agentutilityWhat it does
Send a Rust crate name. Get back the numbers.
curl -X POST https://x402.agentutility.ai/crates-io-stats \
-d '{"package": "serde", "recent_versions": 3}'
{
"package": "serde",
"latest_version": "1.0.219",
"latest_stable_version": "1.0.219",
"total_versions": 286,
"age_days": 3800,
"days_since_last_release": 12,
"license": "MIT OR Apache-2.0",
"repository": "https://github.com/serde-rs/serde",
"downloads": { "all_time": 425000000, "recent_90d": 26000000 },
"recent_versions": [
{ "version": "1.0.219", "published": "2026-05-06T...", "yanked": false, "edition": "2018", "rust_version": "1.31" },
{ "version": "1.0.218", "published": "2026-04-21T...", "yanked": false, "edition": "2018", "rust_version": "1.31" },
{ "version": "1.0.217", "published": "2026-03-15T...", "yanked": false, "edition": "2018", "rust_version": "1.31" }
]
}
$0.003 USDC. One call to crates.io. Same shape as the npm and pypi cousins.
The trio is complete
This week npm-package-stats and pypi-package-stats shipped. crates-io-stats closes the loop. Now an agent that wants "tell me about this dep" can ask the same question against any of the three major package ecosystems with the same response shape:
- Latest version + total version count
- Recent N versions with publish timestamps
- Days since last release (staleness signal)
- License + repo + docs URLs
- Download counts (across whatever windows the registry exposes)
Same call shape, same response shape. The only difference is which endpoint you route to.
What crates.io gives you that npm and pypi don't
A few Rust-specific fields worth noting in recent_versions:
edition— Rust 2015 / 2018 / 2021 / 2024. Tells you whether the crate uses async/await syntax, 2024 closure captures, etc.rust_version— the MSRV (minimum supported Rust version). Matters if you're locked to an older toolchain.crate_size— the .crate file size in bytes. Useful for build-time budget calculations.yanked— whether the maintainer marked this version unsafe to use. Crates.io doesn't remove yanked versions but they shouldn't be selected by new builds.
Public, commercial-clear
crates.io publishes the JSON API at crates.io/api/v1 and documents that commercial use is allowed provided requests carry an identifying User-Agent. We send agentutility/x402 (crates-io-stats; [email protected]). If they need to throttle a particular client, they have an identity to throttle.
This is the third package ecosystem we vetted for clean commercial-use terms, and the third where the answer was "yes, with a User-Agent". npm, PyPI, crates.io. The pattern is consistent: registries that exist to be indexed by tooling tend to allow per-call resale; storefronts that monetize their data don't (which is what tripped us in the Comppoint research).
What's NOT here
- No vulnerability data (RustSec, CVE) — that's a separate endpoint, similar to how
package-risk-npmcomplementsnpm-package-stats. Rust supply-chain risk is on the build list. - No source-code inspection — only the registry record
- No yank-reason text — crates.io shows yanked status but not the maintainer's stated reason
Use cases
Same as the npm and pypi cousins. Dependency dashboards. README badges. PR-review agents checking if a newly-added dep is mature enough. Migration assistants comparing two libraries by adoption.
A particularly Rust-flavored one: build-time dep verification. Cargo doesn't surface package age or last-release-date in cargo tree. An agent doing dependency hygiene can call this for each direct dep and flag the ones that haven't shipped in 18 months. Costs $0.003 per dep. A medium project with 80 direct deps: 24 cents to audit the whole tree.
Call it. Pairs with npm-package-stats and pypi-package-stats for cross-ecosystem dependency vetting.