# Dependency Supply-Chain Risk Audit (`scrapeworks/dependency-risk-audit`) Actor

Audit your package.json or requirements.txt for supply-chain risk: known vulnerabilities (OSV), deprecated/abandoned packages, and a project-level risk score.

- **URL:** https://apify.com/scrapeworks/dependency-risk-audit.md
- **Developed by:** [Nicolas van Arkens](https://apify.com/scrapeworks) (community)
- **Categories:** Developer tools, Other
- **Stats:** 2 total users, 1 monthly user, 100.0% runs succeeded
- **User rating:** No ratings yet

## Pricing

from $1.00 / 1,000 results

This Actor is paid per event. You are not charged for the Apify platform usage, but only a fixed price for specific events.

Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-event

## What's an Apify Actor?

Actors are software tools running on the Apify platform for all kinds of web data extraction and automation use cases.
In Batch mode, an Actor accepts a well-defined JSON input, performs an action that can take anything from a few seconds to a few hours,
and optionally produces a well-defined JSON output, datasets with results, or files in the key-value store.
In Standby mode, an Actor provides a web server that can be used as a website, an API, or an MCP server.
Actors are written with a capital "A".

## How to integrate an Actor?

If asked about integration, you help developers integrate Actors into their projects.
You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready.
The best way to integrate Actors is as follows.

In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md):

```bash
npm install apify-client
```

In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md):

```bash
pip install apify-client
```

In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md):

```bash
# macOS / Linux
curl -fsSL https://apify.com/install-cli.sh | bash
# Windows
irm https://apify.com/install-cli.ps1 | iex
```

In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md).

If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md).

For usage examples, see the [API](#api) section below.

For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt).


# README

## Dependency Supply-Chain Risk Audit 🛡️

Paste your **`package.json`** or **`requirements.txt`** and get a complete supply-chain risk report for every dependency — **known vulnerabilities**, **deprecated and abandoned packages**, stale releases, and licensing gaps — rolled up into one **project-level risk verdict**.

Most package scrapers hand you raw metadata for one package at a time. This audits your **whole dependency list at once** and tells you what actually matters: *is my project safe to ship?*

### What it checks per dependency

- 🚨 **Known vulnerabilities** — cross-referenced against the [OSV database](https://osv.dev) (CVEs and security advisories across npm and PyPI)
- ⚰️ **Deprecated / yanked** packages — flagged as hard risks
- 🕒 **Staleness** — packages with no release in 1, 2, or 3+ years
- 📜 **Licensing** — missing or unclear licenses
- 🔗 **Source repo** — the linked GitHub/source URL for deeper review

Each dependency gets a **0-100 risk score** and a level (Minimal → Low → Medium → High → Critical), with concrete flags explaining why.

### Project-level summary

The first result is an aggregate verdict for the whole project:

```json
{
  "recordType": "project_summary",
  "projectRiskLevel": "Critical",
  "totalDependencies": 42,
  "vulnerableDependencies": 3,
  "deprecatedDependencies": 2,
  "staleDependencies": 5,
  "riskBreakdown": { "Critical": 1, "High": 2, "Medium": 4, "Low": 6, "Minimal": 29 },
  "summary": "42 dependencies analyzed: 3 with known vulnerabilities, 2 deprecated, 5 stale. Overall risk: Critical."
}
````

### Use cases

- **Pre-deployment security gate** — audit dependencies before every release
- **Tech due diligence** — assess a codebase's supply-chain exposure
- **Continuous monitoring** — schedule it to re-audit and catch newly-disclosed CVEs or freshly-deprecated packages
- **Dependency cleanup** — find the abandoned and risky packages to replace

### Input

| Field | Description |
|-------|-------------|
| **Manifest contents** | Paste a full `package.json` or `requirements.txt`. |
| **Manifest type** | Auto-detect, or force npm / PyPI. |
| **Check vulnerabilities** | Toggle the OSV vulnerability lookup. |
| **Max dependencies** | Cap how many to audit. |

### Output

One `project_summary` record, then one record per dependency with its risk score, level, vulnerability count, flags, version, release date, license, and repo link. Export to JSON, CSV, or Excel, or pull via the Apify API — wire it into CI, Slack, or Sheets for automated alerts.

### Notes on the vulnerability data

Vulnerability checks use the free, public **OSV.dev** API maintained by Google's open-source security team, covering npm and PyPI advisories. If the vulnerability service is briefly unavailable, the audit still completes using health signals and clearly marks which packages were scored without vulnerability data — the run never fails because of it.

The risk score is a transparent heuristic to help you prioritize review, not a security guarantee. Always combine it with your own judgment for critical systems. Independent tool; not affiliated with npm, PyPI, GitHub, or OSV.
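Added example, not the Actor's own code: a release-gate policy run over the dataset records described above, the kind of check a CI job would apply before letting a build ship. It reads the documented `project_summary` fields (`projectRiskLevel`, `vulnerableDependencies`, `deprecatedDependencies`) and treats the per-dependency field names (`name`, `riskLevel`, `vulnerabilityCount`, `flags`) and a `vulnerabilityCheckPerformed` marker for packages scored without OSV data as assumptions about the record layout, since the page does not spell them out. The sample records are constructed and use placeholder package names.

```python
"""Release gate over dependency-risk-audit dataset records (added example, not the Actor's code).

Documented fields used: recordType, projectRiskLevel, vulnerableDependencies,
deprecatedDependencies. Assumed (not documented on the page): per-dependency
records carry name, riskLevel, vulnerabilityCount, flags and a boolean
vulnerabilityCheckPerformed that is False when OSV was unavailable for that package.
"""
import sys
from dataclasses import dataclass, field

# Risk levels in the order the README lists them, lowest to highest.
LEVELS = ["Minimal", "Low", "Medium", "High", "Critical"]


@dataclass
class GateResult:
    passed: bool
    reasons: list = field(default_factory=list)   # hard failures
    warnings: list = field(default_factory=list)  # surfaced but not blocking


def evaluate_gate(items, max_level="Medium", fail_on_incomplete=True):
    """Decide whether the audited project may ship.

    max_level: highest projectRiskLevel the gate tolerates.
    fail_on_incomplete: treat packages scored without vulnerability data as a failure
    (fail closed) rather than a warning, because a clean score for them proves little.
    """
    summary = next((i for i in items if i.get("recordType") == "project_summary"), None)
    if summary is None:
        return GateResult(False, ["no project_summary record in dataset"])
    deps = [i for i in items if i.get("recordType") != "project_summary"]
    result = GateResult(passed=True)

    # 1. Project-level verdict against the configured threshold.
    level = summary.get("projectRiskLevel", "Critical")
    if LEVELS.index(level) > LEVELS.index(max_level):
        result.reasons.append(f"project risk is {level}, gate allows at most {max_level}")

    # 2. Hard risks block regardless of the aggregate level.
    if summary.get("vulnerableDependencies", 0):
        names = [d.get("name") for d in deps if d.get("vulnerabilityCount", 0)]
        result.reasons.append(f"dependencies with known vulnerabilities: {names}")
    if summary.get("deprecatedDependencies", 0):
        names = [d.get("name") for d in deps if "deprecated" in d.get("flags", [])]
        result.reasons.append(f"deprecated dependencies: {names}")

    # 3. Caveat from the README notes: packages scored without OSV data.
    unchecked = [d.get("name") for d in deps if d.get("vulnerabilityCheckPerformed") is False]
    if unchecked:
        msg = f"scored without vulnerability data, re-run before trusting: {unchecked}"
        (result.reasons if fail_on_incomplete else result.warnings).append(msg)

    result.passed = not result.reasons
    return result


# Constructed sample records with placeholder package names (assumed layout, see docstring).
SAMPLE_ITEMS = [
    {"recordType": "project_summary", "projectRiskLevel": "High", "totalDependencies": 3,
     "vulnerableDependencies": 1, "deprecatedDependencies": 1, "staleDependencies": 0,
     "riskBreakdown": {"Critical": 0, "High": 1, "Medium": 1, "Low": 0, "Minimal": 1}},
    {"recordType": "dependency", "name": "pkg-alpha", "riskLevel": "High", "riskScore": 72,
     "vulnerabilityCount": 0, "flags": ["deprecated"], "vulnerabilityCheckPerformed": True},
    {"recordType": "dependency", "name": "pkg-beta", "riskLevel": "Medium", "riskScore": 45,
     "vulnerabilityCount": 1, "flags": ["known vulnerability"], "vulnerabilityCheckPerformed": True},
    {"recordType": "dependency", "name": "pkg-gamma", "riskLevel": "Minimal", "riskScore": 5,
     "vulnerabilityCount": 0, "flags": [], "vulnerabilityCheckPerformed": False},
]

CLEAN_ITEMS = [
    {"recordType": "project_summary", "projectRiskLevel": "Minimal", "totalDependencies": 1,
     "vulnerableDependencies": 0, "deprecatedDependencies": 0, "staleDependencies": 0},
    {"recordType": "dependency", "name": "pkg-delta", "riskLevel": "Minimal", "riskScore": 2,
     "vulnerabilityCount": 0, "flags": [], "vulnerabilityCheckPerformed": True},
]

if __name__ == "__main__":
    verdict = evaluate_gate(SAMPLE_ITEMS)
    for r in verdict.reasons:
        print("FAIL:", r)
    for w in verdict.warnings:
        print("WARN:", w)
    sys.exit(0 if verdict.passed else 1)
```

In a pipeline the list passed to `evaluate_gate` is simply the `items` returned by the client calls in the API section; the exit status is what makes the step block a deployment.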

# Actor input Schema

## `manifestText` (type: `string`):

Paste the full contents of your package.json (npm) or requirements.txt (Python/PyPI). Every dependency listed will be audited for vulnerabilities and health.

## `manifestType` (type: `string`):

How to interpret the pasted manifest. 'auto' detects package.json (starts with '{') vs requirements.txt.

## `checkVulnerabilities` (type: `boolean`):

Cross-reference each dependency against the OSV vulnerability database for known CVEs/advisories. Adds one lookup per package. If disabled, packages are scored on health signals only.

## `maxDependencies` (type: `integer`):

Cap on how many dependencies to audit from the manifest.
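Added example, not the Actor's own code: a Python sketch of what the four input fields above mean in practice. It follows the documented `auto` rule (text beginning with `{` is `package.json`, anything else `requirements.txt`), applies the `maxDependencies` cap, and, when vulnerability checking is enabled, builds the request body for the public OSV batch endpoint (`https://api.osv.dev/v1/querybatch`) without sending it. The exact-pin rule, the treatment of `-`/`--` option lines in `requirements.txt`, and the regexes are the example's own assumptions, and the sample manifests are constructed.

```python
"""Manifest parsing and OSV query planning (added example, not the Actor's code)."""
import json
import re

# Ecosystem names as OSV expects them in querybatch requests.
ECOSYSTEM = {"package.json": "npm", "requirements.txt": "PyPI"}

# requirements.txt entry: name, optional [extras], optional '==version' pin.
# Assumption: only an '==' pin is treated as an exact version.
_REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(==\s*([^\s;#]+))?")

# npm exact pin such as "1.3.0"; ranges such as "^4.18.0" are not a single release.
_NPM_EXACT = re.compile(r"\d+\.\d+\.\d+([-+][\w.]+)?")


def detect_manifest_type(text, manifest_type="auto"):
    """Mirror the schema rule: 'auto' treats text starting with '{' as package.json."""
    if manifest_type != "auto":
        return manifest_type
    return "package.json" if text.lstrip().startswith("{") else "requirements.txt"


def parse_manifest(text, manifest_type="auto", max_dependencies=200):
    """Return (kind, [(name, exact_version_or_None), ...], directives) capped at max_dependencies."""
    kind = detect_manifest_type(text, manifest_type)
    deps, directives = [], []
    if kind == "package.json":
        doc = json.loads(text)
        for section in ("dependencies", "devDependencies", "optionalDependencies"):
            for name, spec in (doc.get(section) or {}).items():
                spec = str(spec).strip()
                deps.append((name, spec if _NPM_EXACT.fullmatch(spec) else None))
    else:
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            if line.startswith("-"):
                # -r / -e / --index-url / --extra-index-url are not packages; keep them
                # for review, since extra indexes change where packages are resolved from.
                directives.append(line)
                continue
            m = _REQ_LINE.match(line)
            if m:
                deps.append((m.group(1), m.group(4)))
    return kind, deps[:max_dependencies], directives


def build_osv_querybatch(kind, deps):
    """Body for POST https://api.osv.dev/v1/querybatch (built here, not sent).

    OSV matches advisories against a concrete version, so unpinned entries are
    returned separately: resolve them from a lockfile before querying.
    """
    ecosystem = ECOSYSTEM[kind]
    queries, unresolved = [], []
    for name, version in deps:
        if version is None:
            unresolved.append(name)
            continue
        queries.append({"package": {"name": name, "ecosystem": ecosystem}, "version": version})
    return {"queries": queries}, unresolved


def audit_plan(text, manifest_type="auto", check_vulnerabilities=True, max_dependencies=200):
    """Combine the input fields into one plan: what was parsed and what OSV would be asked."""
    kind, deps, directives = parse_manifest(text, manifest_type, max_dependencies)
    plan = {"manifestType": kind, "totalDependencies": len(deps),
            "directives": directives, "osvQueries": None, "unresolved": []}
    if check_vulnerabilities:
        plan["osvQueries"], plan["unresolved"] = build_osv_querybatch(kind, deps)
    return plan


# Constructed samples: the page's package.json example and a made-up requirements.txt.
SAMPLE_PACKAGE_JSON = json.dumps(
    {"dependencies": {"express": "^4.18.0", "left-pad": "1.3.0", "lodash": "^4.17.21"}})
SAMPLE_REQUIREMENTS = """# constructed sample
--extra-index-url https://pypi.example.invalid/simple
requests==2.31.0
Django>=4.2
cryptography[ssh]==41.0.7  # pinned with extras
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PACKAGE_JSON, SAMPLE_REQUIREMENTS):
        print(json.dumps(audit_plan(sample), indent=2))
```

The `unresolved` list is the practical caveat: a `package.json` range such as `^4.18.0` names many releases, so a vulnerability verdict only means something for the version a lockfile actually resolved.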

## Actor input object example

```json
{
  "manifestText": "{\n  \"dependencies\": {\n    \"express\": \"^4.18.0\",\n    \"left-pad\": \"1.3.0\",\n    \"lodash\": \"^4.17.21\"\n  }\n}",
  "manifestType": "auto",
  "checkVulnerabilities": true,
  "maxDependencies": 200
}
```

# API

You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup.

## JavaScript example

```javascript
import { ApifyClient } from 'apify-client';

// Initialize the ApifyClient with your Apify API token
// Replace the '<YOUR_API_TOKEN>' with your token
const client = new ApifyClient({
    token: '<YOUR_API_TOKEN>',
});

// Prepare Actor input
const input = {
    "manifestText": `{
  "dependencies": {
    "express": "^4.18.0",
    "left-pad": "1.3.0",
    "lodash": "^4.17.21"
  }
}`
};

// Run the Actor and wait for it to finish
const run = await client.actor("scrapeworks/dependency-risk-audit").call(input);

// Fetch and print Actor results from the run's dataset (if any)
console.log('Results from dataset');
console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`);
const { items } = await client.dataset(run.defaultDatasetId).listItems();
items.forEach((item) => {
    console.dir(item);
});

// 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs

```

## Python example

```python
from apify_client import ApifyClient

# Initialize the ApifyClient with your Apify API token
# Replace '<YOUR_API_TOKEN>' with your token.
client = ApifyClient("<YOUR_API_TOKEN>")

# Prepare the Actor input
run_input = { "manifestText": """{
  \"dependencies\": {
    \"express\": \"^4.18.0\",
    \"left-pad\": \"1.3.0\",
    \"lodash\": \"^4.17.21\"
  }
}""" }

# Run the Actor and wait for it to finish
run = client.actor("scrapeworks/dependency-risk-audit").call(run_input=run_input)

# Fetch and print Actor results from the run's dataset (if there are any)
print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"])
for item in client.dataset(run["defaultDatasetId"]).iterate_items():
    print(item)

# 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start

```

## CLI example

```bash
# printf rather than echo, so the JSON escapes (\n, \") reach the CLI untouched in every shell.
printf '%s\n' '{
  "manifestText": "{\n  \"dependencies\": {\n    \"express\": \"^4.18.0\",\n    \"left-pad\": \"1.3.0\",\n    \"lodash\": \"^4.17.21\"\n  }\n}"
}' |
apify call scrapeworks/dependency-risk-audit --silent --output-dataset
```

## MCP server setup

```json
{
    "mcpServers": {
        "apify": {
            "command": "npx",
            "args": [
                "mcp-remote",
                "https://mcp.apify.com/?tools=scrapeworks/dependency-risk-audit",
                "--header",
                "Authorization: Bearer <YOUR_API_TOKEN>"
            ]
        }
    }
}

```

## OpenAPI specification

```json
{
    "openapi": "3.0.1",
    "info": {
        "title": "Dependency Supply-Chain Risk Audit",
        "description": "Audit your package.json or requirements.txt for supply-chain risk: known vulnerabilities (OSV), deprecated/abandoned packages, and a project-level risk score.",
        "version": "0.1",
        "x-build-id": "Dke64QeyFJaKoiiCU"
    },
    "servers": [
        {
            "url": "https://api.apify.com/v2"
        }
    ],
    "paths": {
        "/acts/scrapeworks~dependency-risk-audit/run-sync-get-dataset-items": {
            "post": {
                "operationId": "run-sync-get-dataset-items-scrapeworks-dependency-risk-audit",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        },
        "/acts/scrapeworks~dependency-risk-audit/runs": {
            "post": {
                "operationId": "runs-sync-scrapeworks-dependency-risk-audit",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor and returns information about the initiated run in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "$ref": "#/components/schemas/runsResponseSchema"
                                }
                            }
                        }
                    }
                }
            }
        },
        "/acts/scrapeworks~dependency-risk-audit/run-sync": {
            "post": {
                "operationId": "run-sync-scrapeworks-dependency-risk-audit",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        }
    },
    "components": {
        "schemas": {
            "inputSchema": {
                "type": "object",
                "properties": {
                    "manifestText": {
                        "title": "Manifest file contents",
                        "type": "string",
                        "description": "Paste the full contents of your package.json (npm) or requirements.txt (Python/PyPI). Every dependency listed will be audited for vulnerabilities and health."
                    },
                    "manifestType": {
                        "title": "Manifest type",
                        "enum": [
                            "auto",
                            "package.json",
                            "requirements.txt"
                        ],
                        "type": "string",
                        "description": "How to interpret the pasted manifest. 'auto' detects package.json (starts with '{') vs requirements.txt.",
                        "default": "auto"
                    },
                    "checkVulnerabilities": {
                        "title": "Check known vulnerabilities (OSV)",
                        "type": "boolean",
                        "description": "Cross-reference each dependency against the OSV vulnerability database for known CVEs/advisories. Adds one lookup per package. If disabled, packages are scored on health signals only.",
                        "default": true
                    },
                    "maxDependencies": {
                        "title": "Maximum dependencies",
                        "minimum": 1,
                        "maximum": 2000,
                        "type": "integer",
                        "description": "Cap on how many dependencies to audit from the manifest.",
                        "default": 200
                    }
                }
            },
            "runsResponseSchema": {
                "type": "object",
                "properties": {
                    "data": {
                        "type": "object",
                        "properties": {
                            "id": {
                                "type": "string"
                            },
                            "actId": {
                                "type": "string"
                            },
                            "userId": {
                                "type": "string"
                            },
                            "startedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "finishedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "status": {
                                "type": "string",
                                "example": "READY"
                            },
                            "meta": {
                                "type": "object",
                                "properties": {
                                    "origin": {
                                        "type": "string",
                                        "example": "API"
                                    },
                                    "userAgent": {
                                        "type": "string"
                                    }
                                }
                            },
                            "stats": {
                                "type": "object",
                                "properties": {
                                    "inputBodyLen": {
                                        "type": "integer",
                                        "example": 2000
                                    },
                                    "rebootCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "restartCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "resurrectCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "computeUnits": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "options": {
                                "type": "object",
                                "properties": {
                                    "build": {
                                        "type": "string",
                                        "example": "latest"
                                    },
                                    "timeoutSecs": {
                                        "type": "integer",
                                        "example": 300
                                    },
                                    "memoryMbytes": {
                                        "type": "integer",
                                        "example": 1024
                                    },
                                    "diskMbytes": {
                                        "type": "integer",
                                        "example": 2048
                                    }
                                }
                            },
                            "buildId": {
                                "type": "string"
                            },
                            "defaultKeyValueStoreId": {
                                "type": "string"
                            },
                            "defaultDatasetId": {
                                "type": "string"
                            },
                            "defaultRequestQueueId": {
                                "type": "string"
                            },
                            "buildNumber": {
                                "type": "string",
                                "example": "1.0.0"
                            },
                            "containerUrl": {
                                "type": "string"
                            },
                            "usage": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "integer",
                                        "example": 1
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "usageTotalUsd": {
                                "type": "number",
                                "example": 0.00005
                            },
                            "usageUsd": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "number",
                                        "example": 0.00005
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
```
