Traditional tools like npm audit often overwhelm developers with noisy output and low-context alerts. What we actually need is:<\/p>\n
- \n
- Accurate vulnerability detection<\/li>\n
- Minimal noise<\/li>\n
- Actionable output<\/li>\n<\/ul>\n
This is where OSV.dev (Open Source Vulnerabilities)<\/strong> comes in.<\/p>\n
\u00a0Why OSV.dev?<\/h1>\n
OSV.dev provides a unified vulnerability database<\/strong> that aggregates data from multiple ecosystems and security sources.<\/p>\n
Unlike traditional tools:<\/p>\n
- \n
- It focuses on real known vulnerabilities<\/strong><\/li>\n
- It supports precise version matching<\/strong><\/li>\n
- It reduces false positives<\/li>\n<\/ul>\n
It has already flagged multiple malicious npm packages like:<\/p>\n
- \n
- react-native-website \u2192 malicious code injected<\/li>\n
- react-native-latest \u2192 executes suspicious commands<\/li>\n
- react-native-show-message-extension \u2192 compromised package<\/li>\n<\/ul>\n
This proves one thing: you cannot trust dependencies blindly anymore.<\/p>\n
How Vulnerability Detection Works<\/h1>\n
The process is simple but powerful:<\/p>\n
- \n
- Read all installed dependencies<\/li>\n
- Extract exact versions (not ranges)<\/li>\n
- Send them to OSV.dev API<\/li>\n
- Check if vulnerabilities exist<\/li>\n
- Show ONLY affected packages<\/li>\n<\/ol>\n
Step 1: Read Installed Packages<\/h1>\n
We extract dependencies directly from:<\/p>\n
- \n
- package.json<\/li>\n
- node_modules (for exact installed version)<\/li>\n<\/ul>\n
\u00a0readPackages.js<\/h2>\n
const fs = require(\"fs\");<\/span>\r\nconst path = require(\"path\");<\/span>\r\n\r\nfunction getInstalledPackages(projectRoot) {<\/span>\r\nconst pkgPath = path.join(projectRoot, \"package.json\");<\/span>\r\nconst pkg = JSON.parse(fs.readFileSync(pkgPath, \"utf8\"));<\/span>\r\n\r\nconst allDeps = {<\/span>\r\n...pkg.dependencies,<\/span>\r\n...pkg.devDependencies,<\/span>\r\n};<\/span>\r\n\r\nconst result = [];<\/span>\r\n\r\nfor (const dep of Object.keys(allDeps)) {<\/span>\r\ntry {<\/span>\r\nconst depPkgPath = path.join(<\/span>\r\nprojectRoot,<\/span>\r\n\"node_modules\",<\/span>\r\ndep,<\/span>\r\n\"package.json\"<\/span>\r\n);<\/span>\r\n\r\nif (fs.existsSync(depPkgPath)) {<\/span>\r\nconst depPkg = JSON.parse(fs.readFileSync(depPkgPath, \"utf8\"));<\/span>\r\n\r\nresult.push({<\/span>\r\nname: dep,<\/span>\r\nversion: depPkg.version,<\/span>\r\n});<\/span>\r\n}<\/span>\r\n} catch (err) {<\/span>\r\n\/\/ ignore broken deps<\/span>\r\n}<\/span>\r\n}<\/span>\r\n\r\nreturn result;<\/span>\r\n}<\/span>\r\n\r\nmodule.exports = { getInstalledPackages };<\/span><\/pre>\nStep 2: Check Vulnerabilities via OSV<\/h1>\n
We call OSV\u2019s batch API:<\/p>\n
https:\/\/api.osv.dev\/v1\/querybatch<\/p>\n
This allows us to check multiple packages at once.<\/p>\n
\u00a0osvSecurity.js<\/h2>\n
const OSV_API = \"https:\/\/api.osv.dev\/v1\/querybatch\";<\/span>\r\n\r\nasync function checkVulnerabilities(packages) {<\/span>\r\nconst queries = packages.map((pkg) => ({<\/span>\r\npackage: {<\/span>\r\nname: pkg.name,<\/span>\r\necosystem: \"npm\",<\/span>\r\n},<\/span>\r\nversion: pkg.version,<\/span>\r\n}));<\/span>\r\n\r\nconst response = await fetch(OSV_API, {<\/span>\r\nmethod: \"POST\",<\/span>\r\nheaders: {<\/span>\r\n\"Content-Type\": \"application\/json\",<\/span>\r\n},<\/span>\r\nbody: JSON.stringify({ queries }),<\/span>\r\n});<\/span>\r\n\r\nconst data = await response.json();<\/span>\r\n\r\nconst vulnerablePackages = [];<\/span>\r\n\r\ndata.results.forEach((result, index) => {<\/span>\r\nif (result.vulns && result.vulns.length > 0) {<\/span>\r\nvulnerablePackages.push({<\/span>\r\nname: packages[index].name,<\/span>\r\nversion: packages[index].version,<\/span>\r\nvulnerabilities: result.vulns.map((v) => ({<\/span>\r\nid: v.id,<\/span>\r\nsummary: v.summary,<\/span>\r\nseverity: v.severity || \"UNKNOWN\",<\/span>\r\n})),<\/span>\r\n});<\/span>\r\n}<\/span>\r\n});<\/span>\r\n\r\nreturn vulnerablePackages;<\/span>\r\n}<\/span>\r\n\r\nmodule.exports = { checkVulnerabilities };<\/span><\/pre>\n\ud83d\udcc4 checkVulnerabilities.js (FINAL SCRIPT)<\/h1>\n
