Pricing

Pay per event

NPM Vulnerability Checker

Check npm packages for known vulnerabilities via OSV.dev API. Input package names with optional versions — get CVE IDs, severity (CRITICAL/HIGH/MEDIUM/LOW), affected ranges, and fix versions. No proxy needed.

Pricing

Pay per event

Rating

0.0

(0)

Developer

Stas Persiianenko

Actor stats

Bookmarked

Total users

Monthly active users

8 days ago

Last modified

What does NPM Vulnerability Checker do?

NPM Vulnerability Checker scans npm packages for known security vulnerabilities using the OSV.dev public database — the same data source used by GitHub Dependabot and Google's Open Source Insights. No API key, no login, no proxy required.

Give it a list of package names (optionally with versions like lodash@4.17.20), and it returns every known CVE, severity rating, affected version ranges, and fix versions for each package. Pure HTTP API — runs in seconds.

Who is NPM Vulnerability Checker for?

DevOps and Security Engineers who need to audit their dependencies before shipping:

Scan package.json dependencies for CVEs in CI/CD pipelines
Get structured JSON output for security dashboards and SIEM tools
Check specific pinned versions before promoting to production

Development Teams doing dependency upgrades:

Identify which packages have known vulnerabilities at current pinned versions
See exact fix versions so you know what to upgrade to
Prioritize upgrades by severity (CRITICAL/HIGH first)

Security Auditors and Compliance Teams:

Bulk-check third-party vendor dependencies for known CVEs
Generate vulnerability reports for SOC 2, ISO 27001, or client audits
Track open source risk across multiple projects

Freelancers and Consultants reviewing inherited codebases:

Quickly triage a new project's dependency health
Produce a vulnerability summary to share with clients
No setup — just paste the package list and run

Why use NPM Vulnerability Checker?

✅ No API key required — OSV.dev is a free public database
✅ No proxy needed — pure HTTP API, works from any environment
✅ CVE IDs included — every vulnerability links to official CVE identifiers
✅ Fix versions in output — know exactly what version to upgrade to
✅ CRITICAL/HIGH/MEDIUM/LOW severity — filter by severity level
✅ Works with or without versions — check a package name alone to see all known vulnerabilities
✅ Scoped packages supported — @types/node, @babel/core, etc.
✅ Apify platform — schedule daily runs, export to CSV/JSON/Excel, integrate via API
✅ Fast — checks hundreds of packages in under a minute via parallel-friendly API calls

What data can you extract?

Field	Description
`packageName`	npm package name
`version`	Version checked (or null if not specified)
`vulnerabilityCount`	Total number of vulnerabilities found
`highestSeverity`	Worst severity: CRITICAL / HIGH / MEDIUM / LOW
`criticalCount`	Number of CRITICAL vulnerabilities
`highCount`	Number of HIGH vulnerabilities
`mediumCount`	Number of MEDIUM vulnerabilities
`lowCount`	Number of LOW vulnerabilities
`hasVulnerabilities`	Boolean — true if any vulnerabilities found
`vulnerabilities[].id`	OSV vulnerability ID (e.g., GHSA-29mw-wpgm-hmr9)
`vulnerabilities[].cveIds`	List of CVE IDs (e.g., `["CVE-2020-28500"]`)
`vulnerabilities[].summary`	Short description of the vulnerability
`vulnerabilities[].severity`	Severity level: CRITICAL / HIGH / MEDIUM / LOW / UNKNOWN
`vulnerabilities[].cvssScore`	CVSS numeric score if available
`vulnerabilities[].affectedVersionRanges`	Version ranges where the vulnerability exists
`vulnerabilities[].fixedInVersions`	Versions that contain the fix
`vulnerabilities[].references`	Links to advisories and CVE pages
`vulnerabilities[].publishedAt`	Date the vulnerability was published
`vulnerabilities[].detailUrl`	OSV.dev detail page URL
`error`	Error message if the package check failed

How much does it cost to check npm packages for vulnerabilities?

NPM Vulnerability Checker uses pay-per-event pricing — you only pay for what you use.

Tier	Start fee	Per package
Free ($5 credit)	$0.005	$0.00115
Starter ($29/mo)	$0.005	$0.001
Scale ($199/mo)	$0.005	$0.00078
Business ($999/mo)	$0.005	$0.0006

Real-world cost examples:

Check 10 packages → ~$0.015 (practically free)
Check 100 packages → ~$0.105 on Starter plan
Check 1,000 packages → ~$1.005 on Starter plan
Daily scan of 50 packages (365 days) → ~$18.98/year on Starter plan

Free plan users get $5 in credits, enough to check ~4,300 packages before paying anything.

