One API Call to Know If Your Dependency Is Safe

A coding agent just suggested adding a package to your project. You've never heard of it. How do you decide whether to trust it? Most developers either accept the suggestion blindly or spend fifteen minutes checking GitHub stars, last commit date, the npm advisory database, and whatever license file happens to exist. Agents can't do either — they need a structured signal, fast. The data exists. It's just scattered. The information you need to evaluate a dependency already exists across public APIs. OSV.dev maintains a comprehensive vulnerability database covering CVEs and GitHub Security Advisories across npm, PyPI, Go, Rust, and more. Google's deps.dev aggregates dependency graphs, license metadata, and OpenSSF Scorecard results — the 18-check security health assessment that most developers have never heard of despite it covering over a million projects. The npm and PyPI registries themselves tell you when a package was last published, whether it's deprecated, and how many maintainers