Package Lookup
Thinking about adding a package, or wondering how trustworthy one you already ship is? Look it up. Search any open-source package by name or paste a Package URL (PURL), and see its trust score in seconds - alongside the packages that already need your attention across your repositories.
Search for a package
The search box takes two kinds of input, and figures out which one you mean:
| Search by | Example | What happens |
|---|---|---|
| Name | lodash | Returns every matching package. Narrow it with the ecosystem dropdown (npm, PyPI, Maven, Go, Cargo, NuGet, RubyGems) and page through the results. |
| PURL | pkg:npm/express@4.18.2 | An exact lookup. The ecosystem is already in the PURL, so the dropdown is disabled and a single match opens its detail page directly. |
Not sure where to start? Tap one of the example chips under the search box. Your search lives in the page URL, so you can bookmark it or share a results link with a teammate.
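As an added illustration (not the product's own code), here is how a search box can tell a bare name from a PURL and turn `pkg:type/namespace/name@version` into the exact-lookup key described above. The purl grammar follows the public Package URL spec; the ecosystem list mirrors the dropdown, and the package index is a constructed stand-in.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote

# The ecosystems the dropdown lists, keyed by the purl type that names them.
ECOSYSTEMS = {"npm": "npm", "pypi": "PyPI", "maven": "Maven", "golang": "Go",
              "cargo": "Cargo", "nuget": "NuGet", "gem": "RubyGems"}

@dataclass
class Purl:
    type: str                        # purl type, e.g. "npm"
    name: str                        # package name without its namespace
    namespace: Optional[str] = None  # npm scope, Maven group id, Go module path
    version: Optional[str] = None

def parse_purl(text: str) -> Purl:
    """Parse pkg:type/namespace/name@version?qualifiers#subpath (purl spec)."""
    if text[:4].lower() != "pkg:":
        raise ValueError("not a purl")
    # Subpath and qualifiers play no part in the lookup, so drop them first.
    body = text[4:].strip("/").partition("#")[0].partition("?")[0]
    head, sep, tail = body.rpartition("@")  # the version follows the last '@'
    body, version = (head, unquote(tail)) if sep else (body, None)
    ptype, _, path = body.partition("/")
    segments = [unquote(s) for s in path.split("/") if s]  # %40babel -> @babel
    if not ptype or not segments:
        raise ValueError("purl needs a type and a name")
    if ptype.lower() not in ECOSYSTEMS:
        raise ValueError(f"unsupported ecosystem: {ptype}")
    return Purl(ptype.lower(), segments[-1], "/".join(segments[:-1]) or None, version)

def classify(query: str):
    """What the search box was given: ('purl', Purl) or ('name', str)."""
    text = query.strip()
    return ("purl", parse_purl(text)) if text[:4].lower() == "pkg:" else ("name", text)

# Constructed stand-in for the package index: (type, full name, version) -> trust score.
INDEX = {("npm", "lodash", "4.17.21"): 6.4, ("npm", "express", "4.18.2"): 8.1,
         ("npm", "express", "4.17.1"): 7.9, ("pypi", "lodash", "0.1.0"): 3.2}

def lookup(query: str, ecosystem: Optional[str] = None) -> list:
    """Name: every match, narrowed by the dropdown (a purl type). PURL: exact match only."""
    kind, value = classify(query)
    if kind == "purl":  # the ecosystem comes from the purl, so the dropdown is ignored
        full = f"{value.namespace}/{value.name}" if value.namespace else value.name
        return [(k, s) for k, s in INDEX.items()
                if k[0] == value.type and k[1] == full and value.version in (None, k[2])]
    return [(k, s) for k, s in INDEX.items()
            if k[1] == value.lower() and ecosystem in (None, k[0])]
```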
Needs attention
This card surfaces the packages in your repositories that took a turn for the worse - so you find out before they become a problem. A package lands here for one of two reasons:
| Flag | What it means |
|---|---|
| Score drop | The package’s trust score fell since the last scan. The card shows how far it dropped, so a lapse in maintenance or a newly found weakness does not slip past you. |
| Unmaintained | The upstream project has been archived. It will not get fixes or security patches anymore - a strong signal to plan a replacement. |
Each row shows the package, its ecosystem, how many of your repositories use it, and its current score. Choose See all to open the full list, sorted with the lowest scores first.
Most used in your repos
This card ranks packages by how many of your repositories depend on them. The ones at the top are your highest-leverage dependencies: a problem in any of them touches the most projects, and an upgrade to any of them pays off everywhere at once.
Each row shows the reach - for example, 42 of 50 repos - next to the package’s trust score, so you can see at a glance whether your most widespread dependencies are also your most trustworthy. Choose See all to browse every package your organization uses, ranked by reach.
Reading the trust score
Every package carries a single trust score from 0 to 10, shown as a color-coded letter grade. It rolls up automated checks on the project’s security practices, maintenance, and supply-chain hygiene into one number you can scan at a glance.
| Grade | Score range | Interpretation |
|---|---|---|
| A | 8.0 – 10.0 | Strong security practices across the board |
| B | 6.0 – 7.9 | Solid, with a few gaps worth a look |
| C | 4.0 – 5.9 | Mixed - review before relying on it heavily |
| D | 2.0 – 3.9 | Weak practices - treat with caution |
| F | 0.0 – 1.9 | Poor practices - look for an alternative |
Want to know what goes into the number? The Dependency Trust Scoring page breaks down every check behind the grade.
Dig into a single package
Select any package - from a search result or from one of the cards - to open its detail page. There you get the full picture beyond the headline score: the per-check breakdown, how it compares to the median for its ecosystem, when it was last published, license, repository stars, and whether the package has been deprecated.
Use it to make the call with confidence - whether you are vetting a new dependency or deciding what to do about one that’s slipping.
Sort and filter results
When a search returns a list, you can shape it to find what you need:
- Sort by name, trust score, usage across your repositories, or when the package was last analyzed.
- Filter to your organization to show only the packages you actually ship, ignoring the rest of the registry.
- Filter by grade to zero in on, say, every D and F package you depend on.