https://2s.io/api/security/package
Security and provenance for an open-source package, composed live from three authoritative sources in one call. Pass ecosystem (npm, pypi, go, maven, cargo, nuget) + name (+ optional version; defaults to latest). Returns: known vulnerabilities from OSV (osv.dev — aggregates GitHub Security Advisories, PyPA, RustSec, Go vuln DB, etc.) each with its id, CVE aliases, summary, severity, and references; the resolved license and deprecation status (deps.dev); and the source repo's OpenSSF Scorecard health score (overall + per-check) plus stars/forks/open-issues. All live — newly-disclosed advisories appear within hours. Distinct from registry.npm-lookup / pypi-lookup (metadata only): this answers "is this dependency safe to add, what license does it carry, and how well-maintained is it."
Start with a quote-only recipe. Payment signing stays in your project.
const response = await fetch("https://2s.io/api/security/package", {
method: "GET",
});
console.log(response.status);
console.log(Object.fromEntries(response.headers));
console.log((await response.text()).slice(0, 1000));
// A valid 402 is a quote, not a completed paid call.This sends no payment. Inspect the 402 response before adding a wallet-enabled client.
- Live 402 quote confirmed
GET returned a protocol-valid 402 quote (402). No payment was made.
- Origin reachable
HEAD https://2s.io/ returned 200.
- Observed in cdp-bazaar
The registry record was observed and retained with provenance.
- Observed in 402-index
Discovered through bazaar.
- Registry record checked
Registry health: healthy.
EVIDENCE
Each record has an exact-route quote outcome. Unresolved templates and potentially mutating methods are labeled instead of being invoked without provider-specific test input. A quote is still separate from a settled paid call.