Developer Signal Monitor
Pricing
Pay per usage
Developer Signal Monitor
Monitor public npm packages, maintainers, package license changes, GitHub releases, OSV/SBOM advisories, and Docker tags for developer signals.
Pricing
Pay per usage
Rating
0.0
(0)
Developer
X L
Maintained by CommunityActor stats
0
Bookmarked
2
Total users
1
Monthly active users
6 days ago
Last modified
Categories
Share
Monitor public npm packages, SDK compatibility surfaces, OSV.dev package vulnerabilities, CycloneDX SBOM vulnerability records, GitHub releases, GitHub repository security advisories, and Docker Hub image tags for new developer ecosystem, release-note digest, vulnerability, container, and supply-chain signals.
This Actor is designed for low-support scheduled monitoring:
- no login required for public npm package metadata
- no login required for OSV.dev public vulnerability metadata
- no login required for public CycloneDX JSON SBOM vulnerability parsing
- no login required for public GitHub release metadata
- no login required for public GitHub repository security advisory metadata
- no login required for public Docker Hub tag metadata
- outputs structured
NEW,SEEN, andERRORrows - adds a normalized developer risk queue with
developerRiskScore,developerRiskSeverity,developerRiskReasons,developerActionHints,developerActionPriority, andchargeableCandidate - adds npm supply-chain metadata such as maintainer count, license posture, dependency count, deprecation status, unpacked size, release age, integrity hash, shasum, registry signatures, attestation URL, and provenance risk flags
- tracks npm license fingerprints so scheduled runs can detect license drift even when the latest version is unchanged
- adds SDK upgrade compatibility metadata such as TypeScript types, ESM/package type, exports map, Node engine range, peer dependencies, optional dependencies, CLI bins, browser field, and action hints
- tracks npm maintainer fingerprints and maintainer email domains so scheduled runs can catch maintainer drift even when the latest version is unchanged
- adds OSV vulnerability metadata such as OSV ID, aliases, CVEs, severity, affected package/ecosystem/ranges, affected version count, references, withdrawn status, and mitigation hints
- adds SBOM vulnerability metadata from CycloneDX JSON documents, including CVEs, severity, affected refs/components/versions, analysis state, remediation hints, and advisory URLs
- adds GitHub release-note digest metrics for breaking, security, fix, feature, CVE, migration, deprecation, configuration, and impact-area signals
- adds GitHub release digest severity such as
SECURITY,BREAKING,FEATURE, orFIX - adds GitHub security advisory metadata such as GHSA, CVE, severity, CVSS, CWE, affected ecosystem/package, vulnerable ranges, patched versions, vulnerable functions, and mitigation hints
- adds Docker image tag/digest metadata such as latest non-
latesttag, digest, digest-backed signal ID, digest coverage, unpinned tags, digest alias groups, size, tag channel, tag status, recent tags, mutable tags, floating-tag risk, prerelease risk, digest-pinning status, digest drift watch, and action hints - includes
SDK Package Watchlist,Release Digest Watchlist,GitHub Security Advisory Watchlist,OSV Vulnerability Watchlist,SBOM Vulnerability Watchlist, andDocker Tag Watchlistreport sections for scheduled monitoring - stores a snapshot key so scheduled runs can detect new signals
- future PPE boundary:
developer-signal-alert
Inputs
npmPackages: npm packages to check, such asapifyorcrawleeosvPackages: npm packages to check against OSV.dev; defaults to empty to avoid extra OSV API calls unless explicitly enabledsbomUrls: public CycloneDX JSON SBOM URLs to parse for embedded vulnerability records; defaults to empty to avoid extra network calls unless explicitly enabledgithubRepos: public repositories inowner/nameformgithubAdvisoryRepos: public repositories inowner/nameform to check for repository security advisories; defaults to empty to avoid extra GitHub API callsdockerImages: public Docker Hub image names, such asnodeorapify/actor-nodealertKeywords: words that make a new package or release signal alert-worthypreviousSignalIds: optional IDs from a prior runsnapshotKey: key-value-store record for scheduled monitoring
Quick-Start Presets
Copy one of these low-cost JSON inputs into the Apify input editor and replace the example packages, repositories, or images with the assets your team ships:
examples/presets/sdk-release-risk-watch.json: two npm SDK packages plus two GitHub release feeds for breaking/security/migration release monitoring.examples/presets/container-digest-drift-watch.json: two Docker Hub images for tag, digest, mutable-tag, floating-tag, and low-digest-coverage monitoring.examples/presets/supply-chain-security-posture.json: two npm packages plus explicit OSV checks for vulnerability, maintainer, license, and provenance posture.
Each preset uses a unique snapshotKey, enables saveSnapshot, keeps every target list to 2 items or fewer, and leaves optional SBOM/advisory inputs empty unless the workflow needs them.
