# NPM Vulnerability Checker (`automation-lab/npm-vulnerability-checker`) Actor
Check npm packages for known vulnerabilities via OSV.dev API. Input package names with optional versions — get CVE IDs, severity (CRITICAL/HIGH/MEDIUM/LOW), affected ranges, and fix versions. No proxy needed.
- **URL**: https://apify.com/automation-lab/npm-vulnerability-checker.md
- **Developed by:** [Stas Persiianenko](https://apify.com/automation-lab) (community)
- **Categories:** Developer tools, Other
- **Stats:** 2 total users, 1 monthly users, 100.0% runs succeeded, NaN bookmarks
- **User rating**: No ratings yet
## Pricing
Pay per event
This Actor is paid per event. You are not charged for the Apify platform usage, but only a fixed price for specific events.
Since this Actor supports Apify Store discounts, the price gets lower the higher subscription plan you have.
Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-event
## What's an Apify Actor?
Actors are a software tools running on the Apify platform, for all kinds of web data extraction and automation use cases.
In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours,
and optionally produces a well-defined JSON output, datasets with results, or files in key-value store.
In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server.
Actors are written with capital "A".
## How to integrate an Actor?
If asked about integration, you help developers integrate Actors into their projects.
You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready.
The best way to integrate Actors is as follows.
In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md):
```bash
npm install apify-client
```
In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md):
```bash
pip install apify-client
```
In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md):
````bash
# MacOS / Linux
curl -fsSL https://apify.com/install-cli.sh | bash
# Windows
irm https://apify.com/install-cli.ps1 | iex
```bash
In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md).
If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md).
For usage examples, see the [API](#api) section below.
For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt).
# README
### What does NPM Vulnerability Checker do?
**NPM Vulnerability Checker** scans npm packages for known security vulnerabilities using the [OSV.dev](https://osv.dev) public database — the same data source used by GitHub Dependabot and Google's Open Source Insights. No API key, no login, no proxy required.
Give it a list of package names (optionally with versions like `lodash@4.17.20`), and it returns every known CVE, severity rating, affected version ranges, and fix versions for each package. Pure HTTP API — runs in seconds.
### Who is NPM Vulnerability Checker for?
**DevOps and Security Engineers** who need to audit their dependencies before shipping:
- Scan `package.json` dependencies for CVEs in CI/CD pipelines
- Get structured JSON output for security dashboards and SIEM tools
- Check specific pinned versions before promoting to production
**Development Teams doing dependency upgrades:**
- Identify which packages have known vulnerabilities at current pinned versions
- See exact fix versions so you know what to upgrade to
- Prioritize upgrades by severity (CRITICAL/HIGH first)
**Security Auditors and Compliance Teams:**
- Bulk-check third-party vendor dependencies for known CVEs
- Generate vulnerability reports for SOC 2, ISO 27001, or client audits
- Track open source risk across multiple projects
**Freelancers and Consultants reviewing inherited codebases:**
- Quickly triage a new project's dependency health
- Produce a vulnerability summary to share with clients
- No setup — just paste the package list and run
### Why use NPM Vulnerability Checker?
- ✅ **No API key required** — OSV.dev is a free public database
- ✅ **No proxy needed** — pure HTTP API, works from any environment
- ✅ **CVE IDs included** — every vulnerability links to official CVE identifiers
- ✅ **Fix versions in output** — know exactly what version to upgrade to
- ✅ **CRITICAL/HIGH/MEDIUM/LOW severity** — filter by severity level
- ✅ **Works with or without versions** — check a package name alone to see all known vulnerabilities
- ✅ **Scoped packages supported** — `@types/node`, `@babel/core`, etc.
