Health & security posture of a software package (npm / PyPI / Go / Maven / Cargo / NuGet /
RubyGems) from deps.dev (Google Open Source Insights, keyless): latest version, license, count of
known security advisories, the OpenSSF Scorecard (0-10 security-posture score for the source repo +
its weakest checks) and popularity (stars/forks). The "should I depend on this?" check — pairs with
check_vulnerability (is a version vulnerable) and software_version (is the runtime current).
Args: package (e.g. "lodash", "requests"), ecosystem (npm|pypi|go|maven|cargo|nuget|rubygems),
version (optional — defaults to the latest).
Every value is returned in an Ed25519-signed, provenance-stamped envelope (source and observation time) you can verify offline against /.well-known/keys, no account required.
Connector
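The offline check of a signed, provenance-stamped envelope described above, as an added example that is not the service's own code. The `Envelope` layout, the JSON field names, the key id `k1` and the 24-hour freshness window are assumptions, since the page does not specify the wire format. The key set stands in for keys pinned earlier from /.well-known/keys.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
	"time"
)

// Envelope is an ASSUMED layout; the page does not specify the real one.
type Envelope struct {
	KeyID     string // selects one of the published keys (assumed field)
	Payload   []byte // the exact bytes that were signed (assumed: JSON)
	Signature []byte
}

// Stamp holds the provenance fields the page names; JSON names are assumed.
type Stamp struct {
	Source     string    `json:"source"`
	ObservedAt time.Time `json:"observed_at"`
}

// Verify checks the signature against pinned keys before parsing anything.
func Verify(env Envelope, keys map[string]ed25519.PublicKey, now time.Time, maxAge time.Duration) (*Stamp, error) {
	pub := keys[env.KeyID] // nil when the key id is unknown
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, env.Payload, env.Signature) {
		return nil, fmt.Errorf("signature not valid under pinned key %q", env.KeyID)
	}
	var s Stamp
	if err := json.Unmarshal(env.Payload, &s); err != nil {
		return nil, fmt.Errorf("signed payload is not valid JSON: %w", err)
	}
	// Reject future-dated observations and ones older than maxAge.
	if age := now.Sub(s.ObservedAt); age < 0 || age > maxAge {
		return nil, fmt.Errorf("observation age %v outside 0..%v", age, maxAge)
	}
	return &s, nil
}

// Sample returns a CONSTRUCTED envelope signed with a throwaway key.
func Sample() (Envelope, map[string]ed25519.PublicKey, time.Time) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	payload := []byte(`{"source":"deps.dev","observed_at":"2024-01-01T12:00:00Z","advisories":0}`)
	env := Envelope{KeyID: "k1", Payload: payload, Signature: ed25519.Sign(priv, payload)}
	return env, map[string]ed25519.PublicKey{"k1": pub}, time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
}
func main() {
	env, keys, t0 := Sample()
	fmt.Println(Verify(env, keys, t0.Add(time.Hour), 24*time.Hour))
}
```

The signature covers the payload bytes exactly as received, so verify first and parse second; re-serializing the JSON before checking would break a valid signature.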