📄 List of GitHub Repositories of the API3 DAO
This document serves as a single source of truth for all repositories in the organization and the individuals responsible for managing design decisions and dependencies.
Repository States and Roles
Each repository is in one of three states; active and finalized repositories are listed in their own sections below:
- Active — Has both a Code Owner and a Dependencies Owner. The repository is under active development and its dependency updates are tracked. Each active repository MUST implement the organization policy for package management.
- Finalized — Has a Code Owner but no Dependencies Owner. The repository is feature-complete and stable; dependencies are not actively updated, but the Code Owner remains responsible for the codebase. Such a repository CAN, but is not required to, adopt the organization policy for package management. The repo should be archived on GitHub only with permission from the Code Owner (or leadership).
- Archived — Has neither a Code Owner nor a Dependencies Owner. The repository is no longer relevant and is archived on GitHub. It is not listed in this document at all.
There are two roles:
- Dependencies Owner — The designated individual(s) responsible for updating dependencies, watching for necessary updates or security patches, and managing the configuration of the Renovate bot as defined by the organization policy.
- Code Owner — The designated individual responsible for critical decisions and for overseeing code quality so that it aligns with the design specifications. The Code Owner has the final say on how dependencies are managed and, in deadlock situations, the authority to make the final call. Note that the Code Owner does not need to be explicitly listed in the repository's GitHub CODEOWNERS file, but if one is listed, it must match.
Package Management
TLDR: Each active JS repository with packages MUST use pnpm@10 or above and the organization Renovate config. Repositories may optionally define overrides on an as-needed basis. Repositories using other tech stacks should opt in to equivalent policies using the appropriate tooling that stack offers.
The current software ecosystem moves fast, especially since the introduction of AI and vibe coding. It is extremely easy to introduce a vulnerability and let agents blindly execute it behind the scenes. The JS ecosystem has always been known for the prevalence of malicious code in widely used dependencies. Just to name a few cases:
- https://jdstaerk.substack.com/p/we-just-found-malicious-code-in-the
- https://www.wiz.io/blog/wiz-research-codebreach-vulnerability-aws-codebuild
- https://futuresearch.ai/blog/litellm-pypi-supply-chain-attack/
- https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html?m=1
For this reason, we have created an organizational strategy for dependency management, including the use of a safe package manager, that every new repository must follow. All of the details behind the process can be found in:
- https://github.com/api3dao/tasks/issues/1777
- https://github.com/api3dao/tasks/issues/1855
- https://github.com/api3dao/renovate-config
Active Repositories
Finalized Repositories
Finalized repositories are recommended to define a Renovate config with dependency updates disabled to avoid unnecessary PRs.
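A Renovate config for a finalized repository, given here as an added example rather than a file taken from any API3 repository: it keeps the organization preset (the `github>api3dao/renovate-config` reference assumes that repository exposes its preset as its default preset file) and switches Renovate off so no update PRs are opened.

```json5
// renovate.json5 (added example, not from an API3 repository)
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  // Keep the shared organization preset so the repo stays consistent with the policy.
  // Assumption: api3dao/renovate-config publishes its preset as the repository default.
  "extends": ["github>api3dao/renovate-config"],
  // Finalized repository: dependencies are not actively updated, so suppress all
  // Renovate PRs. Remove this line if the repository becomes Active again.
  "enabled": false
}
```

An active repository uses the same `extends` entry without `enabled: false`, adding `packageRules` overrides only where a specific package needs different handling.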