Updated May 18, 2026
npm Vulnerabilities API
Public npm package metadata, weekly downloads, and OSV vulnerability advisories.
The npm Vulnerabilities API returns public npm package vulnerability intelligence from the npm registry, npm download APIs, and OSV.dev.
Endpoint
GET /vulnerabilities/npm/{package}/
This endpoint is public and does not require an API key.
The {package} path parameter supports scoped names such as @babel/core. URL-encode the package name so that it forms a single path segment (@ becomes %40 and / becomes %2F):
curl "https://api.requestguard.com/v1/vulnerabilities/npm/express/"
curl "https://api.requestguard.com/v1/vulnerabilities/npm/%40babel%2Fcore/"
Response
{
  "package": {
    "name": "express",
    "ecosystem": "npm",
    "latestVersion": "5.1.0",
    "description": "Fast, unopinionated, minimalist web framework",
    "license": "MIT",
    "repositoryUrl": "https://github.com/expressjs/express"
  },
  "downloads": {
    "weeklyDownloads": 104192101,
    "start": "2026-05-10",
    "end": "2026-05-16"
  },
  "summary": {
    "total": 0,
    "highest": "none",
    "counts": {
      "critical": 0,
      "high": 0,
      "moderate": 0,
      "low": 0,
      "unknown": 0
    }
  },
  "advisories": [],
  "sources": {
    "npm": "https://registry.npmjs.org/{package}",
    "downloads": "https://api.npmjs.org/downloads/point/last-week/{package}",
    "osv": "https://api.osv.dev/v1/query"
  },
  "checkedAt": "2026-05-17T12:00:00.000Z",
  "noAdvisoryCopy": "No known OSV advisories found for this npm package. This is not a security guarantee; continue to monitor updates and audit your dependency graph."
}
Errors
404 means the package was not found in the npm registry.
503 means the npm registry, npm downloads API, or OSV upstream is unavailable.
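A dependency gate built on the summary fields and status codes above, as an added example (not RequestGuard's own code). It treats a 503 as "no result" rather than "no advisories". The severity ranking, the verdict names and the failAt threshold are assumptions, and Node 18+ is assumed for the global fetch.

```javascript
// Added example, not RequestGuard code. URL and field names are from the page;
// the severity ranking, verdict names and failAt threshold are assumptions.
const BASE = "https://api.requestguard.com/v1/vulnerabilities/npm/";

// Assumption: summary.highest uses the same labels as summary.counts, plus "none".
const RANK = { none: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Encode the whole name as ONE path segment: "@babel/core" -> "%40babel%2Fcore".
function packageUrl(name) {
  return BASE + encodeURIComponent(name) + "/";
}

// Map an HTTP status and parsed body to a verdict. Anything that is not a
// well-formed 200 is never reported as "pass" (the gate fails closed).
function evaluate(status, body, failAt = "high") {
  if (!Object.hasOwn(RANK, failAt)) throw new TypeError(`bad threshold: ${failAt}`);
  if (status === 404) return { verdict: "error", reason: "package not found in npm registry" };
  if (status === 503) return { verdict: "unknown", reason: "upstream unavailable, no result" };
  const summary = body && body.summary;
  if (status !== 200 || !summary) return { verdict: "unknown", reason: `unexpected response (${status})` };

  const highest = summary.highest;
  if (!Object.hasOwn(RANK, highest)) {
    return { verdict: "review", reason: `unranked severity "${highest}"` };
  }
  if (RANK[highest] >= RANK[failAt]) {
    return { verdict: "fail", reason: `${summary.total} advisories, highest is ${highest}` };
  }
  // Advisories without a severity cannot be compared to the threshold.
  if (summary.counts && summary.counts.unknown > 0) {
    return { verdict: "review", reason: `${summary.counts.unknown} advisories with unknown severity` };
  }
  return { verdict: "pass", reason: "no known advisory at or above threshold (not a guarantee)" };
}

// Network wrapper (Node 18+ global fetch). Not called here, so the block runs offline.
async function checkPackage(name, failAt = "high") {
  const res = await fetch(packageUrl(name));
  const body = res.ok ? await res.json() : null;
  return evaluate(res.status, body, failAt);
}

// Constructed sample bodies (summary only), shaped like the response above.
const CLEAN = { summary: { total: 0, highest: "none", counts: { critical: 0, high: 0, moderate: 0, low: 0, unknown: 0 } } };
const RISKY = { summary: { total: 2, highest: "critical", counts: { critical: 1, high: 0, moderate: 1, low: 0, unknown: 0 } } };

console.log(packageUrl("@babel/core"), evaluate(200, CLEAN).verdict, evaluate(503, null).verdict);
```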