Dependency Security Scanning with Pre-commit Hooks

Catch vulnerable dependencies before they even enter your git history. Pre-commit hooks run automatically on every commit — no CI required.

Quick setup — npm projects

Install Husky (npx husky init adds a prepare script to package.json and creates .husky/pre-commit), then replace the generated hook's contents:

# Install husky
npm install --save-dev husky
npx husky init

# Contents of .husky/pre-commit:
#!/bin/sh
# Block the commit when npm audit reports anything at or above the critical level.
if ! npm audit --audit-level=critical; then
  echo "Critical CVEs found. Fix before committing."
  echo "Run: npm audit fix or paste package.json into packagefix.dev"
  exit 1
fi
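The one-liner above treats every non-zero exit from npm audit the same way. The following is an added example, not code from the original page or from PackageFix: a small gate script that parses npm audit --json, blocks only on CRITICAL, warns on HIGH (the threshold the FAQ below recommends), and reports a missing audit report (network or lockfile problem) as a distinct failure instead of a silent pass. It assumes npm 7 or newer, whose JSON report carries counts under metadata.vulnerabilities; the file name scripts/audit-gate.sh and the function names are the example's own.

```sh
#!/bin/sh
# Added example, not from the original page or from PackageFix: a pre-commit gate
# that parses `npm audit --json` and applies the FAQ policy (block on CRITICAL,
# warn on HIGH) while treating a missing report as its own failure.
# Assumes npm >= 7, whose JSON report carries counts in metadata.vulnerabilities.

# count_severity LEVEL JSON: print the count for LEVEL from the metadata block
# (empty output means the report had no such block, e.g. npm printed an error).
count_severity() {
  printf '%s' "$2" | tr -d '[:space:]' \
    | sed -n "s/.*\"metadata\":{\"vulnerabilities\":{[^}]*\"$1\":\([0-9]*\).*/\1/p"
}

# audit_gate JSON: returns 0 (commit allowed), 1 (CRITICAL found) or 2 (no usable report)
audit_gate() {
  critical=$(count_severity critical "$1")
  high=$(count_severity high "$1")
  if [ -z "$critical" ] || [ -z "$high" ]; then
    echo "audit-gate: npm audit produced no usable report (network or lockfile problem?)" >&2
    return 2
  fi
  if [ "$critical" -gt 0 ]; then
    echo "audit-gate: $critical CRITICAL advisories. Run npm audit fix or paste package.json into packagefix.dev" >&2
    return 1
  fi
  if [ "$high" -gt 0 ]; then
    echo "audit-gate: warning: $high HIGH advisories, commit allowed but review soon" >&2
  fi
  return 0
}

# run_hook: what .husky/pre-commit calls. npm audit exits 1 whenever it finds
# anything, so the JSON is kept regardless of that exit status.
run_hook() {
  report=$(npm audit --json 2>/dev/null) || true
  audit_gate "$report"
}

# Constructed sample reports in the npm 7+ shape (not captured from a real project).
SAMPLE_CLEAN='{"auditReportVersion":2,"vulnerabilities":{},"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":0,"high":0,"critical":0,"total":0}}}'
SAMPLE_HIGH='{"auditReportVersion":2,"vulnerabilities":{"example-pkg":{"severity":"high"}},"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":0,"high":2,"critical":0,"total":2}}}'
SAMPLE_CRITICAL='{"auditReportVersion":2,"vulnerabilities":{"example-pkg":{"severity":"critical"}},"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":0,"high":1,"critical":1,"total":2}}}'
SAMPLE_ERROR='{"error":{"code":"ENOLOCK","summary":"This command requires an existing lockfile."}}'

# Usage in .husky/pre-commit (save this file as scripts/audit-gate.sh):
#   . scripts/audit-gate.sh && run_hook
```

A return of 2 still blocks the commit (fail closed), but the message tells the developer the scanner did not run rather than that the tree is vulnerable.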

Using pre-commit framework (all ecosystems)

Create .pre-commit-config.yaml in your repo root:

repos:
  # OSV Scanner — works for all 7 ecosystems
  - repo: https://github.com/google/osv-scanner
    rev: v1.7.0
    hooks:
      - id: osv-scanner
        args: ['--fail-on-vuln']

  # npm audit (npm projects only)
  - repo: local
    hooks:
      - id: npm-audit
        name: npm audit
        entry: npm audit --audit-level=high
        language: system
        files: package\.json$
        pass_filenames: false

Install the hooks:

pip install pre-commit
pre-commit install

Python projects — pip-audit hook

repos:
  - repo: local
    hooks:
      - id: pip-audit
        name: pip-audit
        entry: pip-audit -r requirements.txt --fail-on critical
        language: system
        files: requirements\.txt$
        pass_filenames: false

Ruby projects — bundle-audit hook

repos:
  - repo: local
    hooks:
      - id: bundle-audit
        name: bundle audit
        entry: bundle audit check --update
        language: system
        files: Gemfile\.lock$
        pass_filenames: false

When a hook fails: Open PackageFix, paste your manifest, and download the fixed version. The pre-commit hook tells you there's a problem — PackageFix gives you the fixed file.

Paste your manifest — get back a fixed version with all CVEs patched in seconds.


Frequently Asked Questions

Should I block commits on HIGH severity CVEs?
It depends on your team. Blocking on CRITICAL is usually the right threshold — HIGH CVEs should be flagged but not necessarily block the commit. Too many blocks lead to developers bypassing the hook.
How do I skip the pre-commit hook in an emergency?
Run git commit --no-verify to bypass all pre-commit hooks. Use sparingly — the point of the hook is to catch vulnerabilities before they ship.
Does the PackageFix terminal one-liner work as a pre-commit hook?
The terminal one-liner opens a browser window — that's not suitable for a pre-commit hook. Use npm audit or OSV Scanner in the hook, then PackageFix manually for detailed analysis and fix downloads.
How do I install pre-commit?
Run pip install pre-commit, then pre-commit install in your repo root. It will run automatically on every git commit from that point.
