OSV package intelligence

Find the right package, pick a real version, then check risk.

Autocomplete now shows popular packages immediately after ecosystem selection and can suggest known versions for supported registries.

Cached registry suggestions
Manual exact names always work
Pick the registry/source where the dependency actually comes from.
After selecting ecosystem, click here to see popular packages before typing.
Supported registries can show recent known versions. Lockfile version is still best.
Checks the exact ecosystem + package + version against OSV and local CVE enrichment.
Quick test examples

What package vulnerability checking does

This tool checks an ecosystem, package name, and version against known vulnerability data. It is useful for triage before upgrading dependencies or reviewing a suspicious software inventory item.

How to interpret severity

CVE identifiers describe known vulnerabilities. CVSS estimates technical severity, EPSS estimates exploitation probability, and KEV indicates vulnerabilities known to be exploited in the wild. Use these signals together rather than relying on one score.

Remediation workflow

  1. Confirm the package name and exact version.
  2. Review fixed versions and vendor advisories.
  3. Test the upgrade in staging or CI.
  4. Document exceptions when a finding is not reachable in your application.

Limitations

False positives and false negatives are possible. Package names can differ between ecosystems, backported patches may not change upstream version numbers, and a vulnerable library may not be exploitable in every deployment.

Related tools

Scan inventories with SBOM Vulnerability Scanner, inspect JSON with JSON Formatter, and verify downloaded files with Hash Generator.