OSV Watch
Check for security vulnerabilities in your packages using the OSV (Open Source Vulnerabilities) database
Real-time Scanning
Instantly check your package versions against the latest vulnerability database
Multi-Ecosystem Support
Supports 38+ ecosystems including npm, PyPI, Maven, Go, NuGet, RubyGems, Cargo, Packagist, and more
Detailed Reports
Get comprehensive vulnerability details including CVEs, affected versions, and references
Understanding Vulnerabilities
A security vulnerability is a weakness or flaw in software that can be exploited by attackers to gain unauthorized access, steal data, or cause damage to systems. Vulnerabilities can exist in any software component, including dependencies and third-party libraries.
Common Types of Vulnerabilities:
- SQL Injection: Allows attackers to manipulate database queries
- Cross-Site Scripting (XSS): Enables injection of malicious scripts into web pages
- Remote Code Execution (RCE): Allows attackers to execute arbitrary code on your system
- Denial of Service (DoS): Can crash or overwhelm your application
- Authentication Bypass: Allows unauthorized access to protected resources
How to Resolve Vulnerabilities
Step 1: Review the Vulnerability Details
Click on any vulnerability to see detailed information including:
- Affected version ranges
- Severity level and CVSS scores
- Detailed description and impact
- References to security advisories
- Patched versions or workarounds
Step 2: Update to a Secure Version
The most common and recommended solution is to update the affected package to a version that has the vulnerability patched. Check the vulnerability details to see which versions are safe.
Security Best Practices
🔄 Regular Updates
Keep all dependencies updated to their latest secure versions. Schedule regular security audits at least monthly or before major releases.
🤖 Automated Scanning
Integrate vulnerability scanning into your CI/CD pipeline using tools like Dependabot, Snyk, or npm audit.
📌 Dependency Pinning
Use exact version numbers or lock files so that builds are reproducible and dependencies change only when you decide to update them; combine pinning with regular scanning, since a pinned version stays pinned even after a vulnerability is published for it.
🚨 Prioritize Critical Issues
Focus on high and critical severity vulnerabilities first. These pose the greatest risk to your application and users.
📧 Security Advisories
Subscribe to security mailing lists for your dependencies to stay informed about new vulnerabilities and patches.
👀 Code Review
Review dependency updates before merging them so that compatibility and security problems are caught before they reach production.
📦 Minimize Dependencies
Only include dependencies you actually need. Fewer dependencies mean fewer potential vulnerabilities to manage.
About OSV (Open Source Vulnerabilities)
OSV is a distributed vulnerability database and service that aggregates security advisories from multiple sources. It provides a standardized format for vulnerability information, making it easier for developers to check if their dependencies are affected by known security issues.
Why OSV Matters:
- Unified Database: Aggregates vulnerabilities from multiple sources (GitHub, npm, PyPI, etc.)
- Standardized Format: Uses a consistent schema across all ecosystems
- Real-time Updates: Continuously updated with the latest security advisories
- Open Source: Free and open for everyone to use and contribute
- API Access: Easy integration with automated security tools
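As an added example (not OSV Watch's own code) of what Steps 1 and 2 and the API Access bullet describe in practice: building the request body for OSV's /v1/query endpoint and evaluating a returned record's affected version ranges against an installed version, the way a lockfile scanner does when it works from downloaded OSV records. The record, package name and advisory ids are constructed placeholders, and the version comparison is simplified to dotted numeric versions.

```python
def build_query(ecosystem: str, name: str, version: str) -> dict:
    # Request body for POST https://api.osv.dev/v1/query; not sent in this demo.
    return {"version": version, "package": {"name": name, "ecosystem": ecosystem}}

def _key(version: str) -> tuple:
    # Simplified ordering: dotted numeric versions only (no pre-release tags).
    return tuple(int(p) for p in version.split("."))

def is_affected(version: str, affected: dict) -> bool:
    """True if `version` lies in an affected range or the explicit version list."""
    if version in affected.get("versions", []):
        return True
    for rng in affected.get("ranges", []):
        if rng.get("type") not in ("SEMVER", "ECOSYSTEM"):
            continue  # GIT ranges need commit ancestry; not handled here
        hit = False   # events are assumed in ascending order, as OSV publishes them
        for event in rng.get("events", []):
            if "introduced" in event:
                hit = hit or (event["introduced"] == "0"
                              or _key(version) >= _key(event["introduced"]))
            elif "fixed" in event and _key(version) >= _key(event["fixed"]):
                hit = False  # 'last_affected' events are ignored in this demo
        if hit:
            return True
    return False

def summarize(vuln: dict) -> dict:
    """Fields a triage report needs: id, CVE aliases, fixed versions, references."""
    fixed = {e["fixed"] for a in vuln.get("affected", []) for r in a.get("ranges", [])
             for e in r.get("events", []) if "fixed" in e}
    return {"id": vuln["id"],
            "cves": [x for x in vuln.get("aliases", []) if x.startswith("CVE-")],
            "fixed": sorted(fixed, key=_key),
            "references": [r["url"] for r in vuln.get("references", [])]}

# Constructed sample in OSV format, shaped like the "vulns" list /v1/query returns.
SAMPLE_RESPONSE = {"vulns": [{
    "id": "EXAMPLE-0001", "aliases": ["CVE-0000-0000"],  # placeholder ids, not real
    "affected": [{"package": {"ecosystem": "npm", "name": "example-pkg"},
                  "ranges": [{"type": "SEMVER", "events": [
                      {"introduced": "0"}, {"fixed": "1.4.2"},
                      {"introduced": "2.0.0"}, {"fixed": "2.1.0"}]}]}],
    "references": [{"type": "ADVISORY", "url": "https://example.invalid/advisory"}]}]}

def check(ecosystem: str, name: str, version: str, response: dict = SAMPLE_RESPONSE) -> list:
    """Summaries of the vulns in `response` whose affected entries cover `version`."""
    return [summarize(v) for v in response.get("vulns", [])
            if any(is_affected(version, a) for a in v.get("affected", [])
                   if a.get("package", {}).get("ecosystem") == ecosystem
                   and a.get("package", {}).get("name") == name)]
```

The sample range is affected in [0, 1.4.2) and again in [2.0.0, 2.1.0), so `check("npm", "example-pkg", "1.5.0")` is clean while `"2.0.5"` is flagged with both fixed versions listed.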