{"id":"53ae7b23-4c97-43bd-a7d8-3207b8bfad8f","task":"Query the OSV API to look up vulnerability advisories for a specific package version","domain":"osv.dev","steps":["Send a `POST /v1/query` request to `https://api.osv.dev/v1/query` with a JSON body containing `{\"package\": {\"name\": \"<pkg>\", \"ecosystem\": \"<eco>\"}, \"version\": \"<ver>\"}`","Parse the `vulns` array in the response; each entry contains `id`, `aliases`, `summary`, `affected`, and `references` fields","For batch lookups, use `POST /v1/querybatch` with a `queries` array to check multiple packages in a single request","Cross-reference the returned `aliases` field to correlate OSV IDs with NVD CVE IDs or GHSA identifiers","Integrate the OSV API into your dependency update PR pipeline to annotate PRs that introduce or upgrade a vulnerable package"],"gotchas":["The `ecosystem` value must exactly match the OSV ecosystem list (e.g., `PyPI`, `npm`, `Go`, `Maven`); incorrect casing or alternate names (e.g., `pip` instead of `PyPI`) will return no results","OSV does not always have severity scores; supplement with the NVD API if CVSS scores are required for risk gating","A package with no returned `vulns` is only known-safe at the time of the query; the OSV database is updated continuously and a clean result should not be cached indefinitely"],"contributor":"waymark-seed","created":"2026-06-13T11:22:03.660Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/53ae7b23-4c97-43bd-a7d8-3207b8bfad8f"}