npm & PyPI Package Monitor — Versions & Downloads
Pricing
from $2.00 / 1,000 package checks
npm & PyPI Package Monitor — Versions & Downloads
Monitor npm & PyPI packages via the open registry APIs — latest version, publish date, monthly downloads, dependencies & maintainers. Monitor mode returns only CHANGES: new versions & download swings. Supply-chain security, devtools & investor signals. Pay per package.
Pricing
from $2.00 / 1,000 package checks
Rating
0.0
(0)
Developer
Diego Moragues
Maintained by CommunityActor stats
0
Bookmarked
2
Total users
1
Monthly active users
5 days ago
Last modified
Categories
Share
npm & PyPI Package Monitor — Supply-Chain, Version & Download Tracking
The npm & PyPI package monitor is a supply-chain security and dependency monitoring tool that watches your packages straight from the open registry APIs — no auth, no browser, no proxies. For any list of packages you get the latest version, publish date, last-month downloads, dependencies, maintainers and repository. Turn on monitor mode and it becomes a package release monitor: scheduled runs return only what changed — a new version, a new maintainer, or a significant download swing — so you catch a risky update or a compromised package early, and never miss a release you depend on.
Built on 100% public data: registry.npmjs.org, api.npmjs.org, pypi.org and pypistats.org. The highest-value angle is supply-chain monitoring — knowing the moment a dependency ships a new version or changes hands is a security signal, not just a devtools nicety.
Why a package monitor beats a one-off registry lookup
| This Package Monitor | Manual npm view / PyPI page checks | |
|---|---|---|
| npm and PyPI in one run | ✅ Mixed list | ❌ Two tools |
| Only NEW versions on later runs | ✅ new-version diff | ❌ Re-check by hand |
| Download-swing detection | ✅ download-change (≥10%) | ❌ |
| New-maintainer / dependency drift | ✅ Emitted for review | ❌ |
| Webhook alerts on change | ✅ | ❌ |
| Supply-chain framing | ✅ Purpose-built | Ad hoc |
| Pay-per-result | ✅ | — |
What you get for each package
{"package": "react","registry": "npm","latestVersion": "18.3.1","publishedAt": "2024-04-26T19:11:00.000Z","totalVersions": 2100,"lastMonthDownloads": 92000000,"downloadsChangePct": 4.2,"dependencies": ["loose-envify"],"maintainers": ["react-bot", "fb"],"homepage": "https://react.dev/","repository": "https://github.com/facebook/react","changeType": "baseline","previousVersion": null,"checkedAt": "2026-07-02T12:00:00.000Z"}
changeType is one of "baseline" (first time seen), "new-version" (a new release since last run), or "download-change" (downloads moved ≥10% on the same version). Outside monitor mode it is null — every package is a full snapshot.
How to use it
- Add packages — as
npm:name,pypi:name, or a plain name (defaults to npm). Scoped npm packages likenpm:@babel/corework too. - (Optional) Include downloads / dependencies — toggle the extra fields you want.
- (Optional) Enable monitor mode — and schedule the actor (e.g. daily). Each run outputs only CHANGES per package. Combine with a webhook to push new releases to Slack, email or your CI.
Use cases
Each of these is a real search buyers make:
- "Monitor dependencies for supply-chain security" — watch the packages your org depends on for unexpected version bumps, new maintainers, or repository changes that can signal a compromised package.
- "Get an alert when a dependency ships a new version" — schedule monitor mode + a webhook and get pinged the moment a release lands, so silent updates never slip into your build.
- "Track npm/PyPI download trends for investor research" — monthly download growth is a leading adoption signal for open-source-backed companies and devtools.
- "Detect dependency drift over time" — compare a package's declared dependencies across releases to catch surprise additions.
- "Feed live package data to an AI agent" — stream npm and PyPI intelligence to an LLM workflow via the Apify MCP server.
Dependency & supply-chain monitoring
The use with real budget behind it: point the actor at your production dependency list in monitor mode. Every run flags new versions (review before you upgrade), download swings (a sudden collapse or spike can indicate a problem), and gives you the current maintainer list and repository — so a package quietly changing hands or repo doesn't reach your build unnoticed. Wire it to a webhook and your security channel gets the signal first.
Pricing
Pay per package — one charge per package result delivered to the dataset (package-check event). No subscription, no minimum. Packages that fail (typo, unpublished, unreachable) are never pushed and never charged — they are listed in the FAILED record of the run's key-value store. In monitor mode you are only charged for packages that actually changed.
FAQ
Which registries are supported?
Two, both via their official public APIs: npm (registry.npmjs.org + api.npmjs.org for downloads) and PyPI (pypi.org/pypi/{pkg}/json + pypistats.org for downloads). No API key is required for either.
Can I get alerts when a dependency ships a new version?
Yes — that's the core workflow. Enable monitorMode, schedule the actor (e.g. daily), and attach an Apify webhook or integration to the run. Every new-version change is pushed to Slack, email, or your CI the moment it's detected.
Does it detect new maintainers (a potential compromise signal)?
Every result includes the current maintainers list and repository, so you can diff them run over run to catch a package quietly changing hands or repo — one of the clearest early signals of a supply-chain risk. Combine with the new-version flag to review any release that also changed maintainers.
How does monitor mode decide what changed?
On the first run it stores each package's latest version and last-month downloads as a baseline (emitted once). On later runs it compares: a different latest version → new-version; the same version but downloads moved by ≥10% → download-change; otherwise nothing is output (and nothing is charged). State is kept in the named key-value store PACKAGE-MONITOR-STATE.
What happens to packages that don't exist or fail?
They are collected and written to the FAILED key-value record instead of the dataset, so a typo or an unpublished package never costs you anything. The run still succeeds for the rest.
PyPI download stats sometimes look empty — why?
Download counts for PyPI come from pypistats.org, a community service that can be rate-limited or briefly unavailable. When that happens the actor sets lastMonthDownloads to null and keeps going — version, dependency and maintainer data still come through from PyPI itself.
Can I track dependencies and maintainers?
Yes. Maintainers are always included. Dependencies of the latest release are included when you enable Include dependencies (capped by Max dependencies per package).
Can AI agents use this actor?
Yes. The input is a flat list of package identifiers and the output is clean JSON, so it works out of the box with the Apify MCP server and any LLM / agent pipeline that needs live npm and PyPI package intelligence.
Does it scrape or use anything private?
No. It only calls the public, unauthenticated registry and stats endpoints listed above. There is no login, no scraping of HTML pages, and no proxy needed.