Python Dependency Security Audit
Scan requirements.txt for CVEs without installing pip-audit. Paste your manifest and get a fixed requirements.txt with safe versions from the OSV database. Supports poetry.lock for transitive scanning.
How to scan PyPI dependencies
Paste your requirements.txt into PackageFix. The tool queries the OSV vulnerability database live and returns:
- CVE table with severity badges (CRITICAL, HIGH, MEDIUM, LOW)
- CISA KEV flags — actively exploited packages highlighted in red
- Side-by-side diff: your versions vs fixed versions
- Download fixed requirements.txt + changelog as .zip
- Renovate config + GitHub Actions workflow template
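The core of that workflow, matching pinned versions against OSV-style advisory ranges and emitting a fixed manifest, as an added example (not PackageFix's own code). It assumes a constructed advisory in the OSV record shape with a placeholder id, and a simplified numeric version comparison in place of full PEP 440:

```python
import re

# Constructed OSV-shaped advisory with a placeholder id; not a real vulnerability record.
SAMPLE_ADVISORIES = [{
    "id": "EXAMPLE-0001",
    "affected": [{
        "package": {"ecosystem": "PyPI", "name": "examplelib"},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "0"}, {"fixed": "2.3.1"}]}],
    }],
    "database_specific": {"severity": "HIGH"},
}]

# Constructed manifest: one pin inside the affected range, one untouched.
SAMPLE_REQUIREMENTS = "examplelib==2.2.0\nsafelib==1.0.0\n"

def parse_version(v):
    # Simplified: numeric dotted versions only; use packaging.version for real PEP 440 input.
    return tuple(int(p) for p in re.findall(r"\d+", v))

def parse_requirements(text):
    """Return {name: version} for exact '==' pins; other lines are ignored."""
    pins = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_.-]+)\s*==\s*([^\s#]+)", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins

def affected_fix(advisory, name, version):
    """Return the fixed version if name==version falls in an affected ECOSYSTEM range."""
    for aff in advisory["affected"]:
        pkg = aff["package"]
        if pkg["ecosystem"] != "PyPI" or pkg["name"].lower() != name:
            continue
        for rng in aff.get("ranges", []):
            if rng["type"] != "ECOSYSTEM":
                continue
            lo = None  # OSV events come in introduced/fixed pairs, in order
            for ev in rng["events"]:
                if "introduced" in ev:
                    lo = ev["introduced"]
                elif "fixed" in ev and lo is not None:
                    if parse_version(lo) <= parse_version(version) < parse_version(ev["fixed"]):
                        return ev["fixed"]
                    lo = None
    return None

def fix_requirements(text, advisories):
    """Return (fixed requirements text, changelog of (name, old, new, advisory id, severity))."""
    pins, changes = parse_requirements(text), []
    for name, version in list(pins.items()):
        for adv in advisories:
            new = affected_fix(adv, name, version)
            if new and parse_version(new) > parse_version(pins[name]):
                pins[name] = new  # keep the highest fix when several advisories apply
                sev = adv.get("database_specific", {}).get("severity", "UNKNOWN")
                changes.append((name, version, new, adv["id"], sev))
    return "".join(f"{n}=={v}\n" for n, v in pins.items()), changes
```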
Scan your dependencies now — paste your manifest, get a fixed version back in seconds.
No signup · No CLI · No GitHub connection · Runs 100% in your browser
Frequently Asked Questions
How do I scan PyPI dependencies for CVEs?
Paste your requirements.txt into PackageFix. It queries the OSV vulnerability database live and returns a CVE table with fix versions.
What PyPI packages have the most CVEs?
Check the PackageFix fix guides for the most commonly CVE-flagged PyPI packages.
Does PackageFix support PyPI lockfiles?
Yes. Drop your lockfile alongside requirements.txt for full transitive dependency scanning.
Is PackageFix free?
Yes — completely free, MIT licensed, open source.