Security and provenance for an open-source package, composed live from three authoritative sources in one call. Pass ecosystem (npm, pypi, go, maven, cargo, nuget) + name (+ optional version; defaults to latest). Returns: known vulnerabilities from OSV (osv.dev — aggregates GitHub Security Advisories, PyPA, RustSec, Go vuln DB, etc.) each with its id, CVE aliases, summary, severity, and references; the resolved license and deprecation status (deps.dev); and the source repo's OpenSSF Scorecard health score (overall + per-check) plus stars/forks/open-issues. All live — newly-disclosed advisories appear within hours. Distinct from registry.npm-lookup / pypi-lookup (metadata only): this answers "is this dependency safe to add, what license does it carry, and how well-maintained is it."
/api/security/packagePAYMENT-SIGNATURE.The package API is a pay-per-call security endpoint built for AI agents and autonomous software. Security and provenance for an open-source package, composed live from three authoritative sources in one call.
There is no signup and no API key. An agent (or any HTTP client) hits the endpoint, receives an x402 "402 Payment Required" challenge, signs a sub-cent USDC payment on Base or Solana, and retries — the data comes back on the paid request. That makes it a drop-in package data source for an agent tool-use loop, an MCP host, or a backend that needs security data on demand without onboarding to yet another vendor portal.
| Name | Type | Description |
|---|---|---|
ecosystemrequired | string | Package ecosystem: npm, pypi, go, maven, cargo, or nuget. one of: npm | pypi | go | maven | cargo | nuget |
namerequired | string | Package name (e.g. lodash, requests, github.com/gin-gonic/gin). min 1 chars · max 214 chars |
version | string | Specific version (defaults to the latest/default version). min 1 chars · max 120 chars |
# 1. Probe with no auth → 402 envelope with PaymentRequirements curl -sS 'https://2s.io/api/security/package?ecosystem=npm&name=example&version=example' # 2. Sign + retry with PAYMENT-SIGNATURE: curl -sS 'https://2s.io/api/security/package?ecosystem=npm&name=example&version=example' \ -H 'PAYMENT-SIGNATURE: <base64-json-payload>' # Or use the canonical runner (handles probe → sign → retry): # EVM_PRIVATE_KEY=0x... node --env-file=.env.local \ # --experimental-strip-types scripts/x402-pay.ts \ # 'https://2s.io/api/security/package?ecosystem=npm&name=example&version=example'
import { TwoS } from '@2sio/sdk'
const client = new TwoS({
privateKey: process.env.EVM_PRIVATE_KEY as `0x${string}`,
})
const result = await client.security.package({
"ecosystem": "npm",
"name": "example",
"version": "example"
})
console.log('endpoint:', result.endpoint)
console.log('cost:', result.costUsd, 'USDC')
console.log('tx:', result.settlement?.txHash)
console.log('data:', result.data)import os
from twosio import TwoS
client = TwoS(private_key=os.environ["EVM_PRIVATE_KEY"])
result = client.security.package(ecosystem="npm", name="example", version="example")
print("endpoint:", result.endpoint)
print("cost:", result.cost_usd, "USDC")
print("tx:", (result.settlement or {}).get("tx_hash"))
print("data:", result.data)// 1. Add @2sio/mcp to your MCP host config (Claude Desktop example below).
// EVM_PRIVATE_KEY funds x402 payments per call.
// claude_desktop_config.json
{
"mcpServers": {
"2sio": {
"command": "npx",
"args": ["-y", "@2sio/mcp"],
"env": { "EVM_PRIVATE_KEY": "0x..." }
}
}
}
// 2. Once the server is running, agents call this tool via standard MCP:
{
"jsonrpc": "2.0",
"id": 1,
"method": "tools/call",
"params": {
"name": "security.package",
"arguments": {
"ecosystem": "npm",
"name": "example",
"version": "example"
}
}
}| Field | Type | Description |
|---|---|---|
ok | boolean | one of: true |
items | array | |
total | integer | Total matching rows upstream; null when unknown. |
source | object | |
meta | object |
{
"ok": true,
"items": [
{
"package": {
"ecosystem": "example",
"name": "example",
"version": "example"
},
"vulnerabilityCount": 1,
"vulnerabilities": [
{
"id": "example",
"aliases": [
"example"
],
"summary": "example",
"severity": "example",
"published": "example",
"modified": "example",
"references": [
"example"
]
}
],
"license": "example",
"deprecated": false,
"deprecatedReason": "example",
"publishedAt": "example",
"sourceRepo": "example",
"scorecard": {
"overallScore": 1,
"date": "example",
"checks": [
{
"name": "example",
"score": 1
}
]
},
"repo": {
"stars": 1,
"forks": 1,
"openIssues": 1
},
"errors": {}
}
],
"total": 1,
"source": {
"provider": "example",
"url": "example",
"license": "example"
},
"meta": {
"sources": [
"example"
]
}
}