Google’s Deps.dev API Detects Open-Source Dependencies in Software Supply Chain


Google has launched an API for its Open Source Insights project, deps.dev, aimed at helping to secure software supply chains. The API exposes the project's package metadata to programmatic queries and is intended to be integrated into development tools and workflows, so that users can recognise dependencies, including transitive dependencies, that could pose a risk. The metadata currently covers Maven, npm, PyPI, Go modules and the Rust package manager Cargo; NuGet for .NET packages is to be added soon. deps.dev also offers hash queries, which can identify the package an artifact belongs to when its metadata is missing or incomplete.
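Two of the uses the article mentions, a hash query for an artifact whose metadata is missing and a walk over a package's dependency graph to separate direct from transitive dependencies, as an added example. This is not code from the article or from Google's deps.dev project. It assumes the v3 REST surface of the API: the base URL `https://api.deps.dev/v3`, a `/query` endpoint taking `hash.type` and a base64-encoded `hash.value`, and a `:dependencies` endpoint whose response carries `nodes` (each with a `versionKey`, a `relation` of `SELF`, `DIRECT` or `INDIRECT`, and an `errors` list) and `edges` (`fromNode`/`toNode` indices). Those details are assumptions, not taken from the page; the dependency graph below is constructed so the script runs offline.

```python
"""Helpers for working with deps.dev-style hash queries and dependency graphs.

Added example, not code from the article or from the deps.dev project.
Assumed (not stated on the page): the v3 base URL, the /query?hash.type=...&hash.value=...
endpoint with a base64-encoded digest, and the nodes/edges shape of the :dependencies
response. No network calls are made; SAMPLE_GRAPH is constructed data.
"""
import base64
import hashlib
from collections import deque
from urllib.parse import quote, urlencode

BASE = "https://api.deps.dev/v3"  # assumed base URL


def sha256_b64(artifact: bytes) -> str:
    """SHA-256 of the artifact, base64-encoded as the hash query is assumed to expect."""
    return base64.b64encode(hashlib.sha256(artifact).digest()).decode()


def hash_query_url(artifact: bytes) -> str:
    """Build the URL that asks which package version an artifact's bytes belong to."""
    params = {"hash.type": "SHA256", "hash.value": sha256_b64(artifact)}
    return f"{BASE}/query?{urlencode(params)}"


def dependencies_url(system: str, name: str, version: str) -> str:
    """Build the URL for the resolved dependency graph of one package version.

    Scoped npm names contain '@' and '/', so the name is percent-encoded in full.
    """
    return (f"{BASE}/systems/{system.lower()}/packages/{quote(name, safe='')}"
            f"/versions/{quote(version, safe='')}:dependencies")


def transitive_report(graph: dict) -> dict:
    """Walk the nodes/edges graph from the SELF node and report every dependency.

    Returns {name@version: {relation, depth, path, errors}} so a caller can see
    not only that a package is pulled in transitively, but through which chain,
    and which nodes the resolver could not fully resolve.
    """
    nodes = graph["nodes"]
    adjacency: dict = {}
    for edge in graph["edges"]:
        adjacency.setdefault(edge["fromNode"], []).append(edge["toNode"])

    root = next(i for i, n in enumerate(nodes) if n.get("relation") == "SELF")

    def label(i: int) -> str:
        key = nodes[i]["versionKey"]
        return f"{key['name']}@{key['version']}"

    # Breadth-first search records the shortest path to each dependency.
    paths = {root: [label(root)]}
    queue = deque([root])
    while queue:
        current = queue.popleft()
        for nxt in adjacency.get(current, []):
            if nxt not in paths:
                paths[nxt] = paths[current] + [label(nxt)]
                queue.append(nxt)

    report = {}
    for i, path in paths.items():
        if i == root:
            continue
        report[label(i)] = {
            "relation": nodes[i].get("relation"),
            "depth": len(path) - 1,
            "path": " -> ".join(path),
            "errors": list(nodes[i].get("errors", [])),
        }
    return report


# Constructed sample graph mimicking the assumed :dependencies response shape.
SAMPLE_GRAPH = {
    "nodes": [
        {"versionKey": {"system": "NPM", "name": "example-app", "version": "1.0.0"},
         "relation": "SELF", "errors": []},
        {"versionKey": {"system": "NPM", "name": "example-lib", "version": "1.3.0"},
         "relation": "DIRECT", "errors": []},
        {"versionKey": {"system": "NPM", "name": "util-helper", "version": "2.1.0"},
         "relation": "DIRECT", "errors": []},
        {"versionKey": {"system": "NPM", "name": "deep-dep", "version": "0.0.1"},
         "relation": "INDIRECT", "errors": ["unresolvable"]},
    ],
    "edges": [
        {"fromNode": 0, "toNode": 1, "requirement": "^1.3.0"},
        {"fromNode": 0, "toNode": 2, "requirement": "^2.0.0"},
        {"fromNode": 2, "toNode": 3, "requirement": "*"},
    ],
}

if __name__ == "__main__":
    print(hash_query_url(b"hello"))  # constructed artifact bytes
    print(dependencies_url("NPM", "@scope/pkg", "1.0.0"))
    for dep, info in transitive_report(SAMPLE_GRAPH).items():
        print(f"{dep:22} {info['relation']:9} depth={info['depth']} via {info['path']} errors={info['errors']}")
```

In practice the two URLs would be fetched with any HTTP client and the JSON body passed to `transitive_report`; the graph walk is what turns a flat node list into the answer a reviewer actually wants, namely which direct dependency drags in a given indirect one, and which nodes carry resolution errors that deserve a closer look.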
