Developer Signal Monitor avatar

Developer Signal Monitor

Pricing

Pay per usage

Go to Apify Store
Developer Signal Monitor

Developer Signal Monitor

Monitor public npm packages, maintainers, package license changes, GitHub releases, OSV/SBOM advisories, and Docker tags for developer signals.

Pricing

Pay per usage

Rating

0.0

(0)

Developer

X L

X L

Maintained by Community

Actor stats

0

Bookmarked

2

Total users

1

Monthly active users

6 days ago

Last modified

Share

Monitor public npm packages, SDK compatibility surfaces, OSV.dev package vulnerabilities, CycloneDX SBOM vulnerability records, GitHub releases, GitHub repository security advisories, and Docker Hub image tags for new developer ecosystem, release-note digest, vulnerability, container, and supply-chain signals.

This Actor is designed for low-support scheduled monitoring:

  • no login required for public npm package metadata
  • no login required for OSV.dev public vulnerability metadata
  • no login required for public CycloneDX JSON SBOM vulnerability parsing
  • no login required for public GitHub release metadata
  • no login required for public GitHub repository security advisory metadata
  • no login required for public Docker Hub tag metadata
  • outputs structured NEW, SEEN, and ERROR rows
  • adds a normalized developer risk queue with developerRiskScore, developerRiskSeverity, developerRiskReasons, developerActionHints, developerActionPriority, and chargeableCandidate
  • adds npm supply-chain metadata such as maintainer count, license posture, dependency count, deprecation status, unpacked size, release age, integrity hash, shasum, registry signatures, attestation URL, and provenance risk flags
  • tracks npm license fingerprints so scheduled runs can detect license drift even when the latest version is unchanged
  • adds SDK upgrade compatibility metadata such as TypeScript types, ESM/package type, exports map, Node engine range, peer dependencies, optional dependencies, CLI bins, browser field, and action hints
  • tracks npm maintainer fingerprints and maintainer email domains so scheduled runs can catch maintainer drift even when the latest version is unchanged
  • adds OSV vulnerability metadata such as OSV ID, aliases, CVEs, severity, affected package/ecosystem/ranges, affected version count, references, withdrawn status, and mitigation hints
  • adds SBOM vulnerability metadata from CycloneDX JSON documents, including CVEs, severity, affected refs/components/versions, analysis state, remediation hints, and advisory URLs
  • adds GitHub release-note digest metrics for breaking, security, fix, feature, CVE, migration, deprecation, configuration, and impact-area signals
  • adds GitHub release digest severity such as SECURITY, BREAKING, FEATURE, or FIX
  • adds GitHub security advisory metadata such as GHSA, CVE, severity, CVSS, CWE, affected ecosystem/package, vulnerable ranges, patched versions, vulnerable functions, and mitigation hints
  • adds Docker image tag/digest metadata such as latest non-latest tag, digest, digest-backed signal ID, digest coverage, unpinned tags, digest alias groups, size, tag channel, tag status, recent tags, mutable tags, floating-tag risk, prerelease risk, digest-pinning status, digest drift watch, and action hints
  • includes SDK Package Watchlist, Release Digest Watchlist, GitHub Security Advisory Watchlist, OSV Vulnerability Watchlist, SBOM Vulnerability Watchlist, and Docker Tag Watchlist report sections for scheduled monitoring
  • stores a snapshot key so scheduled runs can detect new signals
  • future PPE boundary: developer-signal-alert

Inputs

  • npmPackages: npm packages to check, such as apify or crawlee
  • osvPackages: npm packages to check against OSV.dev; defaults to empty to avoid extra OSV API calls unless explicitly enabled
  • sbomUrls: public CycloneDX JSON SBOM URLs to parse for embedded vulnerability records; defaults to empty to avoid extra network calls unless explicitly enabled
  • githubRepos: public repositories in owner/name form
  • githubAdvisoryRepos: public repositories in owner/name form to check for repository security advisories; defaults to empty to avoid extra GitHub API calls
  • dockerImages: public Docker Hub image names, such as node or apify/actor-node
  • alertKeywords: words that make a new package or release signal alert-worthy
  • previousSignalIds: optional IDs from a prior run
  • snapshotKey: key-value-store record for scheduled monitoring

Quick-Start Presets

Copy one of these low-cost JSON inputs into the Apify input editor and replace the example packages, repositories, or images with the assets your team ships:

  • examples/presets/sdk-release-risk-watch.json: two npm SDK packages plus two GitHub release feeds for breaking/security/migration release monitoring.
  • examples/presets/container-digest-drift-watch.json: two Docker Hub images for tag, digest, mutable-tag, floating-tag, and low-digest-coverage monitoring.
  • examples/presets/supply-chain-security-posture.json: two npm packages plus explicit OSV checks for vulnerability, maintainer, license, and provenance posture.

