PyPI Package Dependency Intelligence

Pricing

Pay per usage

Extract Python package dependency declarations, release cadence, maintainer hints, download stats, and OSV vulnerability summaries from the official PyPI JSON API.

Developer

太郎 山田

Maintained by Community

Analyze Python packages from the official PyPI JSON API and export flattened rows for package summaries, release cadence, dependency declarations, maintainer hints, optional download stats, and optional OSV vulnerability signals.

This actor is built for direct package watchlists. It does not scrape PyPI HTML search pages.

Inputs

| Field | Default | Notes |
| --- | --- | --- |
| packages | required | PyPI package names such as requests, fastapi, django, or numpy. |
| includeReleaseHistory | true | Emit release_version rows. |
| includeDownloadStats | false | Add recent counts from pypistats.org when available. |
| includeVulnerabilities | false | Add OSV advisory summaries. |
| maxReleaseRowsPerPackage | 100 | Cap release rows per package. |
| maxDependencyRowsPerPackage | 250 | Cap dependency rows per package. |
| concurrency | 5 | Parallel package fetches. |
| timeoutMs | 15000 | Per-request timeout in ms. |
| delivery | dataset | dataset or webhook. |
| webhookUrl | empty | Required when delivery=webhook. |
| dryRun | false | Skip dataset and webhook delivery. |

Dataset Rows

The dataset is flattened so it can be filtered and joined without unpacking one large object.

package_summary

  • packageName, normalizedPackageName, requestedName, status
  • version, summary, license, requiresPython
  • author, authorEmail, maintainer, maintainerEmail
  • homePage, sourceUrl, issueTrackerUrl, projectUrls
  • releaseCount, firstReleaseAt, latestReleaseAt, releaseCadenceDays
  • dependencyCount, emittedDependencyCount
  • downloadLastDay, downloadLastWeek, downloadLastMonth when enabled
  • vulnerabilityCount, vulnerabilities when enabled
  • contactHints, warnings, fetchedAt

release_version

  • packageName, version, uploadTime, fileCount
  • packageTypes, yanked, yankReason, fetchedAt

dependency

  • packageName, packageVersion
  • dependencyName, normalizedDependencyName
  • dependencyGroup such as runtime, conditional, or extra:socks
  • versionSpec, extras, environmentMarker
  • rawRequirement, parseStatus, fetchedAt

Example Input

{
  "packages": ["requests", "fastapi"],
  "includeReleaseHistory": true,
  "includeDownloadStats": false,
  "includeVulnerabilities": false,
  "maxReleaseRowsPerPackage": 25,
  "maxDependencyRowsPerPackage": 250,
  "concurrency": 3,
  "timeoutMs": 15000,
  "delivery": "dataset",
  "webhookUrl": "",
  "dryRun": false
}

Local Development

npm install
npm test
node src/index.js

output/result.json contains the full payload for local inspection. On Apify, dataset delivery writes the flattened rows.

Limitations

  • V1 is direct package lookup only; PyPI HTML search is out of scope.
  • Requires-Dist parsing is pragmatic. The original PEP 508 string is always preserved as rawRequirement.
  • pypistats.org and OSV are optional external enrichments and can return warnings without failing the package.
  • OSV output is an advisory summary and should not be treated as a complete vulnerability audit.
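
The Requires-Dist limitation and the dependency row fields above can be illustrated with a compact parser. This is an added example, not the actor's own code: the parseStatus values and the rules for assigning runtime, conditional, or extra:NAME are assumptions, since the page does not document them.

```javascript
// Added example, not the actor's source. Field names follow the `dependency`
// row on this page; parseStatus values and group rules are assumptions.

// PEP 503 normalization: lowercase, runs of "-", "_", "." collapse to "-".
const normalizeName = (name) => name.toLowerCase().replace(/[-_.]+/g, '-');

const NAME_RE = /^([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)\s*(?:\[([^\]]*)\])?\s*(.*)$/;
const CLAUSE_RE = /^(===|~=|==|!=|<=|>=|<|>)[^,]+$/;

function parseRequirement(rawRequirement) {
  // rawRequirement is always carried through, so a failed parse loses nothing.
  const row = {
    dependencyName: null, normalizedDependencyName: null, dependencyGroup: null,
    versionSpec: '', extras: [], environmentMarker: null,
    rawRequirement, parseStatus: 'unparsed',
  };
  // Everything after the first ";" is the environment marker.
  const semi = rawRequirement.indexOf(';');
  const head = (semi < 0 ? rawRequirement : rawRequirement.slice(0, semi)).trim();
  const marker = semi < 0 ? null : rawRequirement.slice(semi + 1).trim();

  const m = NAME_RE.exec(head);
  if (!m) return row;
  const [, name, extras, rest] = m;
  row.dependencyName = name;
  row.normalizedDependencyName = normalizeName(name);
  row.extras = extras ? extras.split(',').map((e) => e.trim()).filter(Boolean) : [];
  row.environmentMarker = marker;

  // An `extra == "x"` marker means the dependency is only pulled in by that extra.
  const extra = marker && /\bextra\s*==\s*['"]([^'"]+)['"]/.exec(marker);
  row.dependencyGroup = extra ? `extra:${extra[1]}` : marker ? 'conditional' : 'runtime';

  if (rest.startsWith('@')) {
    // Direct URL reference: resolved outside the index, so flag it for review.
    row.parseStatus = 'direct_reference';
    return row;
  }
  // Older metadata wraps specifiers in parentheses: "name (>=1.0)".
  row.versionSpec = rest.replace(/[()\s]/g, '');
  const clauses = row.versionSpec ? row.versionSpec.split(',') : [];
  row.parseStatus = clauses.every((c) => CLAUSE_RE.test(c)) ? 'ok' : 'partial';
  return row;
}

// Constructed sample Requires-Dist values.
const SAMPLES = ['PySocks!=1.5.7,>=1.5.6; extra == "socks"', 'charset_normalizer<4,>=2',
  'uvicorn[standard] (>=0.12.0)', 'pkg @ https://example.invalid/pkg.whl', '???'];
for (const s of SAMPLES) console.log(JSON.stringify(parseRequirement(s)));
```

Rows with a status other than ok still carry rawRequirement, so a reviewer can re-check the original string by hand.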