A vulnerability is a disclosed security flaw in a package’s code. The package is legitimate; the flaw is a mistake, not an attack. Unlike a malicious package, which is harmful by design, a vulnerable package became exploitable by accident. Vulnerabilities are tracked under identifiers like CVEs and aggregated in open databases such as OSV. Each carries a severity, for example CRITICAL or HIGH, that signals how urgent a fix is.

How SafeDep surfaces them

Vet checks every dependency against OSV and reports known vulnerabilities with their severity. You decide what to do about them with policy: for example, fail a build when any dependency has a CRITICAL or HIGH vulnerability.
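As an added illustration of that policy decision (not SafeDep's own code or vet's policy syntax), the following script applies a severity gate to OSV-shaped vulnerability records: a finding's severity is read from the advisory's `database_specific.severity` label when present, otherwise from a hypothetical precomputed `base_score` using the standard CVSS v3 bands, and the build is failed when any dependency reaches the configured threshold. The package names, versions and advisory ids are constructed placeholders.

```python
"""Severity gate over OSV-style vulnerability records (added example, constructed data)."""
from __future__ import annotations
from dataclasses import dataclass

# Ranking used to express a threshold such as "HIGH or worse".
# GHSA advisories use MODERATE where NVD uses MEDIUM; treat them as equal.
SEVERITY_ORDER = {"LOW": 1, "MODERATE": 2, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def severity_from_score(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative band."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW" if score > 0.0 else "NONE"

def severity_of(vuln: dict) -> str:
    """Prefer the database's own label; fall back to a numeric score.
    `base_score` is an assumed key holding a score computed elsewhere from the CVSS vector."""
    label = (vuln.get("database_specific") or {}).get("severity")
    if label:
        return label.upper()
    score = vuln.get("base_score")
    return severity_from_score(float(score)) if score is not None else "UNKNOWN"

@dataclass
class Finding:
    package: str
    version: str
    vuln_id: str
    severity: str

def evaluate(results: list[dict], fail_at: str = "HIGH") -> list[Finding]:
    """Return findings at or above `fail_at`, worst first; an empty list means the build may pass."""
    threshold = SEVERITY_ORDER[fail_at]
    failing = []
    for entry in results:
        for v in entry.get("vulns", []):
            sev = severity_of(v)
            if SEVERITY_ORDER.get(sev, 0) >= threshold:
                failing.append(Finding(entry["package"], entry["version"], v["id"], sev))
    return sorted(failing, key=lambda f: (-SEVERITY_ORDER[f.severity], f.package))

SAMPLE_RESULTS = [  # constructed sample, not real OSV output
    {"package": "left-pad", "version": "1.3.0", "vulns": []},
    {"package": "examplelib", "version": "2.0.1", "vulns": [
        {"id": "GHSA-xxxx-xxxx-xxxx", "database_specific": {"severity": "HIGH"}},
        {"id": "CVE-0000-00000", "base_score": 3.1}]},
    {"package": "otherlib", "version": "0.9.0", "vulns": [
        {"id": "GHSA-yyyy-yyyy-yyyy", "database_specific": {"severity": "CRITICAL"}}]},
]

if __name__ == "__main__":
    blocking = evaluate(SAMPLE_RESULTS)
    for f in blocking:
        print(f"{f.severity:8} {f.package}@{f.version} {f.vuln_id}")
    raise SystemExit(1 if blocking else 0)  # non-zero exit fails the CI step
```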

Malicious Package

The other kind of dependency risk: packages that are harmful by design.

Policy

Gate builds on vulnerability severity.

Repository Scanning

Scan a repository’s dependencies for known vulnerabilities.

SBOM

Inventory the components you ship.