How to check npm packages for vulnerabilities

Go to NPM Vulnerability Checker on Apify Store
Click Try for free
In the Packages to Check field, enter your package names (one per line)
- With version: lodash@4.17.20
- Without version: lodash (returns all known vulnerabilities)
- Scoped packages: @babel/core@7.20.0
Optionally uncheck Include LOW severity to focus on HIGH and CRITICAL issues
Click Start and wait a few seconds
Review results in the Dataset tab — filter by hasVulnerabilities: true for vulnerable packages
Export as JSON, CSV, or Excel for your reports

Input JSON example — checking a typical production app:

{
  "packages": [
    "express@4.17.1",
    "lodash@4.17.20",
    "axios@0.21.1",
    "webpack@5.75.0",
    "log4js@6.3.0"
  ],
  "includeLow": false,
  "includeDetails": true
}

Input JSON example — quick summary scan (no details):

{
  "packages": ["react@18.2.0", "next@13.0.0", "typescript@5.0.0"],
  "includeLow": true,
  "includeDetails": false
}

Input parameters

Parameter	Type	Default	Description
`packages`	array	required	List of npm package names to check. Format: `package-name` or `package-name@version`
`includeLow`	boolean	`true`	Include LOW severity vulnerabilities. Set `false` to show only MEDIUM, HIGH, and CRITICAL
`includeDetails`	boolean	`true`	Include full vulnerability details (version ranges, fix versions, references). Set `false` for summary-only output
`maxVulnsPerPackage`	integer	`0`	Maximum vulnerabilities to return per package. `0` = no limit

Output examples

Vulnerable package with CVE details:

{
  "packageName": "lodash",
  "version": "4.17.20",
  "vulnerabilityCount": 5,
  "highestSeverity": "HIGH",
  "criticalCount": 0,
  "highCount": 2,
  "mediumCount": 3,
  "lowCount": 0,
  "unknownCount": 0,
  "hasVulnerabilities": true,
  "vulnerabilities": [
    {
      "id": "GHSA-29mw-wpgm-hmr9",
      "aliases": ["CVE-2020-28500"],
      "summary": "Regular Expression Denial of Service (ReDoS) in lodash",
      "severity": "MEDIUM",
      "cvssScore": null,
      "cveIds": ["CVE-2020-28500"],
      "affectedVersionRanges": [
        { "introduced": "0", "fixed": "4.17.21" }
      ],
      "fixedInVersions": ["4.17.21"],
      "references": [
        "https://nvd.nist.gov/vuln/detail/CVE-2020-28500",
        "https://github.com/lodash/lodash/pull/5065"
      ],
      "publishedAt": "2021-02-15T00:00:00Z",
      "detailUrl": "https://osv.dev/vulnerability/GHSA-29mw-wpgm-hmr9"
    }
  ],
  "error": null
}

Clean package:

{
  "packageName": "react",
  "version": "18.2.0",
  "vulnerabilityCount": 0,
  "highestSeverity": null,
  "criticalCount": 0,
  "highCount": 0,
  "mediumCount": 0,
  "lowCount": 0,
  "unknownCount": 0,
  "hasVulnerabilities": false,
  "vulnerabilities": [],
  "error": null
}

Tips for best results

🎯 Check specific versions for accurate results — without a version, you get all vulnerabilities ever reported for the package (useful for auditing, not for checking a specific install)
🔍 Start with HIGH and CRITICAL — set includeLow: false to focus on urgent fixes first
📋 Export your package.json — copy all dependency names and versions from your lock file for a complete audit
⏱️ Schedule daily runs via Apify's scheduling feature to catch new CVEs as they're published to OSV.dev
📊 Use includeDetails: false for a quick dashboard view when you just want the count and severity per package
🔔 Set up webhooks to get notified when a scan finds new vulnerabilities above a threshold
🔗 Connect to Slack — pipe results through Make or Zapier to alert your team on CRITICAL findings

Integrations

NPM Vulnerability Checker → Google Sheets (weekly security report): Schedule a weekly run checking all your pinned dependencies. Connect Apify's Google Sheets integration to auto-populate a vulnerability tracking spreadsheet that your security team reviews every Monday.

