Know which vulnerabilities actually matter
Upload your dependency manifest. Get a prioritized security report with real-world exploitation data. No signup required.
npm, pnpm, bun, or composer manifest/lock files
How it works
Upload
Drop your manifest or lock file. Lock files unlock the full dependency graph with transitive dependencies.
Scan
We query the OSV database and cross-reference with CISA's Known Exploited Vulnerabilities catalog.
Prioritize
Results are sorted by real-world risk. Actively exploited vulnerabilities surface first.
What you get
CISA KEV Integration
Vulnerabilities listed in CISA's Known Exploited Vulnerabilities catalog are flagged as active threats with confirmed exploitation.
License Analysis
Identify copyleft, restrictive, and permissive licenses. Avoid compliance issues before they become problems.
CVSS Scoring
Each vulnerability includes severity ratings based on CVSS scores, helping you understand potential impact.
Dependency Graph
Visualize your entire dependency tree. See which packages introduce vulnerabilities through transitive dependencies.
SBOM Generation
Export a CycloneDX 1.5-compliant Software Bill of Materials: a machine-readable inventory for supply chain security.
Evidence Trail
Timestamped audit log with SHA-256 checksums. Prove scan integrity to auditors and compliance teams.
Built for compliance teams
Security questionnaires ask about vulnerability management. Auditors want evidence of risk-based prioritization. DepShield provides both.
Why prioritization matters
The average Node.js project has hundreds of dependencies. Running npm audit often returns dozens of vulnerabilities, most of which are low-risk or unexploitable in your context.
CISA's Known Exploited Vulnerabilities catalog changes this. It lists CVEs with confirmed exploitation in the wild. A medium-severity vulnerability on this list is more urgent than a critical CVE with no known exploits.
Federal agencies are required to remediate KEV entries within specific timeframes. Even if you're not a federal contractor, using KEV as a prioritization signal means focusing on vulnerabilities that attackers are actually using.
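The KEV-first ordering described above, as an added example (not DepShield's own code): findings shaped like OSV results are matched against a KEV-style catalog by CVE alias, and KEV hits rank ahead of higher CVSS scores. All package names, advisory IDs, scores and dates are constructed sample data, and the due-date tiebreak among KEV hits is an assumption of this sketch.

```javascript
// Added example: KEV-first prioritization of dependency findings.
// Every package name, ID, score and date below is constructed sample data.

// Shaped like CISA's KEV JSON feed: { vulnerabilities: [{ cveID, dueDate, ... }] }
const kevCatalog = {
  vulnerabilities: [
    { cveID: "CVE-0000-0002", dateAdded: "2024-01-10", dueDate: "2024-01-31" },
  ],
};

// Shaped like scanner output built from OSV records: an OSV advisory has its
// own id (often GHSA-...) and lists the matching CVE under `aliases`.
const findings = [
  { pkg: "example-parser", id: "GHSA-xxxx-0001", aliases: ["CVE-0000-0001"], cvss: 9.8 },
  { pkg: "example-router", id: "GHSA-xxxx-0002", aliases: ["CVE-0000-0002"], cvss: 5.3 },
  { pkg: "example-logger", id: "GHSA-xxxx-0003", aliases: [], cvss: 7.5 },
  { pkg: "example-utils", id: "CVE-0000-0004", aliases: [], cvss: null },
];

// Index the catalog by upper-cased CVE ID for constant-time lookup.
function indexKev(catalog) {
  const byCve = new Map();
  for (const v of catalog.vulnerabilities || []) byCve.set(v.cveID.toUpperCase(), v);
  return byCve;
}

// Annotate each finding with its KEV status, then sort:
// 1) KEV entries first, 2) earliest KEV due date, 3) highest CVSS, unscored last.
function prioritize(items, catalog) {
  const kev = indexKev(catalog);
  return items
    .map((f) => {
      // Check the advisory's own id as well as its aliases: either may be the CVE.
      const ids = [f.id, ...(f.aliases || [])].map((s) => s.toUpperCase());
      const hit = ids.map((i) => kev.get(i)).find(Boolean) || null;
      return { ...f, kev: hit !== null, dueDate: hit ? hit.dueDate : null };
    })
    .sort((a, b) => {
      if (a.kev !== b.kev) return a.kev ? -1 : 1;
      // ISO dates (YYYY-MM-DD) order correctly as plain strings.
      if (a.kev && a.dueDate !== b.dueDate) return a.dueDate < b.dueDate ? -1 : 1;
      return (b.cvss ?? -1) - (a.cvss ?? -1);
    });
}

for (const f of prioritize(findings, kevCatalog)) {
  console.log(`${f.kev ? "KEV" : "   "} ${String(f.cvss ?? "n/a").padEnd(4)} ${f.pkg} (${f.id})`);
}
```

The medium-severity example-router finding sorts above the 9.8 example-parser finding because only the former appears in the catalog.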
Start scanning
No account needed. Upload your package.json and get results in seconds.