- ✅ **Apify platform** — schedule daily runs, export to CSV/JSON/Excel, integrate via API
- ✅ **Fast** — checks hundreds of packages in under a minute via parallel-friendly API calls
### What data can you extract?
| Field | Description |
|-------|-------------|
| `packageName` | npm package name |
| `version` | Version checked (or null if not specified) |
| `vulnerabilityCount` | Total number of vulnerabilities found |
| `highestSeverity` | Worst severity: CRITICAL / HIGH / MEDIUM / LOW |
| `criticalCount` | Number of CRITICAL vulnerabilities |
| `highCount` | Number of HIGH vulnerabilities |
| `mediumCount` | Number of MEDIUM vulnerabilities |
| `lowCount` | Number of LOW vulnerabilities |
| `hasVulnerabilities` | Boolean — true if any vulnerabilities found |
| `vulnerabilities[].id` | OSV vulnerability ID (e.g., GHSA-29mw-wpgm-hmr9) |
| `vulnerabilities[].cveIds` | List of CVE IDs (e.g., `["CVE-2020-28500"]`) |
| `vulnerabilities[].summary` | Short description of the vulnerability |
| `vulnerabilities[].severity` | Severity level: CRITICAL / HIGH / MEDIUM / LOW / UNKNOWN |
| `vulnerabilities[].cvssScore` | CVSS numeric score if available |
| `vulnerabilities[].affectedVersionRanges` | Version ranges where the vulnerability exists |
| `vulnerabilities[].fixedInVersions` | Versions that contain the fix |
| `vulnerabilities[].references` | Links to advisories and CVE pages |
| `vulnerabilities[].publishedAt` | Date the vulnerability was published |
| `vulnerabilities[].detailUrl` | OSV.dev detail page URL |
| `error` | Error message if the package check failed |
### How much does it cost to check npm packages for vulnerabilities?
NPM Vulnerability Checker uses **pay-per-event pricing** — you only pay for what you use.
| Tier | Start fee | Per package |
|------|-----------|-------------|
| Free ($5 credit) | $0.005 | $0.00115 |
| Starter ($29/mo) | $0.005 | $0.001 |
| Scale ($199/mo) | $0.005 | $0.00078 |
| Business ($999/mo) | $0.005 | $0.0006 |
**Real-world cost examples:**
- Check 10 packages → ~$0.015 (practically free)
- Check 100 packages → ~$0.105 on Starter plan
- Check 1,000 packages → ~$1.005 on Starter plan
- Daily scan of 50 packages (365 days) → ~$18.98/year on Starter plan
**Free plan users** get $5 in credits, enough to check ~4,300 packages before paying anything.
### How to check npm packages for vulnerabilities
1. Go to [NPM Vulnerability Checker on Apify Store](https://apify.com/automation-lab/npm-vulnerability-checker)
2. Click **Try for free**
3. In the **Packages to Check** field, enter your package names (one per line)
- With version: `lodash@4.17.20`
- Without version: `lodash` (returns all known vulnerabilities)
- Scoped packages: `@babel/core@7.20.0`
4. Optionally uncheck **Include LOW severity** to focus on HIGH and CRITICAL issues
5. Click **Start** and wait a few seconds
6. Review results in the **Dataset** tab — filter by `hasVulnerabilities: true` for vulnerable packages
7. Export as **JSON**, **CSV**, or **Excel** for your reports
**Input JSON example — checking a typical production app:**
```json
{
"packages": [
"express@4.17.1",
"lodash@4.17.20",
"axios@0.21.1",
"webpack@5.75.0",
"log4js@6.3.0"
],
"includeLow": false,
"includeDetails": true
}
````
**Input JSON example — quick summary scan (no details):**
```json
{
"packages": ["react@18.2.0", "next@13.0.0", "typescript@5.0.0"],
"includeLow": true,
"includeDetails": false
}
```
### Input parameters
| Parameter | Type | Default | Description |
|-----------|------|---------|-------------|
| `packages` | array | required | List of npm package names to check. Format: `package-name` or `package-name@version` |
| `includeLow` | boolean | `true` | Include LOW severity vulnerabilities. Set `false` to show only MEDIUM, HIGH, and CRITICAL |