NPM Vulnerability Checker → Slack (CRITICAL alert on merge): Trigger a run via API when a PR is merged to main. If any criticalCount > 0 in the results, send a Slack message to #security-alerts with the CVE details. Webhook or Make handles the routing.

NPM Vulnerability Checker → Jira (auto-create tickets): Use the Apify → Zapier → Jira integration to automatically create security tickets for any package where highestSeverity === 'CRITICAL' || highestSeverity === 'HIGH'. Include fixedInVersions in the ticket body so developers know the fix.

NPM Vulnerability Checker → CI/CD pipeline (blocking gate): Call the actor via API from your CI pipeline (GitHub Actions, GitLab CI) after npm install. If any package returns criticalCount > 0, fail the build. Use the start_synchronously=true API flag to wait for completion inline.

Scheduled monitoring (new CVE detection): Schedule daily scans of your pinned dependencies. Compare results over time using Apify datasets — when vulnerabilityCount increases for a package, a new CVE was published. Pipe the diff to your incident management system.

Using the Apify API

Node.js:

import { ApifyClient } from 'apify-client';

const client = new ApifyClient({ token: 'YOUR_APIFY_TOKEN' });

const run = await client.actor('automation-lab/npm-vulnerability-checker').call({
  packages: ['express@4.17.1', 'lodash@4.17.20', 'axios@0.21.1'],
  includeLow: false,
  includeDetails: true,
});

const { items } = await client.dataset(run.defaultDatasetId).listItems();
const vulnerable = items.filter(pkg => pkg.hasVulnerabilities);
console.log(`Vulnerable packages: ${vulnerable.length}/${items.length}`);

Python:

from apify_client import ApifyClient

client = ApifyClient('YOUR_APIFY_TOKEN')

run = client.actor('automation-lab/npm-vulnerability-checker').call(run_input={
    'packages': ['express@4.17.1', 'lodash@4.17.20', 'axios@0.21.1'],
    'includeLow': False,
    'includeDetails': True,
})

items = client.dataset(run['defaultDatasetId']).list_items().items
vulnerable = [pkg for pkg in items if pkg['hasVulnerabilities']]
print(f'Vulnerable: {len(vulnerable)}/{len(items)}')
for pkg in vulnerable:
    print(f"  {pkg['packageName']}@{pkg['version']}: {pkg['highestSeverity']} ({pkg['vulnerabilityCount']} vulns)")

cURL:

curl -s -X POST \
  "https://api.apify.com/v2/acts/automation-lab~npm-vulnerability-checker/run-sync-get-dataset-items?token=YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "packages": ["express@4.17.1", "lodash@4.17.20"],
    "includeLow": false
  }'

Use with AI agents via MCP

NPM Vulnerability Checker is available as a tool for AI assistants that support the Model Context Protocol (MCP).

Add the Apify MCP server to your AI client — this gives you access to all Apify actors, including this one:

Setup for Claude Code

$claude mcp add --transport http apify "https://mcp.apify.com"

Setup for Claude Desktop, Cursor, or VS Code

Add this to your MCP config file:

{
    "mcpServers": {
        "apify": {
            "url": "https://mcp.apify.com"
        }
    }
}

Your AI assistant will use OAuth to authenticate with your Apify account on first use.

Example prompts

Once connected, try asking your AI assistant:

"Use automation-lab/npm-vulnerability-checker to check express@4.17.1, lodash@4.17.20, and axios@0.21.1 for vulnerabilities and show me only HIGH and CRITICAL issues"
"Scan these packages for CVEs and tell me which ones have a fix available: webpack@5.75.0, semver@6.3.0, minimist@1.2.5"
"Check my dependencies for security issues and give me a summary of the worst findings sorted by severity"

Learn more in the Apify MCP documentation.

Is it legal to use NPM Vulnerability Checker?

Yes. This actor only queries the OSV.dev public API, which is explicitly designed for programmatic access. OSV.dev is an open source vulnerability database maintained by Google and the open source security community. There is no scraping of third-party websites, no authentication bypass, and no terms of service violations.

The OSV.dev API has no usage fees or rate limiting for reasonable use. All vulnerability data is publicly available and licensed for redistribution.

As always, use the data responsibly. Vulnerability information is for defensive security purposes — to help you fix your own software — not for offensive use.

FAQ

How accurate is the vulnerability data? The data comes directly from OSV.dev, which aggregates from GitHub Security Advisories (GHSA), the National Vulnerability Database (NVD), and other authoritative sources. It's the same data used by GitHub Dependabot. For any given CVE, accuracy is dependent on the upstream source reporting it correctly.

