npm & PyPI Package Monitor — Versions & Downloads avatar

npm & PyPI Package Monitor — Versions & Downloads

Pricing

from $2.00 / 1,000 package checks

Go to Apify Store
npm & PyPI Package Monitor — Versions & Downloads

npm & PyPI Package Monitor — Versions & Downloads

Monitor npm & PyPI packages via the open registry APIs — latest version, publish date, monthly downloads, dependencies & maintainers. Monitor mode returns only CHANGES: new versions & download swings. Supply-chain security, devtools & investor signals. Pay per package.

Pricing

from $2.00 / 1,000 package checks

Rating

0.0

(0)

Developer

Diego Moragues

Diego Moragues

Maintained by Community

Actor stats

0

Bookmarked

2

Total users

1

Monthly active users

5 days ago

Last modified

Share

npm & PyPI Package Monitor — Supply-Chain, Version & Download Tracking

The npm & PyPI package monitor is a supply-chain security and dependency monitoring tool that watches your packages straight from the open registry APIs — no auth, no browser, no proxies. For any list of packages you get the latest version, publish date, last-month downloads, dependencies, maintainers and repository. Turn on monitor mode and it becomes a package release monitor: scheduled runs return only what changed — a new version, a new maintainer, or a significant download swing — so you catch a risky update or a compromised package early, and never miss a release you depend on.

Built on 100% public data: registry.npmjs.org, api.npmjs.org, pypi.org and pypistats.org. The highest-value angle is supply-chain monitoring — knowing the moment a dependency ships a new version or changes hands is a security signal, not just a devtools nicety.

Why a package monitor beats a one-off registry lookup

This Package MonitorManual npm view / PyPI page checks
npm and PyPI in one run✅ Mixed list❌ Two tools
Only NEW versions on later runsnew-version diff❌ Re-check by hand
Download-swing detectiondownload-change (≥10%)
New-maintainer / dependency drift✅ Emitted for review
Webhook alerts on change
Supply-chain framing✅ Purpose-builtAd hoc
Pay-per-result

What you get for each package

{
"package": "react",
"registry": "npm",
"latestVersion": "18.3.1",
"publishedAt": "2024-04-26T19:11:00.000Z",
"totalVersions": 2100,
"lastMonthDownloads": 92000000,
"downloadsChangePct": 4.2,
"dependencies": ["loose-envify"],
"maintainers": ["react-bot", "fb"],
"homepage": "https://react.dev/",
"repository": "https://github.com/facebook/react",
"changeType": "baseline",
"previousVersion": null,
"checkedAt": "2026-07-02T12:00:00.000Z"
}

changeType is one of "baseline" (first time seen), "new-version" (a new release since last run), or "download-change" (downloads moved ≥10% on the same version). Outside monitor mode it is null — every package is a full snapshot.

How to use it

  1. Add packages — as npm:name, pypi:name, or a plain name (defaults to npm). Scoped npm packages like npm:@babel/core work too.
  2. (Optional) Include downloads / dependencies — toggle the extra fields you want.
  3. (Optional) Enable monitor mode — and schedule the actor (e.g. daily). Each run outputs only CHANGES per package. Combine with a webhook to push new releases to Slack, email or your CI.

Use cases

Each of these is a real search buyers make:

  • "Monitor dependencies for supply-chain security" — watch the packages your org depends on for unexpected version bumps, new maintainers, or repository changes that can signal a compromised package.
  • "Get an alert when a dependency ships a new version" — schedule monitor mode + a webhook and get pinged the moment a release lands, so silent updates never slip into your build.
  • "Track npm/PyPI download trends for investor research" — monthly download growth is a leading adoption signal for open-source-backed companies and devtools.
  • "Detect dependency drift over time" — compare a package's declared dependencies across releases to catch surprise additions.
  • "Feed live package data to an AI agent" — stream npm and PyPI intelligence to an LLM workflow via the Apify MCP server.

Dependency & supply-chain monitoring

The use with real budget behind it: point the actor at your production dependency list in monitor mode. Every run flags new versions (review before you upgrade), download swings (a sudden collapse or spike can indicate a problem), and gives you the current maintainer list and repository — so a package quietly changing hands or repo doesn't reach your build unnoticed. Wire it to a webhook and your security channel gets the signal first.

Pricing

Pay per package — one charge per package result delivered to the dataset (package-check event). No subscription, no minimum. Packages that fail (typo, unpublished, unreachable) are never pushed and never charged — they are listed in the FAILED record of the run's key-value store. In monitor mode you are only charged for packages that actually changed.

FAQ

Which registries are supported?

Two, both via their official public APIs: npm (registry.npmjs.org + api.npmjs.org for downloads) and PyPI (pypi.org/pypi/{pkg}/json + pypistats.org for downloads). No API key is required for either.

Can I get alerts when a dependency ships a new version?

Yes — that's the core workflow. Enable monitorMode, schedule the actor (e.g. daily), and attach an Apify webhook or integration to the run. Every new-version change is pushed to Slack, email, or your CI the moment it's detected.

Does it detect new maintainers (a potential compromise signal)?

Every result includes the current maintainers list and repository, so you can diff them run over run to catch a package quietly changing hands or repo — one of the clearest early signals of a supply-chain risk. Combine with the new-version flag to review any release that also changed maintainers.

How does monitor mode decide what changed?

On the first run it stores each package's latest version and last-month downloads as a baseline (emitted once). On later runs it compares: a different latest version → new-version; the same version but downloads moved by ≥10% → download-change; otherwise nothing is output (and nothing is charged). State is kept in the named key-value store PACKAGE-MONITOR-STATE.

What happens to packages that don't exist or fail?

They are collected and written to the FAILED key-value record instead of the dataset, so a typo or an unpublished package never costs you anything. The run still succeeds for the rest.

PyPI download stats sometimes look empty — why?

Download counts for PyPI come from pypistats.org, a community service that can be rate-limited or briefly unavailable. When that happens the actor sets lastMonthDownloads to null and keeps going — version, dependency and maintainer data still come through from PyPI itself.

Can I track dependencies and maintainers?

Yes. Maintainers are always included. Dependencies of the latest release are included when you enable Include dependencies (capped by Max dependencies per package).

Can AI agents use this actor?

Yes. The input is a flat list of package identifiers and the output is clean JSON, so it works out of the box with the Apify MCP server and any LLM / agent pipeline that needs live npm and PyPI package intelligence.

Does it scrape or use anything private?

No. It only calls the public, unauthenticated registry and stats endpoints listed above. There is no login, no scraping of HTML pages, and no proxy needed.