| `includeDetails` | boolean | `true` | Include full vulnerability details (version ranges, fix versions, references). Set `false` for summary-only output |
| `maxVulnsPerPackage` | integer | `0` | Maximum vulnerabilities to return per package. `0` = no limit |
### Output examples
**Vulnerable package with CVE details:**
```json
{
"packageName": "lodash",
"version": "4.17.20",
"vulnerabilityCount": 5,
"highestSeverity": "HIGH",
"criticalCount": 0,
"highCount": 2,
"mediumCount": 3,
"lowCount": 0,
"unknownCount": 0,
"hasVulnerabilities": true,
"vulnerabilities": [
{
"id": "GHSA-29mw-wpgm-hmr9",
"aliases": ["CVE-2020-28500"],
"summary": "Regular Expression Denial of Service (ReDoS) in lodash",
"severity": "MEDIUM",
"cvssScore": null,
"cveIds": ["CVE-2020-28500"],
"affectedVersionRanges": [
{ "introduced": "0", "fixed": "4.17.21" }
],
"fixedInVersions": ["4.17.21"],
"references": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-28500",
"https://github.com/lodash/lodash/pull/5065"
],
"publishedAt": "2021-02-15T00:00:00Z",
"detailUrl": "https://osv.dev/vulnerability/GHSA-29mw-wpgm-hmr9"
}
],
"error": null
}
```
**Clean package:**
```json
{
"packageName": "react",
"version": "18.2.0",
"vulnerabilityCount": 0,
"highestSeverity": null,
"criticalCount": 0,
"highCount": 0,
"mediumCount": 0,
"lowCount": 0,
"unknownCount": 0,
"hasVulnerabilities": false,
"vulnerabilities": [],
"error": null
}
```
### Tips for best results
- 🎯 **Check specific versions** for accurate results — without a version, you get all vulnerabilities ever reported for the package (useful for auditing, not for checking a specific install)
- 🔍 **Start with HIGH and CRITICAL** — set `includeLow: false` to focus on urgent fixes first
- 📋 **Export your `package.json`** — copy all dependency names and versions from your lock file for a complete audit
- ⏱️ **Schedule daily runs** via Apify's scheduling feature to catch new CVEs as they're published to OSV.dev
- 📊 **Use `includeDetails: false`** for a quick dashboard view when you just want the count and severity per package
- 🔔 **Set up webhooks** to get notified when a scan finds new vulnerabilities above a threshold
- 🔗 **Connect to Slack** — pipe results through Make or Zapier to alert your team on CRITICAL findings
### Integrations
**NPM Vulnerability Checker → Google Sheets (weekly security report):**
Schedule a weekly run checking all your pinned dependencies. Connect Apify's Google Sheets integration to auto-populate a vulnerability tracking spreadsheet that your security team reviews every Monday.
**NPM Vulnerability Checker → Slack (CRITICAL alert on merge):**
Trigger a run via API when a PR is merged to main. If any `criticalCount > 0` in the results, send a Slack message to `#security-alerts` with the CVE details. Webhook or Make handles the routing.
**NPM Vulnerability Checker → Jira (auto-create tickets):**
Use the Apify → Zapier → Jira integration to automatically create security tickets for any package where `highestSeverity === 'CRITICAL' || highestSeverity === 'HIGH'`. Include `fixedInVersions` in the ticket body so developers know the fix.
**NPM Vulnerability Checker → CI/CD pipeline (blocking gate):**
Call the actor via API from your CI pipeline (GitHub Actions, GitLab CI) after `npm install`. If any package returns `criticalCount > 0`, fail the build. Use the `start_synchronously=true` API flag to wait for completion inline.
**Scheduled monitoring (new CVE detection):**
Schedule daily scans of your pinned dependencies. Compare results over time using Apify datasets — when `vulnerabilityCount` increases for a package, a new CVE was published. Pipe the diff to your incident management system.
