Package & Dependency Trust API
base /enrich-package/v1 (4 endpoints)
POST /enrich-package/v1/package_trust (3 credits)
ecosystem + package → registry metadata + downloads + maintainers + license + resolved repository health + vulnerabilities + partial trust score (with per-sub-score inputs)
| Parameter | Required | Allowed / range | Description |
|---|---|---|---|
| ecosystem | required | npm · pypi · maven · rubygems · crates · go | Package ecosystem. npm/pypi get full registry metadata + downloads; maven/rubygems/crates/go get vulnerabilities + declared-repository health (the wider OSV ecosystem set). |
| package | required | — | Package name as published in its registry (npm 'lodash', PyPI 'requests', Maven 'group:artifact', Go import path). Scoped npm names like '@scope/pkg' are supported. |
| version | optional | — | Exact installed version to assess for vulnerabilities. Omit to assess the latest published version + ALL known vulns of the package. |
| mode | optional (default rich) | basic · rich | basic = registry metadata + license + repo health + score; rich (default) adds the full vulnerability scan, release cadence, contributor bus-factor and a stackoverflow community signal. |
POST /enrich-package/v1/repo_trust (3 credits)
owner/repo → repository health + release cadence + bus-factor signal + repo-anchored trust sub-scores (popularity/maintenance), independent of any registry
| Parameter | Required | Allowed / range | Description |
|---|---|---|---|
| owner | required | — | GitHub repository owner / org (e.g. 'facebook'). |
| repo | required | — | GitHub repository name (e.g. 'react'). |
POST /enrich-package/v1/lockfile_scan (5 credits)
manifest/lockfile text → dependency list + each dep's vuln/risk summary via one batched vuln scan (BOUNDED: direct + lockfile-pinned deps, max 100; truncated:true when capped). Accepts package.json/lock, requirements.txt, go.sum/mod, Cargo.lock, Gemfile.lock
| Parameter | Required | Allowed / range | Description |
|---|---|---|---|
| content | required | — | Raw manifest/lockfile text: package.json, package-lock.json, requirements.txt, go.sum/go.mod, Cargo.lock, or Gemfile.lock. Direct (+ lockfile-pinned) deps are scanned; bounded to 100 deps. |
| filename | optional | — | Optional filename hint to disambiguate the manifest format (e.g. 'package-lock.json', 'go.sum'). Auto-detected if omitted. |
| ecosystem | optional | npm · pypi · maven · rubygems · crates · go | Optional ecosystem hint when the manifest format is ambiguous. |
POST /enrich-package/v1/batch (2 credits)
trust-score up to 10 packages in one call (basic depth, per-item ok/error)
| Parameter | Required | Allowed / range | Description |
|---|---|---|---|
| items | required | — | Up to 10 {ecosystem, package, version?} objects. Each is trust-scored like package_trust (basic depth); per-item ok/error. |
Example request · package_trust

```bash
curl -X POST https://api.reefapi.com/enrich-package/v1/package_trust \
  -H "x-api-key: $REEF_KEY" \
  -H "content-type: application/json" \
  -d '{"ecosystem":"npm","package":"lodash","version":"4.17.15","mode":"rich"}'
```

Response shape

```json
{
  "ok": true,
  "data": { /* the result */ },
  "meta": {
    "latency_ms": 240,
    "record_count": 12,
    "completeness_pct": 100
  },
  "error": null
}
```
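The following client sketch is an added example, not the vendor's own SDK. It assumes only what the reference above documents: JSON POST bodies with an `x-api-key` header, the `/v1` paths and credit costs, the 10-item `/batch` limit, the 100-dep `/lockfile_scan` cap signalled by `truncated: true`, and the `{"ok", "data", "meta", "error"}` envelope. Two details of the `data` layout are assumptions and marked as such in the code: that `/batch` returns the per-item results as a list in request order, and that `truncated` sits inside `data` for `/lockfile_scan`. The HTTP transport is injectable, so the batching and envelope handling can run offline against the constructed fake at the bottom.

```python
"""Client sketch for the Package & Dependency Trust API (added example)."""
import json
import urllib.request
from typing import Callable, Dict, List, Optional

BASE_URL = "https://api.reefapi.com/enrich-package/v1"  # from the reference
CREDITS = {"package_trust": 3, "repo_trust": 3, "lockfile_scan": 5, "batch": 2}
BATCH_LIMIT = 10         # /batch takes at most 10 items per call
LOCKFILE_DEP_CAP = 100   # /lockfile_scan scans at most 100 deps

Transport = Callable[[str, dict, str], dict]


class TrustApiError(RuntimeError):
    """Raised when the envelope reports ok=false."""


def http_transport(url: str, body: dict, api_key: str) -> dict:
    """Real transport: POST JSON and decode the JSON envelope (needs network)."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        headers={"x-api-key": api_key, "content-type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def call(endpoint: str, body: dict, api_key: str,
         transport: Transport = http_transport) -> dict:
    """POST to one endpoint; return the envelope or raise if ok is false."""
    env = transport(f"{BASE_URL}/{endpoint}", body, api_key)
    if not env.get("ok"):
        raise TrustApiError(str(env.get("error")))
    return env


def batch_trust(items: List[dict], api_key: str,
                transport: Transport = http_transport) -> dict:
    """Trust-score any number of {ecosystem, package, version?} objects.

    Splits the list into /batch calls of at most BATCH_LIMIT items; the endpoint
    reports per-item ok/error, so one unknown package does not abort the rest.
    Assumption: `data` is the per-item result list, in request order.
    """
    results: List[dict] = []
    calls = 0
    for start in range(0, len(items), BATCH_LIMIT):
        env = call("batch", {"items": items[start:start + BATCH_LIMIT]},
                   api_key, transport)
        results.extend(env["data"])
        calls += 1
    return {"results": results, "calls": calls,
            "credits": calls * CREDITS["batch"]}


def scan_lockfile(content: str, api_key: str, filename: Optional[str] = None,
                  transport: Transport = http_transport) -> dict:
    """Scan one manifest/lockfile and surface the 100-dep cap explicitly.

    A capped scan is not a clean bill of health for the whole file: deps past
    the cap were never checked. Assumption: `truncated` lives inside `data`.
    """
    body: Dict[str, str] = {"content": content}
    if filename:
        body["filename"] = filename  # disambiguates e.g. package-lock.json vs go.sum
    data = call("lockfile_scan", body, api_key, transport)["data"]
    data["complete"] = not data.get("truncated", False)
    return data


def fake_transport(log: list) -> Transport:
    """Constructed offline stand-in that mimics the documented envelope."""
    def transport(url: str, body: dict, api_key: str) -> dict:
        log.append((url.rsplit("/", 1)[1], body))
        meta = {"latency_ms": 1, "record_count": 0, "completeness_pct": 100}
        if url.endswith("/batch"):
            data = [{"ok": True, "package": it["package"], "score": 50}
                    for it in body["items"]]
        elif url.endswith("/lockfile_scan"):
            data = {"dependencies": [], "truncated": True}  # simulate the cap
        else:
            return {"ok": False, "data": None, "meta": meta,
                    "error": "unsupported in fake"}
        return {"ok": True, "data": data, "meta": meta, "error": None}
    return transport


if __name__ == "__main__":
    log: list = []
    fake = fake_transport(log)
    pkgs = [{"ecosystem": "npm", "package": f"pkg{i}"} for i in range(23)]  # constructed
    print(batch_trust(pkgs, "dummy-key", fake)["calls"])  # 3 calls, 6 credits
    print(scan_lockfile("requests==2.0.0\n", "dummy-key", "requirements.txt",
                        fake)["complete"])  # False: the scan was capped
```

Swap `fake_transport` for `http_transport` (and a real key) to hit the service; the envelope handling is the same either way. The point of `scan_lockfile` returning an explicit `complete` flag is that a manifest with more than 100 direct or pinned dependencies will come back with `truncated: true`, and a CI gate that only looks at the returned vulnerability list would silently pass the unscanned tail.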