Status: Closed (edoardottt closed this issue 10 months ago)
This endpoint will return only packages that have a published provenance attestation. At the moment this is limited to some npm packages, as that's the only package manager with first-party support for provenance attestations (or there may be others, but deps.dev doesn't consume those attestations yet).
For example:
$ curl -s 'https://api.deps.dev/v3alpha/projects/github.com%2Feslint%2Fespree:packageversions' | jq
{
  "versions": [
    {
      "versionKey": {
        "system": "NPM",
        "name": "espree",
        "version": "9.6.1"
      },
      "slsaProvenances": [
        {
          "sourceRepository": "https://github.com/eslint/espree",
          "commit": "91ea3503112f380fba8eb2fb4cbeb7c6ebb71899",
          "url": "https://registry.npmjs.org/-/npm/v1/attestations/espree@9.6.1"
        }
      ]
    }
  ]
}
Thanks for filing this issue. I can see how this is confusing, since it's not very obvious from our documentation. I'll make sure we update it.
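An added example, not part of the thread and not deps.dev's own code: a Python sketch that builds the percent-encoded URL shown in the reply, and checks each returned attestation against the project that was queried. The function names are hypothetical, reading a 404 as "no attested package versions" is an assumption drawn from the explanation above, and the sample data is constructed from the response quoted in the reply.

```python
import re
import urllib.error
import urllib.parse
import urllib.request

API = "https://api.deps.dev/v3alpha/projects/{key}:packageversions"

# Constructed sample: the response quoted in the reply above, embedded for offline use.
SAMPLE = {"versions": [{
    "versionKey": {"system": "NPM", "name": "espree", "version": "9.6.1"},
    "slsaProvenances": [{
        "sourceRepository": "https://github.com/eslint/espree",
        "commit": "91ea3503112f380fba8eb2fb4cbeb7c6ebb71899",
        "url": "https://registry.npmjs.org/-/npm/v1/attestations/espree@9.6.1"}]}]}

def endpoint_url(project_key):
    # The project key is one path segment, so every "/" is sent as %2F.
    return API.format(key=urllib.parse.quote(project_key, safe=""))

def fetch(project_key):
    """Return the parsed response, or None when the API answers 404."""
    import json
    try:
        with urllib.request.urlopen(endpoint_url(project_key), timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:  # assumption: no attested package versions for this project
            return None
        raise

def check_provenance(project_key, response):
    """Return (system, name, version, commit, ok) for each attestation listed."""
    expected = "https://" + project_key.lower()
    rows = []
    for ver in (response or {}).get("versions", []):
        key = ver["versionKey"]
        for prov in ver.get("slsaProvenances", []):
            repo = prov.get("sourceRepository", "").lower().rstrip("/")
            if repo.endswith(".git"):
                repo = repo[:-4]
            commit = prov.get("commit", "")
            # ok: attested source repo is the queried project, commit is a full SHA-1
            ok = repo == expected and re.fullmatch(r"[0-9a-f]{40}", commit) is not None
            rows.append((key["system"], key["name"], key["version"], commit, ok))
    return rows

if __name__ == "__main__":
    for row in check_provenance("github.com/eslint/espree", SAMPLE):
        print(row)
```

The check only compares fields in the API response; it does not verify the attestation signature behind the `url` field.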
Thank you so much for the explanation!
We updated the docs: https://docs.deps.dev/api/v3alpha/#getprojectpackageversions
Thanks again!
Sorry, maybe I'm doing something wrong...
I'm trying to pull some data using this endpoint:
Same for other projects
However, I always get a 404 no matter which package / project I choose...
How should I use this API?