### Using the Apify API
**Node.js:**
```javascript
import { ApifyClient } from 'apify-client';
const client = new ApifyClient({ token: 'YOUR_APIFY_TOKEN' });
const run = await client.actor('automation-lab/npm-vulnerability-checker').call({
packages: ['express@4.17.1', 'lodash@4.17.20', 'axios@0.21.1'],
includeLow: false,
includeDetails: true,
});
const { items } = await client.dataset(run.defaultDatasetId).listItems();
const vulnerable = items.filter(pkg => pkg.hasVulnerabilities);
console.log(`Vulnerable packages: ${vulnerable.length}/${items.length}`);
```
**Python:**
```python
from apify_client import ApifyClient
client = ApifyClient('YOUR_APIFY_TOKEN')
run = client.actor('automation-lab/npm-vulnerability-checker').call(run_input={
'packages': ['express@4.17.1', 'lodash@4.17.20', 'axios@0.21.1'],
'includeLow': False,
'includeDetails': True,
})
items = client.dataset(run['defaultDatasetId']).list_items().items
vulnerable = [pkg for pkg in items if pkg['hasVulnerabilities']]
print(f'Vulnerable: {len(vulnerable)}/{len(items)}')
for pkg in vulnerable:
print(f" {pkg['packageName']}@{pkg['version']}: {pkg['highestSeverity']} ({pkg['vulnerabilityCount']} vulns)")
```
**cURL:**
```bash
curl -s -X POST \
"https://api.apify.com/v2/acts/automation-lab~npm-vulnerability-checker/run-sync-get-dataset-items?token=YOUR_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"packages": ["express@4.17.1", "lodash@4.17.20"],
"includeLow": false
}'
```
### Use with AI agents via MCP
NPM Vulnerability Checker is available as a tool for AI assistants that support the [Model Context Protocol (MCP)](https://docs.apify.com/platform/integrations/mcp).
Add the Apify MCP server to your AI client — this gives you access to all Apify actors, including this one:
#### Setup for Claude Code
```bash
claude mcp add --transport http apify "https://mcp.apify.com"
```
#### Setup for Claude Desktop, Cursor, or VS Code
Add this to your MCP config file:
```json
{
"mcpServers": {
"apify": {
"url": "https://mcp.apify.com"
}
}
}
```
Your AI assistant will use OAuth to authenticate with your Apify account on first use.
#### Example prompts
Once connected, try asking your AI assistant:
- "Use automation-lab/npm-vulnerability-checker to check express@4.17.1, lodash@4.17.20, and axios@0.21.1 for vulnerabilities and show me only HIGH and CRITICAL issues"
- "Scan these packages for CVEs and tell me which ones have a fix available: webpack@5.75.0, semver@6.3.0, minimist@1.2.5"
- "Check my dependencies for security issues and give me a summary of the worst findings sorted by severity"
Learn more in the [Apify MCP documentation](https://docs.apify.com/platform/integrations/mcp).
### Is it legal to use NPM Vulnerability Checker?
Yes. This actor only queries the [OSV.dev](https://osv.dev) public API, which is explicitly designed for programmatic access. OSV.dev is an open source vulnerability database maintained by Google and the open source security community. There is no scraping of third-party websites, no authentication bypass, and no terms of service violations.
The OSV.dev API has no usage fees or rate limiting for reasonable use. All vulnerability data is publicly available and licensed for redistribution.
As always, use the data responsibly. Vulnerability information is for defensive security purposes — to help you fix your own software — not for offensive use.
### FAQ
**How accurate is the vulnerability data?**
The data comes directly from OSV.dev, which aggregates from GitHub Security Advisories (GHSA), the National Vulnerability Database (NVD), and other authoritative sources. It's the same data used by GitHub Dependabot. For any given CVE, accuracy is dependent on the upstream source reporting it correctly.
**How much does it cost to scan 100 packages?**
On the Starter plan ($29/month): $0.005 (start) + 100 × $0.001 = **$0.105**. On the free plan you get $5 in credits, which covers ~4,300 packages.
**Does it work without specifying a version?**
Yes — if you omit the version (e.g., `lodash` instead of `lodash@4.17.20`), the actor returns all vulnerabilities ever associated with that package. This is useful for getting a complete picture but less actionable than version-specific results.
**Why does a package show UNKNOWN severity?**
Not all OSV entries have CVSS scores. UNKNOWN means the advisory exists but no severity rating was published in the database. You should still investigate UNKNOWN entries — check the `detailUrl` for the full advisory.
**Why are results empty for a package I know is vulnerable?**
OSV.dev may not have indexed all vulnerabilities for every package. It's primarily focused on GHSA and NVD. For maximum coverage, also check [Snyk Vulnerability DB](https://snyk.io/vuln) and [npm audit](https://docs.npmjs.com/cli/v10/commands/npm-audit) directly. If you're checking a very new CVE published in the last 24 hours, it may not yet be in OSV.
