Inquiry About API for Retrieving Git Links of Packages

[a2ure123]

Hello,

I would like to know if there is an existing API that allows users to retrieve the Git link of a package by providing its name. For example, if I have the package name loose-envify, which is a dependency of react, how can I find its corresponding Git link programmatically?

If such an API exists, could you please provide documentation or examples on how to use it? If not, are there any recommended approaches or tools to achieve this?

Thank you for your assistance!

[behnazh-w]

To retrieve the Git repository link for a package, you can use the Deps.dev API. Provide the Package URL (PURL) for the package you're interested in. For example, for pkg:npm/semver@7.6.2 (you can remove the version), you can make the following request:

https://api.deps.dev/v3alpha/purl/pkg:npm%2Fsemver%407.6.2

Look for the links field in the response to find the relevant repository information.

Alternatively, you can use Macaron, a tool that leverages deps.dev and other sources to identify Git repository links, validate them, and also find the exact commit corresponding to the artifact version. If you are not interested in a particular version, you can remove the version and Macaron will still report the Git repo link and the commit for the latest version.

Here’s how to use Macaron:

1. Run the following command to find the source:

   ./run_macaron.sh find-source -purl pkg:npm/semver@7.6.2

2. View the generated report with jq to see the detailed information:

   jq . output/reports/npm/semver/semver.source.json

   The output will look like this:

   {
     "purl": "pkg:npm/semver@7.6.2",
     "commit": "eb1380b1ecd74f6572831294d55ef4537dfe1a2a",
     "repo": "https://github.com/npm/node-semver",
     "repo_validated": false,
     "commit_validated": false,
     "url": "https://github.com/npm/node-semver/commit/eb1380b1ecd74f6572831294d55ef4537dfe1a2a"
   }

For more details on using Macaron, see this tutorial.