ITD Web Security Platform

Dependency Vulnerability Scanner

Paste a package.json, package-lock.json, or pnpm-lock.yaml. Each npm package is checked against OSV.dev (Google's open vulnerability database) and matched against known CVEs, with severity and the fixed version.

All parsing happens in your browser. Your pasted dependency list never passes through ITD's server — it goes straight from your browser to OSV.dev (CORS). ITD does not store, log, or proxy it.


How to use

  1. Paste your project's package.json, or the contents of package-lock.json / pnpm-lock.yaml.
  2. Hit “Scan” to check each package against OSV.dev (a lockfile gives the exact pinned versions; package.json infers from the declared ranges).
  3. Findings are shown by severity. Upgrade to the fixed version, and generate an AI prompt below to do it safely.

Why it matters

Dependencies are code you didn't write but are responsible for. Log4Shell and XZ both entered through a single dependency. OSV.dev aggregates GitHub Advisories and ecosystem advisories into an open vulnerability database you can query by npm package name + version. Accuracy depends on input — a lockfile (exact installed versions) is most accurate; package.json is an estimate from declared ranges. This tool is for a one-off check right now; your durable defense is automated dependency auditing in CI (GitHub Dependabot / `pnpm audit` / osv-scanner). ITD itself runs a dependency audit before every deploy and keeps known advisories at zero.
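As an added illustration of the steps above (not ITD's own scanner code), the snippet below turns a package-lock.json or a package.json into the exact name + version pairs that an OSV.dev query needs, builds the batch request body, and maps the response back to packages. It assumes the public OSV batch endpoint `POST https://api.osv.dev/v1/querybatch`; the sample lockfile and response are constructed so the code runs offline.

```javascript
// Assumed OSV.dev endpoint (from the public OSV API); the network call itself is omitted.
const OSV_QUERYBATCH_URL = "https://api.osv.dev/v1/querybatch";

// "node_modules/a/node_modules/@scope/b" -> "@scope/b" (nested transitive copies).
function nameFromLockPath(path) {
  const idx = path.lastIndexOf("node_modules/");
  return idx === -1 ? path : path.slice(idx + "node_modules/".length);
}

// A lockfile (v2/v3 "packages" map) gives exact installed versions, transitive ones
// included. package.json only gives declared ranges, so "^1.2.3" / "~1.2.3" is
// reduced to "1.2.3" and flagged exact:false; ranges like "*" cannot be pinned.
function collectNpmPackages(text) {
  const doc = JSON.parse(text);
  const out = new Map(); // "name@version" key dedupes repeated transitive copies
  if (doc.packages && typeof doc.packages === "object") {
    for (const [path, meta] of Object.entries(doc.packages)) {
      if (path === "" || !meta.version) continue; // "" is the project itself
      const name = meta.name || nameFromLockPath(path);
      out.set(`${name}@${meta.version}`, { name, version: meta.version, exact: true });
    }
  } else {
    for (const field of ["dependencies", "devDependencies"]) {
      for (const [name, range] of Object.entries(doc[field] || {})) {
        const m = /^[\^~]?(\d+\.\d+\.\d+)$/.exec(String(range).trim());
        if (!m) continue;
        out.set(`${name}@${m[1]}`, { name, version: m[1], exact: false });
      }
    }
  }
  return [...out.values()];
}

// One OSV query per package, ecosystem "npm" (the querybatch request shape).
function buildOsvQueryBatch(pkgs) {
  return { queries: pkgs.map(p => ({ package: { name: p.name, ecosystem: "npm" }, version: p.version })) };
}

// results[i] answers queries[i]; each carries a (possibly empty) vulns list of {id, modified}.
function matchOsvResults(pkgs, response) {
  return pkgs
    .map((p, i) => ({ ...p, vulnIds: ((response.results[i] || {}).vulns || []).map(v => v.id) }))
    .filter(p => p.vulnIds.length > 0);
}

// Constructed sample input and a constructed OSV-style reply (placeholder advisory id).
const SAMPLE_LOCK = JSON.stringify({ lockfileVersion: 3, packages: {
  "": { name: "app", version: "1.0.0" },
  "node_modules/lodash": { version: "4.17.20" },
  "node_modules/a": { version: "1.0.0" },
  "node_modules/a/node_modules/@scope/b": { version: "2.0.0" } } });
const SAMPLE_RESPONSE = { results: [ { vulns: [ { id: "GHSA-EXAMPLE-0001", modified: "2024-01-01T00:00:00Z" } ] }, {}, {} ] };
```

In the browser, `fetch(OSV_QUERYBATCH_URL, { method: "POST", body: JSON.stringify(buildOsvQueryBatch(pkgs)) })` supplies the response; the batch reply only lists advisory ids, so severity and fixed version come from a follow-up lookup of each id.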

FAQ

Q: Is my pasted dependency list sent anywhere?

A: Not to ITD. Parsing happens in your browser, and the check is made directly from your browser to OSV.dev (api.osv.dev) over HTTPS. ITD never stores, logs, or proxies it.

Q: Should I paste package.json or a lockfile?

A: For accuracy, use a lockfile (package-lock.json or pnpm-lock.yaml): it reflects the exact installed versions, including transitive dependencies. package.json is an estimate from declared ranges (^1.2.3, etc.) — useful as a quick gauge.

Q: If it shows zero vulnerabilities, am I safe?

A: No. It can't catch vulnerabilities not yet in OSV, misconfiguration, or flaws in your own code. This is a first-pass check for known CVEs. Continuous protection comes from automated auditing in CI (Dependabot / pnpm audit / osv-scanner).

Q: Which formats are supported?

A: Currently the npm ecosystem (package.json / package-lock.json / pnpm-lock.yaml). yarn.lock and other ecosystems (PyPI, Go, etc.) aren't supported yet — OSV.dev itself is multi-ecosystem, so that's a candidate for later.
