What it does

Send a Python package name. Get back the numbers.

curl -X POST https://x402.agentutility.ai/pypi-package-stats \
  -d '{"package": "requests", "recent_versions": 3}'

{
  "package": "requests",
  "normalized_name": "requests",
  "latest_version": "2.31.0",
  "total_versions": 152,
  "age_days": 5300,
  "days_since_last_release": 220,
  "license": "Apache 2.0",
  "repository": "https://github.com/psf/requests",
  "downloads": {
    "last_day": 4800000,
    "last_week": 33500000,
    "last_month": 142000000
  }
}

$0.003 USDC per call. Two parallel fetches: the PyPI JSON record + pypistats.org recent downloads. One response.

The Python counterpart to npm-package-stats

This week the npm version of the same idea landed. PyPI gets the same treatment because the question "how alive is this dependency" comes up the same way regardless of language.

What an agent typically wants to know before touching a package:

  • Is it actively maintained? (days_since_last_release)
  • Is it used? (downloads.last_month)
  • What was the last version, and when? (recent_versions)
  • What's the license? (matters for compliance gates)
  • Where's the source? (matters for code-review agents)

All of that comes back in one call. No subscription, no API key, no per-package signup.

PEP 503 normalization

PyPI does a thing npm doesn't: package names are case-insensitive, and -, _ and . are all treated as equivalent separators. requests, Requests, REQUESTS, and re_quests all resolve to the same package. The endpoint normalizes via PEP 503 internally and returns both the input name and the canonical normalized form. If you're caching by package name, key off normalized_name, not package, or you'll cache the same package three times.

What's NOT here

  • No vulnerability data (CVE, GHSA, pip-audit) — call pypi-package-risk for the security audit at $0.01
  • No source-code inspection — only the registry document
  • No version-range resolution (no >=2.0,<3.0 solver) — pass an explicit version if you need pre-release behavior or yanked-version info

Edge cases

  • Yanked versions appear in recent_versions with yanked: true set
  • Missing fields (no homepage, no docs URL) return null
  • pypistats.org sometimes 502s for low-traffic packages; downloads degrade gracefully (individual windows return null, the rest of the response still comes through)
  • A 404 from PyPI on a typo comes back as 404, not 502
  • Project URLs are scanned in order — Repository, Source, Source Code, Homepage — to find the most likely canonical repo link

Use cases

Dependency dashboards that watch 200 packages on a daily cron. ~60 cents per refresh. The same query against pypi-package-risk would be $2 — fine if you want the full risk write-up, overkill if you just want freshness signals.

Migration assistants comparing libraries. "Should we adopt httpx or stick with requests?" Now you can answer with hard numbers in two calls.

Code-review agents that read a PR adding a new dependency. Get the stats. Decide whether to surface "wait, this dep is 3 years stale" to the reviewer.
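A sketch of the client side of that review gate, added here as an example and not code from the service: it folds package spellings with the PEP 503 rule so each project is fetched once, then turns one response into reviewer findings while treating null fields as unknown rather than zero. The thresholds, the function names and the shape of recent_versions entries (objects carrying a yanked flag) are assumptions.

```python
import re

# Assumed policy thresholds (not from the page); tune them for your own gate.
MAX_STALE_DAYS = 3 * 365
MIN_MONTHLY_DOWNLOADS = 1_000

def normalize(name):
    """PEP 503: runs of '-', '_' and '.' become one '-', then lowercase."""
    return re.sub(r"[-_.]+", "-", name).lower()

def dedupe(names):
    """Return normalized names, one per project, in first-seen order."""
    seen = {}
    for n in names:
        seen.setdefault(normalize(n), n)
    return list(seen)

def review_findings(stats):
    """Turn one pypi-package-stats response into reviewer-facing findings."""
    findings = []
    stale = stats.get("days_since_last_release")
    if stale is not None and stale > MAX_STALE_DAYS:
        findings.append(f"stale: last release {stale} days ago")
    # A null window means pypistats.org was unavailable, not zero downloads.
    monthly = (stats.get("downloads") or {}).get("last_month")
    if monthly is None:
        findings.append("downloads unknown: retry before judging usage")
    elif monthly < MIN_MONTHLY_DOWNLOADS:
        findings.append(f"low usage: {monthly} downloads last month")
    if not stats.get("license"):
        findings.append("license missing: compliance gate cannot pass")
    if not stats.get("repository"):
        findings.append("no repository link: source cannot be reviewed")
    # Assumed entry shape: each recent_versions item is a dict with 'yanked'.
    yanked = [v for v in stats.get("recent_versions") or [] if v.get("yanked")]
    if yanked:
        findings.append(f"{len(yanked)} recent version(s) yanked")
    return findings

# Constructed sample response, shaped like the one shown on the page.
SAMPLE = {
    "package": "Some_Pkg", "normalized_name": "some-pkg",
    "days_since_last_release": 1400, "license": None,
    "repository": "https://example.invalid/some-pkg",
    "downloads": {"last_day": 12, "last_week": None, "last_month": None},
    "recent_versions": [{"yanked": True}, {"yanked": False}],
}

if __name__ == "__main__":
    print(dedupe(["Flask_SQLAlchemy", "flask.sqlalchemy", "requests"]))
    for finding in review_findings(SAMPLE):
        print("-", finding)
```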

Call it. Pairs with npm-package-stats, pypi-package-risk, and package-risk-npm for full cross-ecosystem dependency vetting.