Drop manifest here or click to upload (package.json, requirements.txt, Gemfile, composer.json)
Drop lockfile here, optional (package-lock.json, poetry.lock, Gemfile.lock, composer.lock)
How it works
1. Paste: Drop your manifest file or try an example
2. Scan: Live CVE lookup from OSV database & CISA KEV
3. Download: Fixed manifest + changelog .zip in one click
Frequently asked questions
Does my manifest file leave my browser?
No. Parsing happens entirely in your browser. Only package names and version ranges are sent to public APIs (OSV, npm registry, PyPI, RubyGems, Packagist) — the same requests any package manager makes. Your actual code and file contents never leave your device.
How current is the vulnerability data?
The OSV database updates continuously — vulnerabilities published yesterday, zero-days from this morning, and safe fix versions released last week are all reflected. This is data no AI model can give you from training alone.
What is the CISA KEV catalog?
The CISA Known Exploited Vulnerabilities catalog lists vulnerabilities actively being exploited in real attacks right now. A package flagged with 🔴 KEV should be treated as an emergency fix, not a routine update.
How is this different from Snyk or Dependabot?
Snyk and Dependabot require a GitHub connection, CLI install, or account signup. PackageFix runs entirely in your browser — nothing installed, nothing connected, nothing written to your system. Paste your file, get back the fixed version in seconds. Safe to use even where third-party integrations are blocked by security policy.