Google has launched the deps.dev API, an extension of the deps.dev program, which provides insight into the security data of more than 5 million open-source packages. The API makes it easier for developers to use the program’s underlying dataset by creating automated workflows, such as a plugin that integrates deps.dev with the developers’ own code editor. Such a plugin detects when a developer downloads an open-source package and then automatically scans the package for vulnerabilities and potential licensing issues. Other features include integration with CI/CD tooling and a real dependency graph feature that scans the code of packages and then presents a more detailed list of the components. Additionally, the tech giant has introduced support for hash queries, which makes it easier for developers to discover supply chain attacks. With this new support, developers can quickly identify whether malicious code has been added via an open-source package.
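
The hash-query check described above, as an added example that is not from Google or the deps.dev project: it hashes a downloaded artifact, builds the lookup URL, and compares the returned package versions with the one that was meant to be installed. The endpoint URL, the `hash.type`/`hash.value` parameters and the `results[].version.versionKey` response fields are assumptions about the API's query method that the page does not spell out; `example-pkg`, the artifact bytes, the responses and the verdict strings are constructed for illustration.

```python
import base64
import hashlib
import json
from urllib.parse import urlencode

# Assumption: URL and parameter names of the deps.dev query method.
QUERY_URL = "https://api.deps.dev/v3/query"


def hash_query_url(artifact: bytes) -> str:
    """Build the hash-query URL for an artifact's SHA-256 digest (base64)."""
    digest = hashlib.sha256(artifact).digest()
    params = {
        "hash.type": "SHA256",
        "hash.value": base64.b64encode(digest).decode("ascii"),
    }
    return f"{QUERY_URL}?{urlencode(params)}"


def check_artifact(response_body: str, system: str, name: str, version: str) -> str:
    """Compare the versions a hash query returned with the intended install."""
    results = json.loads(response_body).get("results", [])
    keys = [r.get("version", {}).get("versionKey", {}) for r in results]
    if not keys:
        return "unknown"   # no published version carries this hash
    for key in keys:
        if (key.get("system", "").upper() == system.upper()
                and key.get("name") == name
                and key.get("version") == version):
            return "match"
    return "mismatch"      # hash belongs to a different package or version


# Constructed sample data (assumed response shape, not captured from the API).
SAMPLE_ARTIFACT = b"constructed tarball bytes for example-pkg 1.2.3"
SAMPLE_RESPONSE = json.dumps({"results": [{"version": {"versionKey": {
    "system": "NPM", "name": "example-pkg", "version": "1.2.3"}}}]})
EMPTY_RESPONSE = json.dumps({"results": []})

if __name__ == "__main__":
    print(hash_query_url(SAMPLE_ARTIFACT))
    print(check_artifact(SAMPLE_RESPONSE, "npm", "example-pkg", "1.2.3"))
    print(check_artifact(SAMPLE_RESPONSE, "npm", "example-pkg", "1.2.4"))
    print(check_artifact(EMPTY_RESPONSE, "npm", "example-pkg", "1.2.3"))
```

An "unknown" verdict on an artifact that claims to be a published release is the case to hold back in CI, since its bytes differ from every version the index knows.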