CLI client (and Golang module) for deps.dev API. Free access to dependencies, licenses, advisories, and other critical health and security signals for open source package versions.
Pin your 3rd Party Github Actions and Docker Images dependencies.
Dependency safety gate for Claude Code & Codex CLI — OSV pre-approval, npm lockfile-closure enforcement, and auto-rollback. Local, zero runtime deps.
Secure your dependencies before they land in production. secure-packages audits package source, reviews new-version diffs, and blocks risky updates in CI/CD, starting with PyPI.
🛡️ AI-powered vulnerability scanner that automatically detects, analyzes, and fixes security issues in npm packages with intelligent code transformations. Supports GitHub Actions, CLI, Docker, and VS Code integration with Microsoft Teams notifications.
Sentinel Package Manager blocks compromised packages BEFORE installation, preventing malicious code execution. Features: Pre-install blocking, command interception (npm/yarn/pnpm/bun), 795+ blacklist (Shai-Hulud), real-time checks (OSV/GitHub/Snyk), zero dependencies, auto-updates. Counters supply chain attacks.
👻 Stop installing packages that don't exist. When AI hallucinates names like "flask-gpt-helper", attackers register them as malware. Phantom Guard detects slopsquatting attacks across PyPI, npm & crates.io before you install.
Supply-chain policy gate for npm, pnpm, yarn, and PyPI. Blocks risky dependencies before install.
Ubel is a fast, cross-ecosystem security engine that resolves dependencies, generates PURLs, scans them through OSV.dev, and enforces security policies during installation to prevent supply-chain attacks. It works with: PyPI (via ubel-pip), npm (via ubel-npm), and Linux distributions (Ubuntu-based, Debian-based, RHEL, AlmaLinux).
Block npm/npx/yarn in Claude Code with a skill + PreToolUse hook. Use pnpm instead. Defense against Shai-Hulud-style npm supply-chain attacks.
Package Firewall — self-hosted supply chain security for macOS. Intercepts npm/pip/cargo/yarn in ALL shells including AI agents. 4 vuln sources (OSV + GHSA + deps.dev + CISA KEV). Zero telemetry.
Multi-gate open source supply chain trust validation pipeline with zero-day CVE expedited lane
A drop-in npm/pip that never runs install scripts. Deny-by-default supply-chain security for npm & PyPI.
Security wrapper for package managers using a local MITM proxy and the OSSF malicious-packages DB to block malware before install.
Detect dependency confusion attack vectors in Node.js projects
Long-Term Support (LTS) security fork of urllib3 with backported CVE fixes for Python 3.7 and 3.8.
Open-source CVE lookup tool for software packages. Check vulnerabilities, CVSS scores, version age, and latest releases across 8 ecosystems using OSV.dev.
malFuse is a local HTTP proxy firewall that prevents software supply chain poisoning by intercepting package install requests and blocking malicious packages before they reach your disk. Built in Go with zero runtime dependencies.
Vet the packages & repos your AI assistant recommended — before you install. Catches hallucinated/slopsquatted names, CVEs, malware, license traps & fake stars across 8 ecosystems. No API key.
Self-hosted dependency release surveillance and malicious package tripwire