security.package

Security and provenance for an open-source package, composed live from three authoritative sources in one call. Pass ecosystem (npm, pypi, go, maven, cargo, nuget) + name (+ optional version; defaults to latest). Returns: known vulnerabilities from OSV (osv.dev — aggregates GitHub Security Advisories, PyPA, RustSec, Go vuln DB, etc.) each with its id, CVE aliases, summary, severity, and references; the resolved license and deprecation status (deps.dev); and the source repo's OpenSSF Scorecard health score (overall + per-check) plus stars/forks/open-issues. All live — newly-disclosed advisories appear within hours. Distinct from registry.npm-lookup / pypi-lookup (metadata only): this answers "is this dependency safe to add, what license does it carry, and how well-maintained is it."

price
$0.0022 USDC per call
method
GET /api/security/package
payment
x402 v2 · USDC on Base (EIP-3009) or Solana (SPL transfer)
auth
None. Sign the payment, retry with PAYMENT-SIGNATURE.
tier
Tier 0 — no paid upstream

Parameters

Name (Type): Description

ecosystem (string, required)
    Package ecosystem: npm, pypi, go, maven, cargo, or nuget.
    One of: npm | pypi | go | maven | cargo | nuget
name (string, required)
    Package name (e.g. lodash, requests, github.com/gin-gonic/gin).
    min 1 char · max 214 chars
version (string, optional)
    Specific version (defaults to the latest/default version).
    min 1 char · max 120 chars

Code samples

cURL (bash)
# 1. Probe with no auth → 402 envelope with PaymentRequirements
curl -sS 'https://2s.io/api/security/package?ecosystem=npm&name=example&version=example'

# 2. Sign + retry with PAYMENT-SIGNATURE:
curl -sS 'https://2s.io/api/security/package?ecosystem=npm&name=example&version=example' \
  -H 'PAYMENT-SIGNATURE: <base64-json-payload>'

# Or use the canonical runner (handles probe → sign → retry):
#   EVM_PRIVATE_KEY=0x... node --env-file=.env.local \
#     --experimental-strip-types scripts/x402-pay.ts \
#     'https://2s.io/api/security/package?ecosystem=npm&name=example&version=example'
TypeScript / Node — @2sio/sdk (typescript)
import { TwoS } from '@2sio/sdk'

const client = new TwoS({
  privateKey: process.env.EVM_PRIVATE_KEY as `0x${string}`,
})

const result = await client.security.package({
  "ecosystem": "npm",
  "name": "example",
  "version": "example"
})

console.log('endpoint:', result.endpoint)
console.log('cost:', result.costUsd, 'USDC')
console.log('tx:', result.settlement?.txHash)
console.log('data:', result.data)
Python — 2sio (python)
import os
from twosio import TwoS

client = TwoS(private_key=os.environ["EVM_PRIVATE_KEY"])

result = client.security.package(ecosystem="npm", name="example", version="example")

print("endpoint:", result.endpoint)
print("cost:", result.cost_usd, "USDC")
print("tx:", (result.settlement or {}).get("tx_hash"))
print("data:", result.data)
MCP — Claude Desktop / AgentKit / any MCP host (json)
// 1. Add @2sio/mcp to your MCP host config (Claude Desktop example below).
//    EVM_PRIVATE_KEY funds x402 payments per call.

// claude_desktop_config.json
{
  "mcpServers": {
    "2sio": {
      "command": "npx",
      "args": ["-y", "@2sio/mcp"],
      "env": { "EVM_PRIVATE_KEY": "0x..." }
    }
  }
}

// 2. Once the server is running, agents call this tool via standard MCP:

{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "tools/call",
  "params": {
    "name": "security.package",
    "arguments": {
      "ecosystem": "npm",
      "name": "example",
      "version": "example"
    }
  }
}

Response

Field (Type): Description

ok (boolean)
    One of: true
items (array)
total (integer)
    Total matching rows upstream; null when unknown.
source (object)
meta (object)

Example response data (json)
{
  "ok": true,
  "items": [
    {
      "package": {
        "ecosystem": "example",
        "name": "example",
        "version": "example"
      },
      "vulnerabilityCount": 1,
      "vulnerabilities": [
        {
          "id": "example",
          "aliases": [
            "example"
          ],
          "summary": "example",
          "severity": "example",
          "published": "example",
          "modified": "example",
          "references": [
            "example"
          ]
        }
      ],
      "license": "example",
      "deprecated": false,
      "deprecatedReason": "example",
      "publishedAt": "example",
      "sourceRepo": "example",
      "scorecard": {
        "overallScore": 1,
        "date": "example",
        "checks": [
          {
            "name": "example",
            "score": 1
          }
        ]
      },
      "repo": {
        "stars": 1,
        "forks": 1,
        "openIssues": 1
      },
      "errors": {}
    }
  ],
  "total": 1,
  "source": {
    "provider": "example",
    "url": "example",
    "license": "example"
  },
  "meta": {
    "sources": [
      "example"
    ]
  }
}
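The response above is the raw material for an "is this dependency safe to add" decision, but the gate itself is the caller's job. The following is an added example, not part of the 2s.io SDK or service: it takes one element of the `items` array exactly as documented (vulnerabilities with `severity`, `license`, `deprecated`, `scorecard.overallScore`, `errors`) and applies a local policy. The severity labels, license allow-list, score threshold and the `errors` key layout are assumptions chosen for illustration; the sample item is constructed with placeholder identifiers, not real advisories.

```python
"""Dependency gate over one item of a security.package response.

Added example (not 2s.io code). Assumptions: `severity` is a text label
such as LOW/MODERATE/HIGH/CRITICAL, and `errors` maps an upstream source
name to an error message. Everything else follows the documented shape.
"""
from dataclasses import dataclass, field

# Assumed ranking of severity labels; labels are upper-cased before lookup.
SEVERITY_RANK = {"LOW": 1, "MODERATE": 2, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class Policy:
    max_severity_allowed: str = "MODERATE"      # anything above this blocks
    allowed_licenses: frozenset = frozenset(
        {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"})
    min_scorecard: float = 5.0                  # OpenSSF Scorecard overall
    block_deprecated: bool = True


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def severity_rank(label):
    """Rank a severity label. A missing or unrecognised label is treated
    as HIGH so an advisory with no usable severity fails closed."""
    if not isinstance(label, str):
        return SEVERITY_RANK["HIGH"]
    return SEVERITY_RANK.get(label.strip().upper(), SEVERITY_RANK["HIGH"])


def evaluate_item(item, policy=Policy()):
    """Return a Decision for one `items[]` element of the response."""
    reasons = []
    threshold = SEVERITY_RANK[policy.max_severity_allowed]

    for vuln in item.get("vulnerabilities") or []:
        if severity_rank(vuln.get("severity")) > threshold:
            ids = [vuln.get("id", "?")] + list(vuln.get("aliases") or [])
            reasons.append(
                f"vulnerability {', '.join(ids)}: severity "
                f"{vuln.get('severity')} exceeds {policy.max_severity_allowed}")

    lic = item.get("license")
    if lic not in policy.allowed_licenses:
        reasons.append(f"license {lic!r} not in allow-list")

    if policy.block_deprecated and item.get("deprecated"):
        reasons.append(
            f"deprecated: {item.get('deprecatedReason') or 'no reason given'}")

    score = (item.get("scorecard") or {}).get("overallScore")
    if score is None:
        reasons.append("no OpenSSF Scorecard available")
    elif score < policy.min_scorecard:
        reasons.append(f"scorecard {score} below {policy.min_scorecard}")

    # Partial upstream failures must not look like a clean result: if OSV
    # was unreachable, an empty vulnerability list proves nothing.
    for source, err in (item.get("errors") or {}).items():
        reasons.append(f"upstream {source} failed: {err}")

    return Decision(allowed=not reasons, reasons=reasons)


# Constructed sample item; identifiers are placeholders, not real advisories.
SAMPLE_ITEM = {
    "package": {"ecosystem": "npm", "name": "example-pkg", "version": "1.2.3"},
    "vulnerabilityCount": 2,
    "vulnerabilities": [
        {"id": "GHSA-EXAMPLE-0001", "aliases": ["CVE-0000-00001"],
         "summary": "constructed high-severity advisory", "severity": "HIGH",
         "published": "2024-01-01T00:00:00Z", "modified": "2024-01-02T00:00:00Z",
         "references": ["https://example.invalid/advisory/1"]},
        {"id": "GHSA-EXAMPLE-0002", "aliases": [],
         "summary": "constructed low-severity advisory", "severity": "low",
         "published": "2024-02-01T00:00:00Z", "modified": "2024-02-01T00:00:00Z",
         "references": []},
    ],
    "license": "MIT",
    "deprecated": False,
    "deprecatedReason": None,
    "publishedAt": "2023-12-01T00:00:00Z",
    "sourceRepo": "github.com/example/example-pkg",
    "scorecard": {"overallScore": 6.4, "date": "2024-03-01",
                  "checks": [{"name": "Maintained", "score": 8}]},
    "repo": {"stars": 10, "forks": 2, "openIssues": 1},
    "errors": {},
}

if __name__ == "__main__":
    decision = evaluate_item(SAMPLE_ITEM)
    print("allowed" if decision.allowed else "blocked")
    for reason in decision.reasons:
        print(" -", reason)
```

Two design points worth copying into a real gate: unknown severities and upstream errors both fail closed, because the absence of data from one of the three sources is not evidence of safety, and the policy is a plain dataclass so the same function can be run with a stricter policy for production dependencies than for dev tooling.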

Discovery

2s.io is x402-native. Every call is paid per-request from a USDC-funded EVM wallet on Base — no signup, no API keys, no monthly fees. Source code: github.com/2s-io/sdk.