How much does it cost to scan 100 packages? On the Starter plan ($29/month): $0.005 (start) + 100 × $0.001 = $0.105. On the free plan you get $5 in credits, which covers ~4,300 packages.

Does it work without specifying a version? Yes — if you omit the version (e.g., lodash instead of lodash@4.17.20), the actor returns all vulnerabilities ever associated with that package. This is useful for getting a complete picture but less actionable than version-specific results.

Why does a package show UNKNOWN severity? Not all OSV entries have CVSS scores. UNKNOWN means the advisory exists but no severity rating was published in the database. You should still investigate UNKNOWN entries — check the detailUrl for the full advisory.

Why are results empty for a package I know is vulnerable? OSV.dev may not have indexed all vulnerabilities for every package. It's primarily focused on GHSA and NVD. For maximum coverage, also check Snyk Vulnerability DB and npm audit directly. If you're checking a very new CVE published in the last 24 hours, it may not yet be in OSV.

Can I check a whole package.json at once? Not directly — you need to extract the package names and versions from your package.json or package-lock.json first. The easiest way: node -e "const p=require('./package.json'); console.log(JSON.stringify(Object.entries(p.dependencies).map(([k,v])=>k+'@'+v.replace(/[^0-9.]/g,''))))" to get a list suitable for the packages input.

How is this different from npm audit? npm audit analyzes your entire dependency tree (including transitive deps) and is tightly integrated with npm's own advisory database. This actor uses OSV.dev which aggregates from multiple sources and returns more structured data — better for programmatic use, CI gates, and bulk batch analysis outside of a Node.js environment.

Other security and utility tools

SSL Certificate Checker — check SSL/TLS certificate validity, expiry, and chain issues
DNS Record Checker — query A, AAAA, MX, CNAME, TXT, NS records for any domain
DMARC Record Checker — validate DMARC email authentication policies
Broken Link Checker — crawl websites and find all broken links (404s)
CNAME Record Checker — bulk CNAME record lookup and validation
Canonical URL Checker — verify canonical tags and redirect chains
Ads.txt Checker — validate ads.txt files for programmatic advertising compliance

npm Scraper

automation-lab/npm-scraper

Scrape npm packages — names, versions, downloads, dependencies, and metadata. Search the npm registry for package data.

Stas Persiianenko

npm Package Scraper

plantane/npm-scraper

Scrape npm package data — search packages or get detailed info including versions, maintainers, and download stats.

Daniel

npm Package Registry Scraper

cloud9_ai/npm-package-scraper

Search and extract JavaScript package data from npm. Get download stats, dependencies, versions, and maintainers for 3M+ packages.

cloud9

npm Package Dependency Intelligence

taroyamada/npm-package-dependency-intelligence

Analyze npm package metadata, versions, dependencies, maintainer hints, release cadence, and package risk signals using the official npm registry API.

太郎山田

Npm Package Intelligence

viralanalyzer/npm-package-intelligence

Extract NPM package data: downloads, dependencies, versions, maintainers, and README. Track JavaScript ecosystem trends.

viralanalyzer

5.0

NPM Package Scraper & Dependency Analyzer

andok/npm-metadata-extractor

Fetch full NPM package metadata, versions, and dependencies in bulk. Build developer intelligence dashboards without rate limits.

Andok

NPM Packages Scraper

gio21/npm-packages-scraper

Search and scrape NPM packages by keyword. Extract name, version, description, downloads, dependencies, license, repository, and quality scores. Uses the public NPM registry API. Pay per result.

Gio

NPM Scraper

muscular_quadruplet/npm-scraper

Scrape NPM package data. Get downloads, versions, dependencies, maintainers. Analyze JavaScript ecosystem trends, track package popularity, monitor dependencies. Build developer tools.

Do It

NPM Package Scraper - Search, Stats & Downloads

wetyr_corporation/npm-package-scraper

Bulk extract NPM packages with metadata, weekly downloads, dependencies, maintainers. Built for dev tool research, supply chain analysis, competitive ecosystem intel.

WETYR CORPORATION

npm Package Scraper - Registry Data & Downloads API

benthepythondev/npm-package-scraper

Extract npm package data with download stats, dependencies, maintainers, and quality scores. Search by keyword, author, or get popular packages. Perfect for JavaScript ecosystem research, competitor tracking, and dependency analysis. Fast API-based extraction, pay-per-result.