The advisory API lets you discover security advisories for volumes hosted on a bibliotheca. You can list all advisories that affect a given volume or fetch a single advisory by its local ID. Advisory records follow a structured schema compatible with OSV-style range/event semantics. No authentication is required for read operations. Advisory write operations — create, update, withdrawal — are bibliotheca-local and not standardized in v0.1.

Endpoints

GET /api/v1/advisories?volume={name}
GET /api/v1/advisories/{advisoryId}

List advisories for a volume

volume (string): Volume name (scopeless or @scope/name). Returns all advisories that affect the specified volume.

GET /api/v1/advisories?volume=@acme/research-agent-pack

Fetch a single advisory

advisoryId (string, required): The bibliotheca-local advisory ID.

GET /api/v1/advisories/AV-2026-0042

Advisory response fields

id (object, required): Advisory identifier object.
source (object, required): Source ecosystem information.
severity (string, required): One of critical, high, medium, or low.
published (string, required): ISO 8601 timestamp when this advisory was first published.
updated (string, required): ISO 8601 timestamp of the most recent update to this advisory.
withdrawn (object): Present when the advisory has been withdrawn.
affected (object, required): Affected volume and version range information.
relationships (object[]): Advisory relationships for tracking supersession, related advisories, or duplicates.
summary (string): Short human-readable summary of the advisory.
details (string): Full human-readable details about the vulnerability.

Example advisory

{
  "id": {
    "local": "AV-2026-0042",
    "preferredExternal": "GHSA-xxxx-yyyy-zzzz",
    "aliases": ["CVE-2026-12345"]
  },
  "source": {
    "ecosystem": "ghsa",
    "url": "https://github.com/advisories/GHSA-xxxx-yyyy-zzzz"
  },
  "severity": "high",
  "published": "2026-05-01T12:00:00Z",
  "updated": "2026-05-10T09:30:00Z",
  "affected": {
    "volume": "@acme/research-agent-pack",
    "purl": "pkg:volume/%40acme/research-agent-pack",
    "ranges": [
      {
        "type": "semver",
        "events": [{ "introduced": "0" }, { "fixed": "1.4.0" }]
      }
    ]
  },
  "summary": "Prompt injection vulnerability in arxiv-search tool",
  "details": "Unsanitized query parameters in the arxiv-search component allow a malicious query string to inject instructions into the agent context."
}

List response envelope

The list endpoint returns a collection envelope:

{
  "items": [
    { ... },
    { ... }
  ]
}

Affected version semantics

Affected version ranges use OSV-style event sequences. Read the events in order to determine which versions are affected:
  • introduced: "0" means affected from the beginning of version history
  • fixed: "1.4.0" means versions >= 0 and < 1.4.0 are affected
  • lastAffected: "1.3.9" means versions up to and including 1.3.9 are affected
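The following is an added example, not code from the agentvolumes project, showing how a consumer would apply these event semantics to an advisory record and check the required fields listed above before trusting it. The sample record is constructed to mirror the documented example (its identifiers are the placeholders from this page); the semver comparison is a compact implementation written here, the field name lastAffected follows this page's spelling, and the shape of the withdrawn object (an "at" timestamp) is an assumption, since the page does not define it.

```python
import json
import re
from datetime import datetime

# Constructed sample record mirroring the documented example advisory.
# The identifiers are the placeholders from the docs, not real advisories.
SAMPLE_ADVISORY = json.loads("""
{
  "id": {"local": "AV-2026-0042", "aliases": ["CVE-2026-12345"]},
  "source": {"ecosystem": "ghsa",
             "url": "https://github.com/advisories/GHSA-xxxx-yyyy-zzzz"},
  "severity": "high",
  "published": "2026-05-01T12:00:00Z",
  "updated": "2026-05-10T09:30:00Z",
  "affected": {
    "volume": "@acme/research-agent-pack",
    "ranges": [{"type": "semver",
                "events": [{"introduced": "0"}, {"fixed": "1.4.0"}]}]
  },
  "summary": "Prompt injection vulnerability in arxiv-search tool"
}
""")

REQUIRED_FIELDS = ("id", "source", "severity", "published", "updated", "affected")
SEVERITIES = ("critical", "high", "medium", "low")

_SEMVER = re.compile(
    r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$")


def parse_semver(text: str) -> tuple:
    """Turn 'MAJOR[.MINOR[.PATCH]][-pre][+build]' into a tuple that sorts by
    semver precedence. Missing parts default to 0, so the OSV sentinel "0"
    becomes 0.0.0. A pre-release sorts below its release; build metadata is
    ignored, as the semver spec requires."""
    m = _SEMVER.match(text)
    if not m:
        raise ValueError(f"not a semver version: {text!r}")
    major, minor, patch, pre = m.groups()
    nums = (int(major), int(minor or 0), int(patch or 0))
    if pre is None:
        return nums + ((1, ()),)      # release: ranks above any pre-release
    ids = tuple((0, int(i)) if i.isdigit() else (1, i) for i in pre.split("."))
    return nums + ((0, ids),)         # numeric identifiers rank below alphanumeric


def is_affected(advisory: dict, version: str) -> bool:
    """Walk each semver range's events in order: an `introduced` at or below
    the version opens an affected span; a later `fixed` at or below it, or a
    `lastAffected` strictly below it, closes the span again."""
    v = parse_semver(version)
    for rng in advisory["affected"].get("ranges", []):
        if rng.get("type") != "semver":
            continue                  # only semver ranges are documented here
        affected = False
        for event in rng["events"]:
            if "introduced" in event:
                if parse_semver(event["introduced"]) <= v:
                    affected = True
            elif "fixed" in event:
                if parse_semver(event["fixed"]) <= v:
                    affected = False
            elif "lastAffected" in event:
                if parse_semver(event["lastAffected"]) < v:
                    affected = False
        if affected:
            return True
    return False


def validate_advisory(advisory: dict) -> list:
    """Check the required fields from 'Advisory response fields'. An empty list
    means the record is usable; a malformed record should fail loudly here
    rather than silently evaluate as 'not affected'."""
    problems = []
    for field in REQUIRED_FIELDS:
        if field not in advisory:
            problems.append(f"missing required field: {field}")
    if advisory.get("severity") not in SEVERITIES:
        problems.append(f"severity must be one of {SEVERITIES}")
    for key in ("published", "updated"):
        try:   # 'Z' suffix rewritten so older Python fromisoformat accepts it
            datetime.fromisoformat(str(advisory.get(key, "")).replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"{key} is not an ISO 8601 timestamp")
    for rng in advisory.get("affected", {}).get("ranges", []):
        if rng.get("type") != "semver":
            continue
        for event in rng.get("events", []):
            for bound in event.values():
                try:
                    parse_semver(bound)
                except ValueError as exc:
                    problems.append(str(exc))
    return problems


def affecting_advisories(envelope: dict, version: str) -> list:
    """Filter a list-endpoint envelope ({"items": [...]}) down to advisories
    that are not withdrawn and whose ranges cover `version`."""
    return [a for a in envelope["items"]
            if "withdrawn" not in a and is_affected(a, version)]


if __name__ == "__main__":
    print(validate_advisory(SAMPLE_ADVISORY))
    for v in ("0.0.1", "1.3.9", "1.4.0-rc.1", "1.4.0"):
        print(v, is_affected(SAMPLE_ADVISORY, v))
```

Two details worth noting: a pre-release such as 1.4.0-rc.1 sorts below the fixed version 1.4.0 and is therefore still reported as affected, and withdrawn advisories are filtered out at the envelope level rather than inside the range check, so the range logic stays a pure function of the events.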
Advisory targeting in v0.1 is volume-level only. Component-level impact metadata in componentImpact is informational and does not narrow or change the normative volume-level advisory target.
Scanner findings are not advisory records by themselves. A bibliotheca may create or update an advisory based on scanner information under local policy, but the portable contract is the advisory read and discovery model, not scanner-result interchange.