Skip to content

DebaA17/vuln-scan

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

21 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

vuln-scan

npm downloads npm version CI license

A Node.js CLI that scans a project’s lockfile (npm / pnpm / yarn) to find known vulnerabilities using the OSV.dev API.

Features

  • Detects package manager by lockfile:
    • npm: package-lock.json
    • pnpm: pnpm-lock.yaml
    • yarn: yarn.lock
  • Reads exact installed versions from the lockfile
  • Queries OSV (https://api.osv.dev/v1/query) per dependency
  • Colored, human-readable table output (chalk + cli-table3)
  • Spinner while scanning (ora)
  • Optional --json output for automation
  • Includes fix version when OSV provides one

Demo

vuln-scan demo

Install / Run

Run with npx

npx vuln-scan

Run with pnpm

pnpm dlx vuln-scan

Install globally

npm i -g vuln-scan
vuln-scan

This package also exposes vuln-scan-cli as an alias:

npx vuln-scan -- --json
npx vuln-scan-cli
vuln-scan-cli --json

Usage

vuln-scan
vuln-scan --json

Notes

  • Requires Node.js >= 18 (uses built-in fetch).
  • Scans both dependencies and devDependencies as recorded in the lockfile.

Development

pnpm install
node ./cli.js
node ./cli.js --json

Security

See SECURITY.md for vulnerability reporting and PGP details.

About

A CLI tool that scans your npm, pnpm, and yarn dependencies for known vulnerabilities using the OSV.dev and National Vulnerability Database

Topics

Resources

License

Security policy

Stars

2 stars

Watchers

0 watching

Forks

Sponsor this project

  •  

Contributors