Use PackageFix from the Terminal

Pipe any manifest directly into PackageFix from your terminal. The file is encoded as base64 and decoded in your browser — nothing is sent to a server.

The one-liner

$ npm

B64=$(base64 -i package.json) && open "https://packagefix.dev/?file=$B64"

$ pypi

B64=$(base64 -i requirements.txt) && open "https://packagefix.dev/?file=$B64"

$ ruby

B64=$(base64 -i Gemfile) && open "https://packagefix.dev/?file=$B64"

$ php

B64=$(base64 -i composer.json) && open "https://packagefix.dev/?file=$B64"

$ go

B64=$(base64 -i go.mod) && open "https://packagefix.dev/?file=$B64"

$ rust

B64=$(base64 -i Cargo.toml) && open "https://packagefix.dev/?file=$B64"

$ java

B64=$(base64 -i pom.xml) && open "https://packagefix.dev/?file=$B64"

Linux (replace open with xdg-open)

B64=$(base64 -w0 -i package.json) && xdg-open "https://packagefix.dev/?file=$B64"

Add it as an npm script

{
  "scripts": {
    "audit-browser": "B64=$(base64 -i package.json) && open \"https://packagefix.dev/?file=$B64\""
  }
}

Then run: npm run audit-browser

Add it as a Makefile target

audit:
	B64=$$(base64 -i package.json) && open "https://packagefix.dev/?file=$$B64"

How it works

base64 encodes your manifest file into a URL-safe string
The encoded string is passed as a ?file= query parameter
PackageFix decodes it in your browser using atob()
Ecosystem is auto-detected from the file content
The file is pre-loaded in the scan interface — click Scan to run
Nothing is sent to any server at any point

Paste your manifest — get back a fixed version with all CVEs patched in seconds.

Open PackageFix →

No signup · No CLI · No GitHub · Runs 100% in your browser

Frequently Asked Questions

Does my manifest file get sent to a server?

No. The base64-encoded manifest is decoded entirely in your browser using JavaScript's atob() function. No data is sent to any server — the URL parameter is processed client-side only.

What if my manifest is too large for a URL?

For very large manifests (>10,000 dependencies), the URL may exceed browser limits. In that case, use the drag-and-drop upload on the main page instead.

Does this work with all 7 ecosystems?

Yes. PackageFix auto-detects the ecosystem from the file content. The same base64 technique works for package.json, requirements.txt, Gemfile, composer.json, go.mod, Cargo.toml, and pom.xml.

Can I add this to a Makefile or npm script?

Yes. Add it as a script: {"scripts": {"audit-browser": "B64=$(base64 -i package.json) && open \"https://packagefix.dev/?file=$B64\""}}, then run npm run audit-browser.

Why doesn't curl packagefix.dev/api work?

PackageFix is intentionally client-side only — no backend, no API. The browser is the runtime. The terminal one-liner opens a browser window rather than making a CLI call.