Output
Dataset rows include:
statusalertprioritysourcetargetsignalTypeversiontitleurlpublishedAtreleaseAgeDays- npm metadata:
license,maintainerCount,dependencyCount,peerDependencyCount,optionalDependencyCount,packageDeprecated,deprecatedMessage,unpackedSize - npm maintainer metadata:
maintainers,maintainerFingerprint,maintainerDomains, andmaintainerDomainCount - npm provenance metadata:
npmIntegrity,npmShasum,npmSignatureCount,npmSignatureKeyIds,npmAttestationUrl,npmProvenancePresent,npmProvenanceSignals,npmProvenanceRiskFlags,npmProvenanceActionHints, andnpmProvenanceRiskScore - npm license metadata:
licenseRaw,licenseNormalized,licenseCategory,licenseSignalId,licenseRiskFlags,licenseActionHints, andlicenseRiskScore - SDK compatibility metadata:
packageType,mainEntrypoint,moduleEntrypoint,typesEntrypoint,nodeEngine,hasExportsMap,binCount,sdkPackageCandidate,sdkKeywordHits,sdkSurfaceSignals,sdkCompatibilityRiskSignals,sdkActionHints,sdkCompatibilityRiskScore - OSV vulnerability metadata:
osvId,osvAliases,osvCves,osvSeverity,osvSeverityScore,osvAffectedPackage,osvAffectedPackages,osvAffectedEcosystems,osvAffectedRanges,osvAffectedVersionsCount,osvReferenceCount,osvWithdrawn,osvRiskSignals,osvActionHints,osvRiskScore - SBOM vulnerability metadata:
sbomFormat,sbomSerialNumber,sbomVersion,sbomComponentCount,sbomVulnerabilityId,sbomAliases,sbomCves,sbomSeverity,sbomSeverityScore,sbomCwes,sbomAffectedRefs,sbomAffectedComponents,sbomAffectedVersions,sbomAdvisoryUrls,sbomAnalysisState,sbomRecommendation,sbomRiskSignals,sbomActionHints,sbomRiskScore - GitHub release-note digest metadata:
releaseNotesDigest,releaseDigestSeverity,releaseNoteKeywordHits,releaseCves,releaseImpactAreas,releaseRiskSignals,releaseActionHints,releaseRiskScore - GitHub advisory metadata:
advisoryGhsaId,advisoryCveId,advisorySeverity,advisoryState,advisoryCvssScore,advisoryCvssVector,advisoryCwes,advisoryEcosystems,advisoryPackages,advisoryVulnerableRanges,advisoryPatchedVersions,advisoryVulnerableFunctions,advisoryReferenceCount,advisoryWithdrawn,advisoryRiskSignals,advisoryActionHints,advisoryRiskScore - Docker image metadata:
imageSize,imageDigest,dockerTagChannel,dockerObservedTags,dockerObservedDigests,dockerUniqueDigestCount,dockerDigestCoveragePct,dockerUnpinnedTags,dockerDigestAliasGroups,dockerDigestSignalId,dockerDigestDriftWatch,dockerMutableTags,dockerFloatingTag,dockerPrereleaseTag,dockerDigestPinned,dockerTagRiskSignals,dockerTagRiskScore,dockerDigestRiskSignals,dockerDigestActionHints,dockerDigestRiskScore,tagStatus matchedKeywordsreasons- normalized developer risk fields:
developerRiskScore,developerRiskSeverity,developerRiskReasons,developerActionHints,developerActionPriority, andchargeableCandidate ppeEventCandidate
Local validation
npm testnpm run sample
The report includes a Top Developer Risks section so security, breaking-change, SDK compatibility, license, provenance, OSV, SBOM, advisory, and Docker drift signals can be triaged without inspecting raw dataset rows.
The first release should be free or usage-cost-only. Add PPE only after real usage proves people want alert rows. Strong future paid units are SDK upgrade compatibility alerts, ESM/exports-map/Node-engine/peer-dependency SDK alerts, npm provenance/integrity alerts, npm license drift and license-risk alerts, OSV vulnerability alerts, OSV CVE/high/no-fixed alerts, SBOM vulnerability alerts, SBOM CVE/high/no-remediation/open-analysis alerts, new security/breaking release alerts, GitHub security advisory alerts, high/CVSS/CVE advisory alerts, unpatched advisory alerts, release-note digest alerts with CVE or migration action hints, Docker image tag alerts, Docker digest drift alerts, Docker unpinned/low-coverage digest alerts, Docker mutable/floating tag risk alerts, npm maintainer drift alerts, deprecated npm package alerts, packages with no listed maintainers, and old-release supply-chain risk alerts.