google / deps.dev

Resources for the deps.dev API
https://deps.dev
Apache License 2.0

GetProjectPackageVersions returns no data #42

Closed edoardottt closed 10 months ago

edoardottt commented 10 months ago

Sorry, maybe I'm doing something wrong...

I'm trying to pull some data using this endpoint:

curl 'https://api.deps.dev/v3alpha/projects/github.com%2Fedoardottt%2Fcariddi:packageversions'

Same for other projects:

curl 'https://api.deps.dev/v3alpha/projects/github.com%2Fopenwrt%2Fopenwrt:packageversions'

However I always get a 404 no matter which package / project I choose...

How should I use this API?

adg commented 10 months ago

This endpoint will return only packages that have a published provenance attestation. At the moment this is limited to some npm packages, as that's the only package manager with first-party support for provenance attestations (or there may be others, but deps.dev doesn't consume those attestations yet).

For example:

$ curl -s 'https://api.deps.dev/v3alpha/projects/github.com%2Feslint%2Fespree:packageversions' | jq
{
  "versions": [
    {
      "versionKey": {
        "system": "NPM",
        "name": "espree",
        "version": "9.6.1"
      },
      "slsaProvenances": [
        {
          "sourceRepository": "https://github.com/eslint/espree",
          "commit": "91ea3503112f380fba8eb2fb4cbeb7c6ebb71899",
          "url": "https://registry.npmjs.org/-/npm/v1/attestations/espree@9.6.1"
        }
      ]
    }
  ]
}

Thanks for filing this issue. I can see how this is confusing, since it's not very obvious from our documentation. I'll make sure we update it.
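An added example (not from the thread or from deps.dev's own code) of consuming this endpoint as described above: it percent-encodes the project key, treats the 404 the reporter saw as "no attested package versions", and flattens the `slsaProvenances` entries. The helper names and the `repo_matches` comparison are assumptions made for illustration; the sample body is the response quoted above.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import quote

API = "https://api.deps.dev/v3alpha/projects/"

# Response body quoted in the thread for github.com/eslint/espree.
SAMPLE = """{"versions": [{"versionKey": {"system": "NPM", "name": "espree", "version": "9.6.1"},
 "slsaProvenances": [{"sourceRepository": "https://github.com/eslint/espree",
 "commit": "91ea3503112f380fba8eb2fb4cbeb7c6ebb71899",
 "url": "https://registry.npmjs.org/-/npm/v1/attestations/espree@9.6.1"}]}]}"""


def endpoint(project):
    # The project key is a single path segment, so "/" must become %2F.
    return API + quote(project, safe="") + ":packageversions"


def fetch(project):
    """Return (status, body); urlopen raises on 404, so map it to a status."""
    try:
        with urllib.request.urlopen(endpoint(project), timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""


def attested(status, body):
    """Flatten a response into one row per (package version, provenance)."""
    if status == 404:  # what the thread reports when nothing is attested
        return []
    if status != 200:
        raise RuntimeError(f"unexpected HTTP status {status}")
    rows = []
    for v in json.loads(body).get("versions", []):
        k = v["versionKey"]
        for p in v.get("slsaProvenances", []):
            rows.append((k["system"], k["name"], k["version"],
                         p["sourceRepository"], p["commit"]))
    return rows


def repo_matches(project, source_repository):
    """Assumed check: the attested repository is the project that was queried."""
    repo = source_repository.split("://", 1)[-1].rstrip("/")
    if repo.endswith(".git"):
        repo = repo[:-4]
    return repo.lower() == project.lower()
```

For a live query, pass the result of `fetch("github.com/eslint/espree")` to `attested` in place of the embedded sample.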

edoardottt commented 10 months ago

Thank you so much for the explanation!

adg commented 10 months ago

We updated the docs: https://docs.deps.dev/api/v3alpha/#getprojectpackageversions

Thanks again!