Should a lookup of a package, with the version, return published_at?

[jamietanna]

When looking up a pURL with a version, we receive the following JSON, i.e. via https://packages.ecosyste.ms/api/v1/packages/lookup?purl=pkg:npm/[email protected]:

[
  {
    "advisories": [

    ],
    "created_at": "2022-04-10T02:31:47.119Z",
    "dependent_packages_count": 155,
    "dependent_packages_url": "https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/type-of/dependent_packages",
    "dependent_repos_count": 169150,
    "dependent_repositories_url": "https://repos.ecosyste.ms/api/v1/usage/npm/type-of/dependencies",
    "description": "Type assertions aka less-broken typeof.",
    "docker_dependents_count": 156,
    "docker_downloads_count": 20876211,
    "docker_usage_url": "https://docker.ecosyste.ms/usage/npm/type-of",
    "documentation_url": null,
    "downloads": 1462316,
    "downloads_period": "last-month",
    "ecosystem": "npm",
    "first_release_published_at": "2013-06-28T04:23:24.940Z",
    "homepage": null,
    "install_command": "npm install type-of",
    "keywords_array": [

    ],
    "last_synced_at": "2024-02-05T07:41:10.691Z",
    "latest_release_number": "2.0.1",
    "latest_release_published_at": "2014-01-06T20:28:06.503Z",
    "licenses": "MIT",
    "maintainers": [
      {
        "created_at": "2022-11-10T11:46:54.530Z",
        "email": "[email protected]",
        "html_url": "https://www.npmjs.com/~forbeslindesay",
        "login": "forbeslindesay",
        "name": null,
        "packages_count": 757,
        "packages_url": "https://packages.ecosyste.ms/api/v1/registries/npmjs.org/maintainers/forbeslindesay/packages",
        "role": null,
        "updated_at": "2022-11-10T11:46:54.530Z",
        "url": null,
        "uuid": "forbeslindesay"
      }
    ],
    "metadata": {
      "dist-tags": {
        "latest": "2.0.1"
      },
      "funding": null
    },
    "name": "type-of",
    "namespace": null,
    "normalized_licenses": [
      "MIT"
    ],
    "purl": "pkg:npm/type-of",
    "rankings": {
      "average": 0.2063150946785471,
      "dependent_packages_count": 0.26743308783905156,
      "dependent_repos_count": 0.08477801900591521,
      "docker_downloads_count": 0.24602586865127918,
      "downloads": 0.22702340321794248,
      "forks_count": null,
      "stargazers_count": null
    },
    "registry": {
      "created_at": "2022-04-04T15:19:23.081Z",
      "default": true,
      "ecosystem": "npm",
      "github": "npm",
      "icon_url": "https://github.com/npm.png",
      "keywords_count": 740084,
      "maintainers_count": 820150,
      "maintainers_url": "https://packages.ecosyste.ms/api/v1/registries/npmjs.org/maintainers",
      "metadata": {
        "funded_packages_count": 114597
      },
      "name": "npmjs.org",
      "namespaces_count": 221475,
      "namespaces_url": "https://packages.ecosyste.ms/api/v1/registries/npmjs.org/namespaces",
      "packages_count": 3632728,
      "packages_url": "https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages",
      "updated_at": "2024-02-06T13:05:25.143Z",
      "url": "https://registry.npmjs.org"
    },
    "registry_url": "https://www.npmjs.com/package/type-of",
    "related_packages_url": "https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/type-of/related_packages",
    "repo_metadata": {
    },
    "repo_metadata_updated_at": "2024-02-05T07:41:50.222Z",
    "repository_url": "https://github.com/ForbesLindesay/type-of",
    "status": null,
    "updated_at": "2024-02-05T07:41:50.251Z",
    "usage_url": "https://repos.ecosyste.ms/usage/npm/type-of",
    "version_numbers_url": "https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/type-of/version_numbers",
    "versions_count": 2,
    "versions_url": "https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/type-of/versions"
  }
]

Note that there's no indication of the publish date of the package version we've looked up.

Compare this to the version lookup API,i.e. https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/type-of/versions/2.0.1 we see:

{
  "created_at": "2022-04-10T02:31:47.183Z",
  "dependencies": [
    {
      "ecosystem": "npm",
      "kind": "Development",
      "optional": false,
      "package_name": "tape",
      "requirements": "~2.3.2"
    }
  ],
  "documentation_url": null,
  "download_url": "https://registry.npmjs.org/type-of/-/type-of-2.0.1.tgz",
  "install_command": "npm install [email protected]",
  "integrity": null,
  "licenses": "MIT",
  "metadata": {
  },
  "number": "2.0.1",
  "published_at": "2014-01-06T20:28:06.503Z",
  "purl": "pkg:npm/[email protected]",
  "registry_url": "https://www.npmjs.com/package/type-of/v/2.0.1",
  "related_tag": null,
  "status": null,
  "updated_at": "2022-04-10T02:31:47.183Z"
}

Is this expected? (Happy if yes is the answer!) Or is there something we can do to expose published_at if we see that it's a lookup of a given version number?

Upvote & Fund

• We're using Polar.sh so you can upvote and help fund this issue.
• We receive the funding once the issue is completed & confirmed by you.
• Thank you in advance for helping prioritize & fund our backlog.

[andrew]

Currently the lookup endpoint doesn’t support looking up particular versions, you’ll need to make a second request to the versions end point.

We can potentially add that ability, will need to change or adapt the response to make sense for both with and without a version

[jamietanna]

Ah OK, that explains it then! I'm happy to call out to the versions API then, as I then have all the metadata I need to do so (namely the Registry)

[andrew]

You can also add your version number and a slash to the end of versions_url