jfrog_get_package_info
Retrieve public details about a software package, including its description, latest version, license, repository links, homepage, and malicious status. Supported types: PyPI, npm, Maven, Golang, NuGet, Huggingface, RubyGems.
Instructions
Useful for when you need to get publicly available information about a software package. it will provide you with the following information on it, if available in public sources: a short description of the package, its latest published version, the software license this software is distributed under, along with urls of its version control system, its homepage and whether it is known to be a malicious package (in any version).
Input Schema
TableJSON Schema
| Name | Required | Description | Default |
|---|---|---|---|
| name | Yes | The name of the package, as it appears in the package repository. | |
| type | Yes | The type of package. | |
| version | No | The version of the package, as it appears in the package repository. Default value is 'latest'. | latest |
Implementation Reference
- tools/catalog.ts:14-135 (handler)The core handler function `getPackageInfo` that constructs a GraphQL query to fetch package details from JFrog Catalog API, processes the response including license and security info, and returns the formatted package information.export async function getPackageInfo(options: { type: string; name: string; version?: string; }) { const packageVersion = !options.version || options.version.trim().toLowerCase() === "latest" ? "latest" : options.version; const isLatestVersion = packageVersion === "latest"; const query = `query GetCatalogPackageEntity( $type: String!, $name: String! ${!isLatestVersion ? ", $version: String!" : ""} ) { package(type: $type, name: $name) { name description vcsUrl homepage latestVersion { version published licenseInfo { expression } } ${isLatestVersion ? ` licenseInfo { expression } ` : ` versions(first: 1, where: { version: $version }) { edges { node { version published licenseInfo { expression } } } } `} securityInfo { maliciousInfo { knownToBeMalicious } } } }`; const variables = { type: options.type, name: options.name, ...((!isLatestVersion && options.version) ? { version: options.version } : {}) }; function processResponse(response: unknown) { const validatedResponse = JFrogCatalogGraphQLResponseSchema.parse(response); if (!validatedResponse.data?.package) { throw new Error("Package information not found in Catalog."); } const packageData = validatedResponse.data.package; // Process license information for latest version if (isLatestVersion && packageData.licenseInfo?.expression) { const topLevelLicenseExpression = packageData.licenseInfo.expression; const latestVersionLicenseExpression = packageData.latestVersion?.licenseInfo?.expression; if (latestVersionLicenseExpression && latestVersionLicenseExpression !== topLevelLicenseExpression) { console.warn( `Package.license value is different from Package.latestVersion.license value. ` + `Package.license: ${topLevelLicenseExpression}, ` + `Package.latestVersion.license: ${latestVersionLicenseExpression}. ` + `Using Package.license as the source of truth.` ); } packageData.latestVersion = packageData.latestVersion || { version: "", published: "", licenseInfo: { expression: topLevelLicenseExpression } }; delete packageData.licenseInfo; } // Process specific version information if (!isLatestVersion && packageData.versions?.edges?.[0]?.node) { packageData.version = packageData.versions.edges[0].node; delete packageData.versions; } // Handle potentially null securityInfo more gracefully const finalResult = { ...packageData, isMalicious: packageData.securityInfo && typeof packageData.securityInfo === "object" && packageData.securityInfo.maliciousInfo && typeof packageData.securityInfo.maliciousInfo === "object" && "knownToBeMalicious" in packageData.securityInfo.maliciousInfo ? Boolean(packageData.securityInfo.maliciousInfo.knownToBeMalicious) : false }; delete finalResult.securityInfo; return finalResult; } const processedData = await jfrogRequest( "xray/catalog/graphql", { method: "POST", body: JSON.stringify({ query, variables }) }, processResponse ); return processedData; }
- schemas/catalog.ts:14-21 (schema)Zod schema definitions for the tool input: base package schema and extended version schema used for input validation.export const JFrogCatalogPackageSchema = z.object({ type: z.enum(JFrogCatalogSupportedPackageTypes).describe("The type of package."), name: z.string().describe("The name of the package, as it appears in the package repository.") }); export const JFrogCatalogPackageVersionSchema = JFrogCatalogPackageSchema.extend({ version: z.string().default("latest").describe("The version of the package, as it appears in the package repository. Default value is 'latest'.") });
- tools/catalog.ts:348-361 (registration)Tool registration object defining name, description, input schema, and handler wrapper that parses args and calls getPackageInfo.const getCatalogPackageEntityTool = { name: "jfrog_get_package_info", description: "Useful for when you need to get publicly available information about a software package. " + "it will provide you with the following information on it, if available in public sources: " + "a short description of the package, its latest published version, the software license " + "this software is distributed under, along with urls of its version control system, " + "its homepage and whether it is known to be a malicious package (in any version).", inputSchema: zodToJsonSchema(JFrogCatalogPackageVersionSchema), //outputSchema: zodToJsonSchema(JFrogCatalogPackageVersionSchema), handler: async (args: any) => { const parsedArgs = JFrogCatalogPackageVersionSchema.parse(args); return await getPackageInfo(parsedArgs); } };
- tools/index.ts:13-23 (registration)Main tools array registration where CatalogTools (including jfrog_get_package_info) is spread into the global tools list.export const tools =[ ...RepositoryTools, ...BuildsTools, ...RuntimeTools, ...AccessTools, ...AQLTools, ...CatalogTools, ...CurationTools, ...PermissionsTools, ...ArtifactSecurityTools, ];