
Research
/Security News
jscrambler npm Package Compromised in Supply Chain Attack
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.
@opencode-ai/models
Advanced tools
Official typed client for the models.dev API — an open database of AI model capabilities, pricing, and limits
Official typed client for the models.dev API — an open-source database of AI model capabilities, pricing, and limits.
npm install @opencode-ai/models
fetch wrapper; works on Node ≥ 18, Bun, Deno, browsers, and edge runtimes.import { Models } from "@opencode-ai/models"
const client = Models.make()
const providers = await client.providers() // GET /api.json
providers["anthropic"]?.models["claude-opus-4-6"]?.cost?.input // USD per 1M tokens
const models = await client.models() // GET /models.json
models["anthropic/claude-opus-4-6"]?.knowledge // provider-agnostic metadata
const catalog = await client.catalog() // GET /catalog.json — both in one request
| Method | Endpoint | Contents |
|---|---|---|
providers() | /api.json | Providers with their models, pricing, and limits |
models() | /models.json | Provider-agnostic model metadata, keyed by <lab>/<model> |
catalog() | /catalog.json | { providers, models } in a single payload |
The client is stateless: every call performs exactly one GET, nothing is cached, and lookups are plain object access on the returned data. Cache however you like:
let cached: Promise<ProviderMap> | undefined
const providers = () => (cached ??= client.providers())
Options:
const client = Models.make({
baseUrl: "https://models.dev", // default
fetch: myFetch, // proxies, polyfills, test doubles
headers: { "x-extra": "1" }, // sent with every request
})
await client.providers({ signal: AbortSignal.timeout(5000) })
Errors are a single ModelsDevError with reason: "Transport" | "UnexpectedStatus" | "MalformedResponse" and the underlying cause.
A full copy of the database ships inside the package as a separate, tree-shakable entrypoint — nothing from it is loaded or bundled unless you import it:
import snapshot, { providers, models, generatedAt } from "@opencode-ai/models/snapshot"
providers["anthropic"]?.models["claude-opus-4-6"]?.limit.context
Use it for no-network runtimes, tests, cold-start-sensitive paths, or as an explicit fallback:
const providers = await client.providers().catch(async () => (await import("@opencode-ai/models/snapshot")).providers)
Freshness: the published snapshot is at most ~24h behind the live API (data releases are automated). The client is the freshness path; the snapshot is the availability path.
An Effect-native client lives at @opencode-ai/models/effect (requires the optional peer dependency effect):
import { Models } from "@opencode-ai/models/effect"
import { FetchHttpClient } from "effect/unstable/http"
import { Effect } from "effect"
const program = Effect.gen(function* () {
const client = yield* Models.make()
return yield* client.providers() // Effect<ProviderMap, ModelsDevError>
})
await program.pipe(Effect.provide(FetchHttpClient.layer), Effect.runPromise)
Transport comes from the environment's HttpClient service, so proxies, retries, tracing, and test transports compose the usual Effect way. For DI, Models.Service and Models.layer(options?) are provided:
const program = Effect.gen(function* () {
const client = yield* Models.Service
return yield* client.models()
})
program.pipe(Effect.provide(Models.layer().pipe(Layer.provide(FetchHttpClient.layer))))
All data types are exported from the root (and re-exported from /effect): Provider, Model, ModelMetadata, Catalog, Cost, Limit, ReasoningOption, and friends.
The data lives as TOML files in anomalyco/models.dev — corrections and new models/providers are welcome there. This package is generated and published from that repository.
FAQs
Official typed client for the models.dev API — an open database of AI model capabilities, pricing, and limits
The npm package @opencode-ai/models receives a total of 1,274 weekly downloads. As such, @opencode-ai/models popularity was classified as popular.
We found that @opencode-ai/models demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Research
/Security News
A malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps.

Security News
/Research
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.