
Dependency Vulnerability Scanner

Paste your dependency file and get an instant vulnerability report with severity ratings, CVSS scores, and fix recommendations. Powered by the OSV.dev vulnerability database.


How It Works

Paste or Upload
Drop in your dependency file. We support 7 formats across Node.js, Python, Go, Ruby, Rust, Java, and PHP.

Scan Every Package
Each dependency is checked against the OSV.dev vulnerability database – the same data source used by Google and GitHub.

Get Your Report
Severity ratings, CVSS scores, vulnerability IDs, and fix version recommendations for every vulnerable package.

Supported File Types

package.json

Node.js/npm – parses dependencies, devDependencies, and handles ^, ~, >= version ranges

requirements.txt

Python/PyPI – parses pinned (==) and constrained (>=, ~=) versions, skips comments and flags

go.mod

Go modules – parses require blocks and single require statements with semantic versions

Gemfile / Gemfile.lock

Ruby/RubyGems – parses gem declarations with version constraints and lockfile specs

Cargo.toml

Rust/crates.io – parses [dependencies] section with inline and table version formats

pom.xml

Java/Maven – parses dependency blocks with groupId:artifactId format

composer.json

PHP/Packagist – parses require and require-dev objects with Composer version constraints

FAQ

Is my dependency file sent to your servers?

No. All parsing happens in your browser using JavaScript. The only external call is to the OSV.dev public API to look up known vulnerabilities. Your code and file contents never touch our servers.

What vulnerability database does this use?

We use OSV.dev (Open Source Vulnerabilities), maintained by Google. It aggregates data from the GitHub Advisory Database, PyPI Advisory Database, RustSec, Go Vulnerability Database, and more. It covers npm, PyPI, Go, RubyGems, crates.io, Maven, and Packagist ecosystems.

How accurate are the CVSS scores?

CVSS scores come directly from the vulnerability advisories in OSV.dev. When a CVSS score is not available in the advisory, we display the severity level (Critical/High/Medium/Low) based on the advisory’s own severity classification. Some advisories may not include a CVSS score.

Can I scan packages without pinned versions?

We need a version to check against. If your file uses unpinned ranges (like “latest” or “*”), we’ll skip those packages since we can’t determine the exact version you’re running. For the most accurate scan, use a lockfile (package-lock.json, Gemfile.lock, etc.) or pin your versions.

What does “fix version” mean?

The fix version is the earliest version of the package where the vulnerability has been patched, as reported by the advisory. Upgrading to this version (or later) should resolve the specific vulnerability. Some vulnerabilities may not have a fix available yet.
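The requirements.txt handling, the skipping of unpinned packages and the fix-version lookup described in the FAQ above, as an added example that is not the tool's own source. It assumes only `==` counts as pinned and that advisory records follow the public OSV schema (`affected[].ranges[].events[].fixed`); the sample file and advisory are constructed.

```javascript
// Added example (not the tool's own code): requirements.txt parsing, OSV
// querybatch request building and fix-version extraction, runnable offline.
// Assumed: only "==" is pinned; other constraints and bare names are unpinned.

// Constructed sample input (not a real project file).
const SAMPLE_REQUIREMENTS = `# web stack
-r base.txt
--index-url https://pypi.example.invalid/simple
requests==2.25.1   # pinned
flask>=1.0         # constrained, no exact version
PyYAML~=5.3
urllib3`;
// Parse requirements.txt: skip comments and pip flags, keep name and spec.
function parseRequirements(text) {
  const deps = [];
  for (const raw of text.split('\n')) {
    const line = raw.split('#')[0].trim();         // strip trailing comments
    if (!line || line.startsWith('-')) continue;   // skip -r / --index-url flags
    const m = line.match(/^([A-Za-z0-9_.-]+)\s*(?:(==|>=|~=|<=|!=|<|>)\s*([0-9][^\s;,]*))?/);
    if (!m) continue;
    const [, name, op, version] = m;
    deps.push({ name, op: op || null, version: op === '==' ? version : null });
  }
  return deps;
}

// OSV querybatch body; packages without an exact version are skipped (see FAQ).
function buildQueryBatch(deps, ecosystem) {
  return { queries: deps.filter(d => d.version)
    .map(d => ({ package: { name: d.name, ecosystem }, version: d.version })) };
}

// Constructed OSV-style record (not a real advisory): one affected range.
const SAMPLE_VULN = { id: 'EXAMPLE-0001', affected: [{
  package: { ecosystem: 'PyPI', name: 'requests' },
  ranges: [{ type: 'ECOSYSTEM', events: [{ introduced: '0' }, { fixed: '2.31.0' }] }] }] };

// Earliest "fixed" event for the package; null when no fix has been published.
function earliestFixVersion(vuln, name, ecosystem) {
  const cmp = (x, y) => { const a = x.split('.').map(Number), b = y.split('.').map(Number);
    for (let i = 0; i < Math.max(a.length, b.length); i++)
      if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) - (b[i] || 0);
    return 0; };
  const fixed = (vuln.affected || [])
    .filter(a => a.package?.name === name && a.package?.ecosystem === ecosystem)
    .flatMap(a => (a.ranges || []).flatMap(r => (r.events || []).map(e => e.fixed)))
    .filter(Boolean);
  return fixed.length ? fixed.sort(cmp)[0] : null;
}
```

In the real tool the querybatch body is POSTed to the OSV.dev API and each returned vulnerability ID is fetched in full before `earliestFixVersion` can be applied; the version comparison here handles dotted numeric versions only.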

Can I use this in CI/CD?

This is a browser-based tool. For CI/CD integration, check out osv-scanner, Google’s official CLI tool that uses the same OSV.dev database.

Go deeper with your stack health

Vulnerability scanning is just the start. Check EOL status, generate health badges, and plan your next upgrade with our full suite of free developer tools.

Powered by ReleaseRun — Free developer tools for release lifecycle management