Each preset uses a unique snapshotKey, enables saveSnapshot, keeps every target list to 2 items or fewer, and leaves optional SBOM/advisory inputs empty unless the workflow needs them.

Output

Dataset rows include:

  • status
  • alert
  • priority
  • source
  • target
  • signalType
  • version
  • title
  • url
  • publishedAt
  • releaseAgeDays
  • npm metadata: license, maintainerCount, dependencyCount, peerDependencyCount, optionalDependencyCount, packageDeprecated, deprecatedMessage, unpackedSize
  • npm maintainer metadata: maintainers, maintainerFingerprint, maintainerDomains, and maintainerDomainCount
  • npm provenance metadata: npmIntegrity, npmShasum, npmSignatureCount, npmSignatureKeyIds, npmAttestationUrl, npmProvenancePresent, npmProvenanceSignals, npmProvenanceRiskFlags, npmProvenanceActionHints, and npmProvenanceRiskScore
  • npm license metadata: licenseRaw, licenseNormalized, licenseCategory, licenseSignalId, licenseRiskFlags, licenseActionHints, and licenseRiskScore
  • SDK compatibility metadata: packageType, mainEntrypoint, moduleEntrypoint, typesEntrypoint, nodeEngine, hasExportsMap, binCount, sdkPackageCandidate, sdkKeywordHits, sdkSurfaceSignals, sdkCompatibilityRiskSignals, sdkActionHints, sdkCompatibilityRiskScore
  • OSV vulnerability metadata: osvId, osvAliases, osvCves, osvSeverity, osvSeverityScore, osvAffectedPackage, osvAffectedPackages, osvAffectedEcosystems, osvAffectedRanges, osvAffectedVersionsCount, osvReferenceCount, osvWithdrawn, osvRiskSignals, osvActionHints, osvRiskScore
  • SBOM vulnerability metadata: sbomFormat, sbomSerialNumber, sbomVersion, sbomComponentCount, sbomVulnerabilityId, sbomAliases, sbomCves, sbomSeverity, sbomSeverityScore, sbomCwes, sbomAffectedRefs, sbomAffectedComponents, sbomAffectedVersions, sbomAdvisoryUrls, sbomAnalysisState, sbomRecommendation, sbomRiskSignals, sbomActionHints, sbomRiskScore
  • GitHub release-note digest metadata: releaseNotesDigest, releaseDigestSeverity, releaseNoteKeywordHits, releaseCves, releaseImpactAreas, releaseRiskSignals, releaseActionHints, releaseRiskScore
  • GitHub advisory metadata: advisoryGhsaId, advisoryCveId, advisorySeverity, advisoryState, advisoryCvssScore, advisoryCvssVector, advisoryCwes, advisoryEcosystems, advisoryPackages, advisoryVulnerableRanges, advisoryPatchedVersions, advisoryVulnerableFunctions, advisoryReferenceCount, advisoryWithdrawn, advisoryRiskSignals, advisoryActionHints, advisoryRiskScore
  • Docker image metadata: imageSize, imageDigest, dockerTagChannel, dockerObservedTags, dockerObservedDigests, dockerUniqueDigestCount, dockerDigestCoveragePct, dockerUnpinnedTags, dockerDigestAliasGroups, dockerDigestSignalId, dockerDigestDriftWatch, dockerMutableTags, dockerFloatingTag, dockerPrereleaseTag, dockerDigestPinned, dockerTagRiskSignals, dockerTagRiskScore, dockerDigestRiskSignals, dockerDigestActionHints, dockerDigestRiskScore, tagStatus
  • matchedKeywords
  • reasons
  • normalized developer risk fields: developerRiskScore, developerRiskSeverity, developerRiskReasons, developerActionHints, developerActionPriority, and chargeableCandidate
  • ppeEventCandidate

Local validation

npm test
npm run sample

The report includes a Top Developer Risks section so security, breaking-change, SDK compatibility, license, provenance, OSV, SBOM, advisory, and Docker drift signals can be triaged without inspecting raw dataset rows.

The first release should be free or usage-cost-only. Add PPE only after real usage proves people want alert rows. Strong future paid units are SDK upgrade compatibility alerts, ESM/exports-map/Node-engine/peer-dependency SDK alerts, npm provenance/integrity alerts, npm license drift and license-risk alerts, OSV vulnerability alerts, OSV CVE/high/no-fixed alerts, SBOM vulnerability alerts, SBOM CVE/high/no-remediation/open-analysis alerts, new security/breaking release alerts, GitHub security advisory alerts, high/CVSS/CVE advisory alerts, unpatched advisory alerts, release-note digest alerts with CVE or migration action hints, Docker image tag alerts, Docker digest drift alerts, Docker unpinned/low-coverage digest alerts, Docker mutable/floating tag risk alerts, npm maintainer drift alerts, deprecated npm package alerts, packages with no listed maintainers, and old-release supply-chain risk alerts.