deps.dev
deps.dev is the Open Source Insights website from Google, helping developers inspect package dependencies, versions, licenses, advisories, projects, and ecosystem metadata.
What deps.dev is
deps.dev is the Open Source Insights website from Google. Its documentation says the service helps developers understand the structure, construction, and security of open-source software packages. The site lets users search packages, visualize dependencies, compare versions, investigate security advisories, and inspect metadata that would be tedious to gather from individual package registries by hand.
Dependency graphs
Open Source Insights examines packages and constructs detailed graphs of dependencies and their properties. That gives developers a way to see not just what a package is, but how it is connected to other packages and how those connections change over time. Dependency graphs are useful because risk and maintenance often travel through indirect dependencies. A small package can matter if many projects rely on it, and a seemingly simple dependency can bring in a much larger tree.
Package ecosystems covered
The docs say the service indexes Cargo, Go, Maven, npm, NuGet, PyPI, and RubyGems package ecosystems, along with GitHub, GitLab, and Bitbucket project hosts and security advisories from OSV. This cross-ecosystem view is valuable for teams that use more than one language. It also gives researchers a common place to compare metadata patterns across package managers.
API and dataset access
deps.dev is not only a website. Its documentation describes an API available over HTTP and gRPC, plus a BigQuery public dataset for larger analysis. The API can answer questions about package versions, licenses, dependencies, package-to-file matches, projects, and advisories. That makes deps.dev useful for tool builders, researchers, and teams that want dependency insight inside internal dashboards, audits, or automated review workflows.
Security and package context
Security advisories are part of the deps.dev data model, and project pages can include OpenSSF Scorecard information when available. The site does not replace human security review, but it gives users more context than a package name and version alone. That context can help a team ask better questions: which dependency introduced a risk, which versions are affected, what licenses apply, and whether a project shows signs of healthy maintenance.
Who uses deps.dev
deps.dev is used by software developers, dependency managers, security engineers, open-source maintainers, researchers, build-tool authors, compliance teams, and organizations trying to understand their software supply chain. Some users browse package pages directly; others use the API or BigQuery dataset for automation and analysis.
Why it matters
Modern software is assembled from many open-source packages, and the real shape of that dependency network is hard to see from a manifest file alone. deps.dev matters because it makes package relationships, versions, licenses, advisories, and project metadata easier to inspect together. That shared view can improve dependency decisions. It can also help maintainers and security teams explain why an upgrade, replacement, or deeper review is needed.
WHOIS domain data
Data pulled: May 24, 2026
- Domain: deps.dev
- WHOIS source note: The Who.is WHOIS lookup reported no traditional WHOIS data for deps.dev; the visible domain registration fields below are from the Who.is RDAP view for the same domain.
- IP address: 35.244.225.235
- Registrar: Markmonitor Inc.
- Registrar handle: 292
- Contact URI: https://www.markmonitor.com/contact-us/
- Created: April 3, 2019
- Updated: March 2, 2026
- RDAP database updated: May 24, 2026
- Expires: April 3, 2027
- Nameservers: ns-cloud-d1.googledomains.com (216.239.32.109); ns-cloud-d2.googledomains.com (216.239.34.109); ns-cloud-d3.googledomains.com (216.239.36.109); ns-cloud-d4.googledomains.com (216.239.38.109)
- Domain status: client delete prohibited, client transfer prohibited, client update prohibited
- Contact privacy: The visible Who.is RDAP summary shows a domain contact URI at https://domains.markmonitor.com/whois/contact/deps.dev; registrant personal details are not displayed.