Send a `POST` request to `https://api.osv.dev/v1/query` with a JSON body of the form `{"package": {"name": "<pkg>", "ecosystem": "<eco>"}, "version": "<ver>"}`; the package name must be the ecosystem's canonical name (e.g. the npm scope-qualified name or the Go module path)
Parse the `vulns` array in the response; each entry is an OSV-schema record with `id`, `aliases`, `summary`, `details`, `affected` (per-package version ranges with `introduced`/`fixed` events), `references`, and, when available, `severity` fields
For batch lookups, use `POST /v1/querybatch` with a `queries` array to check multiple packages in a single request; the `results` array comes back in the same order as the queries, and each batch result lists only the `id` and `modified` of matching vulnerabilities, so fetch full records with `GET /v1/vulns/{id}` (or a single `/v1/query`) when you need `aliases`, `affected`, or `severity`. Both endpoints paginate: keep re-sending the query with the returned `next_page_token` in `page_token` until no token is returned
Cross-reference the returned `aliases` field to correlate OSV IDs (`PYSEC-`, `GO-`, `RUSTSEC-`, etc.) with NVD CVE IDs or GHSA identifiers; an entry with no aliases is not necessarily less real, it may simply not have been assigned a CVE yet
Integrate the OSV API into your dependency update PR pipeline to annotate PRs that introduce or upgrade a vulnerable package
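The steps above, as a single added example that is not part of the original page or of the OSV project's own client libraries. It builds the `/v1/query` and `/v1/querybatch` bodies, canonicalizes the ecosystem name before sending (so `pip` or `PyPi` becomes `PyPI` instead of silently returning nothing), follows `next_page_token`, and flattens a response into records with CVE/GHSA aliases, CVSS vector strings, and fixed versions, which is what a PR annotator needs. The `KNOWN_ECOSYSTEMS` subset and the alternate-name table are assumptions for illustration; `SAMPLE_RESPONSE` is a constructed payload with placeholder IDs, not a real advisory, so the parsing path runs offline.

```python
"""Hypothetical OSV client helpers (added example, not OSV's own code)."""
import json
import urllib.request

OSV_API = "https://api.osv.dev/v1"

# OSV ecosystem names are case-sensitive. This subset is an assumption for the
# example; the authoritative list lives in the OSV schema documentation.
KNOWN_ECOSYSTEMS = {"PyPI", "npm", "Go", "Maven", "RubyGems", "crates.io", "NuGet", "Packagist"}
# Alternate spellings that OSV would answer with an empty result set.
_ALIASES = {e.lower(): e for e in KNOWN_ECOSYSTEMS}
_ALIASES.update({"pip": "PyPI", "golang": "Go", "cargo": "crates.io", "gem": "RubyGems"})


def canonical_ecosystem(name):
    """Map 'pip' / 'pypi' / 'PyPi' to 'PyPI'; reject anything outside the known set."""
    eco = _ALIASES.get(name.strip().lower())
    if eco is None:
        raise ValueError(f"unknown OSV ecosystem {name!r}; use an exact OSV name such as PyPI, npm, Go, Maven")
    return eco


def build_query(name, ecosystem, version):
    """Body for POST /v1/query."""
    return {"package": {"name": name, "ecosystem": canonical_ecosystem(ecosystem)}, "version": version}


def build_batch(specs):
    """specs: iterable of (name, ecosystem, version) tuples -> body for POST /v1/querybatch."""
    return {"queries": [build_query(n, e, v) for n, e, v in specs]}


def summarize_vulns(response):
    """Flatten a /v1/query response into records with correlated identifiers."""
    records = []
    for v in response.get("vulns", []):
        aliases = v.get("aliases", [])
        fixed = {
            ev["fixed"]
            for a in v.get("affected", [])
            for r in a.get("ranges", [])
            for ev in r.get("events", [])
            if "fixed" in ev
        }
        records.append({
            "id": v["id"],
            "cves": sorted(a for a in aliases if a.startswith("CVE-")),
            "ghsas": sorted(a for a in aliases if a.startswith("GHSA-")),
            "summary": v.get("summary", ""),
            # OSV 'severity', when present, carries CVSS vector strings, not numeric scores.
            "cvss_vectors": [s["score"] for s in v.get("severity", []) if s.get("type", "").startswith("CVSS")],
            "fixed_in": sorted(fixed),
        })
    return records


def query_osv(name, ecosystem, version, timeout=10):
    """Live POST /v1/query that follows next_page_token until every vuln is collected."""
    body = build_query(name, ecosystem, version)
    vulns = []
    while True:
        req = urllib.request.Request(
            f"{OSV_API}/query",
            data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            page = json.load(resp)
        vulns.extend(page.get("vulns", []))
        token = page.get("next_page_token")
        if not token:
            return {"vulns": vulns}
        body["page_token"] = token


# Constructed sample response shaped like OSV's. The IDs are placeholders, not real advisories.
SAMPLE_RESPONSE = {
    "vulns": [
        {
            "id": "EXAMPLE-0001",
            "aliases": ["CVE-0000-00001", "GHSA-0000-0000-0001"],
            "summary": "placeholder summary",
            "severity": [{"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],
            "affected": [{
                "package": {"ecosystem": "PyPI", "name": "examplepkg"},
                "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "1.2.3"}]}],
            }],
            "references": [{"type": "ADVISORY", "url": "https://example.invalid/advisory"}],
        },
        {"id": "EXAMPLE-0002", "aliases": [], "summary": "no upstream alias yet", "affected": [], "references": []},
    ]
}

if __name__ == "__main__":
    for rec in summarize_vulns(SAMPLE_RESPONSE):
        print(rec["id"], rec["cves"], rec["ghsas"], rec["fixed_in"], rec["cvss_vectors"])
```

In a PR pipeline, run `summarize_vulns(query_osv(...))` for each dependency the PR adds or bumps and post the `id`, `cves`, and `fixed_in` fields as the annotation; a record whose `fixed_in` contains a version above the one the PR introduces is the one that should block or at least flag the change.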
Known gotchas
The `ecosystem` value must exactly match the OSV ecosystem list (e.g., `PyPI`, `npm`, `Go`, `Maven`); incorrect casing or alternate names (e.g., `pip` instead of `PyPI`) will return no results
OSV does not always carry severity data, and when it does the `severity` field holds a CVSS vector string (e.g. `type: CVSS_V3`, `score: "CVSS:3.1/..."`), not a numeric base score; compute the score from the vector yourself or supplement with the NVD API if CVSS numbers are required for risk gating
A package with no returned `vulns` is only known-safe at the time of the query; the OSV database is updated continuously and a clean result should not be cached indefinitely