# minimal.dev > Minimal builds hermetic, reproducible development environments backed by a > curated package catalog with supply-chain security surfaces: per-package > advisories, dependency graphs, SBOMs, and OpenSSF scorecard rollups. The package catalog tracks the gominimal/pkgs repository. Every catalog surface is anchored at a commit sha of that repo — either floating with the latest commit or pinned to a specific sha (immutable, content-addressed). ## Pages - [Home](https://minimal.dev/): product overview of Minimal's hermetic build environments - [Whitepaper](https://minimal.dev/whitepaper): why and how hermetic, reproducible environments work - [Company](https://minimal.dev/company): team and open roles - [Documentation](https://docs.minimal.dev/): guides and reference for Minimal — getting started, the dev shell, agent shell, building, and tasks - [Detonate docs](https://detonate.dev/docs): documentation for detonate.dev, Minimal's malware-analysis surface ## Package markdown mirrors - [/pkgs/{name}.md](https://minimal.dev/pkgs/jq.md): every package detail page at /pkgs/{name} has a markdown mirror at /pkgs/{name}.md — version, install command, direct + transitive advisories, dependencies, scorecard, and links, anchored at the latest commit (the example URL is the mirror for the jq package) ## Package JSON API - [/api/pkgs/bundle/latest.json](https://minimal.dev/api/pkgs/bundle/latest.json): 302 redirect to the sha-pinned listing bundle for the latest commit; cache max-age=60 - [/api/pkgs/bundle/{sha}.json](https://minimal.dev/api/pkgs/bundle/{sha}.json): listing-tier projection of every package at a commit; sha-pinned, immutable cache - [/api/pkgs/bundle/{sha}/full.json](https://minimal.dev/api/pkgs/bundle/{sha}/full.json): full composed record for every package at a commit, including the transitive-advisory rollup — everything at a snapshot in one request; sha-pinned, immutable cache - [/api/pkgs/{name}.json](https://minimal.dev/api/pkgs/jq.json): full per-package record; floats with the latest commit (max-age=60, s-maxage=3600, stale-while-revalidate) - [/api/pkgs/{name}/sbom.json](https://minimal.dev/api/pkgs/jq/sbom.json): CycloneDX 1.5 SBOM with the transitive build+runtime closure and vulnerabilities (append ?format=spdx for SPDX 2.3); floats with the latest commit - [/api/pkgs/bundle/{sha}/{name}/sbom.json](https://minimal.dev/api/pkgs/bundle/{sha}/{name}/sbom.json): same SBOM pinned to a commit for reproducible point-in-time output; sha-pinned, immutable cache - [/api/pkgs/bundle/{sha}/{name}/versions.json](https://minimal.dev/api/pkgs/bundle/{sha}/{name}/versions.json): version-history timeline for a package at a commit; sha-pinned, content-addressed cache - [/api/pkgs/bundle/{sha}/{name}/deps.json](https://minimal.dev/api/pkgs/bundle/{sha}/{name}/deps.json): direct dependencies with version, license, and advisory rollup at a commit; sha-pinned, content-addressed cache - [/api/pkgs/recent-commits.json](https://minimal.dev/api/pkgs/recent-commits.json): recent commits on gominimal/pkgs:main with subjects; floats with the live tip - [/api/pkgs/bundle/{sha}/diff/{base}.json](https://minimal.dev/api/pkgs/bundle/{sha}/diff/{base}.json): catalog diff from base (older) to sha (newer) — packages added/removed, upgrades, advisory deltas; pair-addressed, immutable cache - [/api/pkgs/openapi.json](https://minimal.dev/api/pkgs/openapi.json): OpenAPI 3.1 description of every endpoint above, schemas generated from the served wire shapes ## Feeds - [/pkgs/advisories.xml](https://minimal.dev/pkgs/advisories.xml): Atom feed of security advisories across the catalog, newest first; floats with the latest commit