- npm registry
- OSV
Supply chain attacks love unchecked agent installs.
Blind installs let typosquats and compromised packages in. One GET checks the npm registry and OSV first and surfaces a safer, pinned version before your agent runs install.
Agent install paths with and without SafeVersion
- Without SafeVersion: Agent -> npm, installing a fictional package at @latest. Nothing sits between the agent and npm. Result: malware or CVE risk.
- With SafeVersion: Agent -> SafeVersion (latestSafe 1.4.2) -> npm, pinned install. SafeVersion suggests a pinned version before install. Result: safer, OSV-aware pick.
Features
One package per request at GET /api/npm/{name}: registry-backed fields and safer-version suggestions as JSON, ready for agents, CLIs, or review tooling.
Safer version suggestions
GET /api/npm/{name} returns JSON with suggested picks such as latestSafe, using public npm metadata, a minimum publish-age rule, and OSV-informed filtering among versions.
Upgrade from an exact version
Pass the semver you have installed as current to get smallestSafeUpgrade (only versions newer than the one you passed are considered). When the package lists a GitHub repo, responses can include compare links between releases.
Optional release notes
Enable releaseNotes to include GitHub release snippets alongside version data. Expect a slower response; some versions may not have matching release text on GitHub.
Agent-actionable JSON
Version picks include warnings and security.dataStatus so tools know when OSV data was available. Errors are JSON with HTTP status codes, not HTML to scrape.
No API key required
Start integrating without signup or secrets. The API is rate-limited per IP with burst protection so automated agents and scripts get predictable, fair access. Runners that share one egress IP share that budget, so scripts should back off on a rate-limit error rather than retry immediately.
How it works
Three steps from a package name to a structured answer: one package per call, no separate dashboard product.
- 01
Point at a package
Call GET with the package name (scoped or unscoped), plus optional query params current (exact semver) and releaseNotes.
- 02
One JSON response
The API combines registry metadata, OSV-informed candidate filtering, optional release-note snippets, policy fields, and links into a single document.
- 03
Use it your way
Consume the JSON from scripts, agents, or your own tools. SafeVersion does not run your CI, open PRs, or enforce org policies. That stays on your side.
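A worked client for the three steps above (and for the Features section), added here as an example and not code from the SafeVersion project. It builds the GET URL with the current and releaseNotes query params named on this page, fetches and parses the JSON (error bodies included, since they are JSON too), picks smallestSafeUpgrade when a current version was supplied and latestSafe otherwise, reads warnings and security.dataStatus, and turns the pick into an exact-version npm install. Everything beyond the field names on this page is an assumption: the base URL https://safeversion.example, percent-encoding of scoped names in the path, releaseNotes=true as the enable value, version picks as plain strings (an object with a version field is also tolerated), "available" as the dataStatus value meaning OSV data was used, HTTP 429 for the rate limit, and the constructed sample response.

```javascript
// Added example client for SafeVersion's GET /api/npm/{name} endpoint.
// Not code from the SafeVersion project. Assumptions (also in the lead-in):
// the base URL, percent-encoding of scoped names, releaseNotes=true, picks as
// version strings (or objects with .version), dataStatus "available" meaning
// OSV data was used, and HTTP 429 for the rate limit. The sample response at
// the bottom is constructed for this example.

// Build the request URL. A scoped name contains a slash, so the whole name is
// percent-encoded (assumed to be what the API expects) to stay one path segment.
function buildUrl(baseUrl, name, { current, releaseNotes } = {}) {
  const url = new URL(`/api/npm/${encodeURIComponent(name)}`, baseUrl);
  if (current !== undefined) url.searchParams.set("current", current);
  if (releaseNotes) url.searchParams.set("releaseNotes", "true");
  return url.toString();
}

// Fetch one package document. The page says errors are JSON with HTTP status
// codes, so the body is parsed before deciding. 429 (assumed) and 5xx are
// flagged retryable so a caller can back off instead of hammering the per-IP limit.
async function fetchSafeVersion(baseUrl, name, opts = {}) {
  const res = await fetch(buildUrl(baseUrl, name, opts));
  const body = await res.json();
  if (!res.ok) {
    const err = new Error(`SafeVersion ${res.status} for ${name}: ${JSON.stringify(body)}`);
    err.status = res.status;
    err.retryable = res.status === 429 || res.status >= 500;
    throw err;
  }
  return body;
}

// A pick may be a bare version string or an object carrying .version (assumed).
function versionOf(pick) {
  if (typeof pick === "string") return pick;
  if (pick && typeof pick.version === "string") return pick.version;
  return null;
}

// Turn a response document into an install decision. Pure, so it is testable
// offline. With `current` set, smallestSafeUpgrade is used (the API only
// considers versions newer than `current`); otherwise latestSafe.
function choosePin(doc, { current } = {}) {
  const warnings = Array.isArray(doc.warnings) ? doc.warnings : [];
  const osvDataAvailable = !!doc.security && doc.security.dataStatus === "available";
  const raw = current !== undefined ? doc.smallestSafeUpgrade : doc.latestSafe;
  const version = versionOf(raw);
  if (version === null) {
    // No candidate: hold rather than fall back to @latest, which is exactly
    // the blind install the service exists to prevent.
    return {
      action: "hold",
      reason: current !== undefined
        ? `no safe version newer than ${current}`
        : "no safe version suggested",
      osvDataAvailable,
      warnings,
    };
  }
  return { action: "install", name: doc.name, version, osvDataAvailable, warnings };
}

// Exact-version install command for the chosen pick. npm's --save-exact writes
// "1.3.1" rather than "^1.3.1" to package.json, so the pin survives.
function installCommand(pick) {
  if (pick.action !== "install") return null;
  return `npm install --save-exact ${pick.name}@${pick.version}`;
}

// Constructed sample response (not captured from the real service).
const SAMPLE_RESPONSE = {
  name: "example-widget",
  latestSafe: "1.4.2",
  smallestSafeUpgrade: "1.3.1",
  warnings: ["1.5.0 skipped: younger than the minimum publish age"],
  security: { dataStatus: "available" },
};

// Offline demo. A live call would be:
//   const doc = await fetchSafeVersion("https://safeversion.example", "example-widget", { current: "1.2.0" });
const upgrade = choosePin(SAMPLE_RESPONSE, { current: "1.2.0" });
console.log(installCommand(upgrade)); // npm install --save-exact example-widget@1.3.1
console.log(choosePin(SAMPLE_RESPONSE).version); // 1.4.2
const noUpgrade = choosePin({ ...SAMPLE_RESPONSE, smallestSafeUpgrade: null }, { current: "1.4.2" });
console.log(noUpgrade.action, "-", noUpgrade.reason); // hold - no safe version newer than 1.4.2
```

The decision logic is kept separate from the network call so an agent or CI wrapper can unit-test its policy (hold when there is no candidate, surface warnings, distrust a pick when OSV data was unavailable) without touching the service, which matters under a per-IP rate limit.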
Agent-first by design
An MCP integration and a Cursor rule for agents; a GET per package for scripts. Both return the same JSON: safe versions, policy and security fields, and optional release notes. The docs cover copy-paste setup and the full API reference.