

Open source research

| Need | How this helps |
| --- | --- |
| Ecosystem study | Compare versioning cadence across npm, PyPI, Cargo, and more |
| Maintenance signals | Track deprecation flags and publish recency |

🔌 Automating deps.dev Package Insights Scraper

  • Make: Trigger a run and route records into a spreadsheet or database.
  • Zapier: Start a scenario whenever a new dataset is produced.
  • Slack: Post a message when a package shows a new advisory.
  • Airbyte: Sync the dataset into your warehouse on a schedule.
  • GitHub: Run the actor in a workflow to audit your dependency list on each release.
  • Google Drive: Archive each run output for record keeping.

🌟 Beyond business use cases

  • Research: Study license distribution and dependency depth across ecosystems.
  • Personal: Vet a library before adding it to a side project.
  • Non-profit: Maintain a lightweight inventory of the open source you rely on.
  • Experimentation: Compare two candidate packages by version count and footprint.

🤖 Ask an AI assistant

Paste a record into ChatGPT, Claude, Perplexity, or Microsoft Copilot and ask it to summarize the license and advisory posture of a package or rank a set of candidates by dependency footprint.

❓ Frequently Asked Questions

Which ecosystems are supported? npm, PyPI, Cargo, Maven, Go, and NuGet.

Where does the data come from? The public deps.dev v3 API by Google, also known as Open Source Insights.

Do I need an API key for deps.dev? No. The deps.dev API is public and keyless.

How do I look up a Maven package? Use the group:artifact form, for example com.google.guava:guava.

How do I look up a Go module? Use the full module path, for example github.com/gin-gonic/gin.

What version does the actor report? The default version flagged by deps.dev, which is usually the latest stable release.

Why is the advisory list empty for a popular package? Advisories reflect the resolved default version. A patched current release can show an empty list even when older versions had advisories.

Why are some dependency rows missing license and version data? Dependency rows carry the resolved name, version, and relation. Full per package detail is only fetched for the packages you list in packages.

What does dependencyCount represent? The number of resolved dependencies in the graph for the default version, excluding the package itself.

Can I limit how many rows I get? Yes. Set maxItems. Free plans are capped at 10 rows.

Is this affiliated with Google or deps.dev? No. It is an independent tool that reads the public deps.dev API.

How fresh is the data? It reflects what deps.dev has indexed at the time of the run.

🔌 Integrate with any app

Every run writes to an Apify dataset you can pull through the Apify API or connect to Make, Zapier, n8n, and your own services. Schedule runs to keep an up to date view of your package list.

💡 Pro Tip: browse the complete ParseForge collection.

🆘 Need Help? Open our contact form

⚠️ Disclaimer: independent tool, not affiliated with Google or deps.dev. Only publicly available data is collected.