#!\/usr\/bin\/env node<\/span>\r\n\r\nconst path = require(\"path\");<\/span>\r\nconst { getInstalledPackages } = require(\".\/readPackages\");<\/span>\r\nconst { checkVulnerabilities } = require(\".\/osvSecurity\");<\/span>\r\n\r\nconst PROJECT_ROOT = process.cwd();<\/span>\r\n\r\nasync function run() {<\/span>\r\nconsole.log(\"\ud83d\udd0d Scanning for vulnerabilities...\\n\");<\/span>\r\n\r\nconst packages = getInstalledPackages(PROJECT_ROOT);<\/span>\r\n\r\nif (!packages.length) {<\/span>\r\nconsole.log(\"No packages found.\");<\/span>\r\nreturn;<\/span>\r\n}<\/span>\r\n\r\nconst vulnerable = await checkVulnerabilities(packages);<\/span>\r\n\r\nif (!vulnerable.length) {<\/span>\r\nconsole.log(\"\u2705 No vulnerabilities found.\");<\/span>\r\nreturn;<\/span>\r\n}<\/span>\r\n\r\nconsole.log(\"\ud83d\udea8 Vulnerable Packages Found:\\n\");<\/span>\r\n\r\nvulnerable.forEach((pkg) => {<\/span>\r\nconsole.log(`\ud83d\udce6 ${pkg.name}@${pkg.version}`);<\/span>\r\n\r\npkg.vulnerabilities.forEach((vuln) => {<\/span>\r\nconsole.log(` \u26a0\ufe0f ${vuln.id}`);<\/span>\r\nconsole.log(` \ud83d\udcdd ${vuln.summary || \"No description\"}`);<\/span>\r\nconsole.log(` \ud83d\udd25 Severity: ${vuln.severity}`);<\/span>\r\nconsole.log(\"\");<\/span>\r\n});<\/span>\r\n});<\/span>\r\n}<\/span>\r\n\r\nrun().catch((err) => {<\/span>\r\nconsole.error(\"Error:\", err.message);<\/span>\r\n});<\/span><\/pre>\nHow to Run<\/h1>\n
Install dependency:<\/p>\n
npm install node-fetch<\/span><\/pre>\nRun:<\/p>\n
node checkVulnerabilities.js<\/span><\/pre>\nSample Output<\/h1>\n
\ud83d\udd0d Scanning for vulnerabilities…<\/p>\n
\ud83d\udea8 Vulnerable Packages Found:<\/p>\n
\ud83d\udce6 lodash@4.17.15
\n\u26a0\ufe0f GHSA-xxxx
\n\ud83d\udcdd Prototype Pollution vulnerability
\n\ud83d\udd25 Severity: HIGH<\/p>\n\ud83d\udce6 minimist@0.0.8
\n\u26a0\ufe0f GHSA-yyyy
\n\ud83d\udcdd Arbitrary code execution issue
\n\ud83d\udd25 Severity: CRITICAL<\/p>\n<\/p>\n
![\"vulnerablePackages\"](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2026\/04\/Screenshot-2026-04-06-at-10.56.08\u202fPM.png\")
vulnerablePackages<\/p><\/div>\n
Final Thought<\/h1>\n
Dependency security is no longer optional.<\/p>\n
With real-world incidents of malicious npm packages and even critical RCE vulnerabilities in widely used tools, relying on blind trust is risky.<\/p>\n
A simple terminal-based vulnerability scanner like this gives you:<\/p>\n
- \n
- Immediate visibility<\/li>\n
- Zero noise<\/li>\n
- Real security insights<\/li>\n<\/ul>\n
If it\u2019s not secure, it should be visible instantly.<\/p>\n","protected":false},"excerpt":{"rendered":"
Introduction Modern JavaScript applications\u2014especially React Native\u2014depend on hundreds of npm packages. The real risk isn\u2019t just outdated packages, but hidden vulnerabilities inside your dependency tree. Traditional tools like npm audit often overwhelm developers with noisy output and low-context alerts. What we actually need is: Accurate vulnerability detection Minimal noise Actionable output This is where OSV.dev […]<\/p>\n","protected":false},"author":1816,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":4},"categories":[5881],"tags":[1303,8570,5853,8569],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/79421"}],"collection":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/users\/1816"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/comments?post=79421"}],"version-history":[{"count":3,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/79421\/revisions"}],"predecessor-version":[{"id":79668,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/79421\/revisions\/79668"}],"wp:attachment":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/media?parent=79421"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/categories?post=79421"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/tags?post=79421"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- It supports precise version matching<\/strong><\/li>\n
- It focuses on real known vulnerabilities<\/strong><\/li>\n