npm Dependency Security Audit

The fastest way to scan npm dependencies for CVEs and get a fixed package.json. Paste your manifest — get back patched versions, CISA KEV flags, and a downloadable fixed file. No npm audit install needed.

How to scan npm dependencies

Paste your package.json into PackageFix. The tool queries the OSV vulnerability database live and returns:

Scan your dependencies now — paste your manifest, get a fixed version back in seconds.


No signup · No CLI · No GitHub connection · Runs 100% in your browser

Frequently Asked Questions

How do I scan npm dependencies for CVEs?
Paste your package.json into PackageFix. It queries the OSV vulnerability database live and returns a CVE table with fix versions.

What npm packages have the most CVEs?
Check the PackageFix fix guides for the most commonly CVE-flagged npm packages.

Does PackageFix support npm lockfiles?
Yes. Drop your lockfile alongside package.json for full transitive dependency scanning.

Is PackageFix free?
Yes — completely free, MIT licensed, open source.
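
The following added example, which is not PackageFix's own code, shows why a lockfile enables transitive scanning: package.json lists version ranges for direct dependencies only, while package-lock.json pins every installed version, direct or transitive. It builds a request body for OSV's public /v1/querybatch endpoint; the sample lockfile and the function names are constructed for illustration.

```javascript
// Added example: turn a package-lock.json (lockfileVersion 2/3) into an OSV
// /v1/querybatch request body. The lockfile below is constructed sample data.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0", dependencies: { express: "^4.17.1" } },
    "node_modules/express": { version: "4.17.1" },
    "node_modules/qs": { version: "6.7.0" },
    "node_modules/express/node_modules/qs": { version: "6.7.0" }, // nested duplicate
    "node_modules/body-parser/node_modules/qs": { version: "6.5.2" }, // second version
    "node_modules/@scope/util": { version: "2.0.0" },
    "node_modules/local-lib": { resolved: "packages/local-lib", link: true },
    "packages/local-lib": { name: "local-lib", version: "0.0.1" }, // workspace source
  },
};

// The package name is whatever follows the last "node_modules/" in the key.
function nameFromLockPath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? null : path.slice(idx + marker.length);
}

// Collect every installed name@version pair once, direct or transitive.
function lockfileToOsvBatch(lock) {
  if (!lock.packages) throw new Error("lockfileVersion 1 has no 'packages' map");
  const seen = new Set();
  const queries = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    const name = nameFromLockPath(path);
    // Skip the root project, workspace sources, symlinks and version-less entries.
    if (!name || entry.link || !entry.version) continue;
    const key = `${name}@${entry.version}`;
    if (seen.has(key)) continue;
    seen.add(key);
    queries.push({ package: { name, ecosystem: "npm" }, version: entry.version });
  }
  return { queries };
}

// POST JSON.stringify(body) to https://api.osv.dev/v1/querybatch to get the
// matching vulnerability IDs per query; this example stops at the request body.
const body = lockfileToOsvBatch(SAMPLE_LOCK);
console.log(JSON.stringify(body, null, 2));
```

Both installed versions of qs appear as separate queries, which a scan of package.json alone would never see.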