**Can I check a whole `package.json` at once?**
Not directly — you need to extract the package names and versions from your `package.json` or `package-lock.json` first. The easiest way: `node -e "const p=require('./package.json'); console.log(JSON.stringify(Object.entries(p.dependencies).map(([k,v])=>k+'@'+v.replace(/[^0-9.]/g,''))))"` to get a list suitable for the `packages` input.
**How is this different from `npm audit`?**
`npm audit` analyzes your entire dependency tree (including transitive deps) and is tightly integrated with npm's own advisory database. This actor uses OSV.dev which aggregates from multiple sources and returns more structured data — better for programmatic use, CI gates, and bulk batch analysis outside of a Node.js environment.
### Other security and utility tools
- [SSL Certificate Checker](https://apify.com/automation-lab/ssl-certificate-checker) — check SSL/TLS certificate validity, expiry, and chain issues
- [DNS Record Checker](https://apify.com/automation-lab/dns-record-checker) — query A, AAAA, MX, CNAME, TXT, NS records for any domain
- [DMARC Record Checker](https://apify.com/automation-lab/dmarc-record-checker) — validate DMARC email authentication policies
- [Broken Link Checker](https://apify.com/automation-lab/broken-link-checker) — crawl websites and find all broken links (404s)
- [CNAME Record Checker](https://apify.com/automation-lab/cname-record-checker) — bulk CNAME record lookup and validation
- [Canonical URL Checker](https://apify.com/automation-lab/canonical-url-checker) — verify canonical tags and redirect chains
- [Ads.txt Checker](https://apify.com/automation-lab/ads-txt-checker) — validate ads.txt files for programmatic advertising compliance
# Actor input Schema
## `packages` (type: `array`):
List of npm package names to check. Optionally include a version (e.g. lodash@4.17.20). Without a version, all known vulnerabilities for the package are returned.
## `includeLow` (type: `boolean`):
Include LOW severity vulnerabilities in output. Uncheck to show only MEDIUM, HIGH, and CRITICAL.
## `includeDetails` (type: `boolean`):
Include affected version ranges and fix versions for each vulnerability. Disable to get a summary-only output.
## `maxVulnsPerPackage` (type: `integer`):
Limit the number of vulnerabilities returned per package. 0 = no limit.
## Actor input object example
```json
{
"packages": [
"lodash@4.17.20",
"axios@0.21.1",
"express@4.17.1",
"log4js@6.3.0"
],
"includeLow": true,
"includeDetails": true,
"maxVulnsPerPackage": 0
}
```
# Actor output Schema
## `overview` (type: `string`):
No description
# API
You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup.
## JavaScript example
```javascript
import { ApifyClient } from 'apify-client';
// Initialize the ApifyClient with your Apify API token
// Replace the '' with your token
const client = new ApifyClient({
token: '',
});
// Prepare Actor input
const input = {
"packages": [
"lodash@4.17.20",
"axios@0.21.1",
"express@4.17.1",
"log4js@6.3.0"
]
};
// Run the Actor and wait for it to finish
const run = await client.actor("automation-lab/npm-vulnerability-checker").call(input);
// Fetch and print Actor results from the run's dataset (if any)
console.log('Results from dataset');
console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`);
const { items } = await client.dataset(run.defaultDatasetId).listItems();
items.forEach((item) => {
console.dir(item);
});
// 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs
```
## Python example
```python
from apify_client import ApifyClient
# Initialize the ApifyClient with your Apify API token
# Replace '' with your token.
client = ApifyClient("")
# Prepare the Actor input
run_input = { "packages": [
"lodash@4.17.20",
"axios@0.21.1",
"express@4.17.1",
"log4js@6.3.0",
] }
# Run the Actor and wait for it to finish
run = client.actor("automation-lab/npm-vulnerability-checker").call(run_input=run_input)
# Fetch and print Actor results from the run's dataset (if there are any)
print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"])
for item in client.dataset(run["defaultDatasetId"]).iterate_items():
print(item)
# 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start
```
## CLI example
```bash
echo '{
"packages": [
"lodash@4.17.20",
"axios@0.21.1",
"express@4.17.1",
"log4js@6.3.0"
]
}' |
apify call automation-lab/npm-vulnerability-checker --silent --output-dataset
```
## MCP server setup
```json
{
"mcpServers": {
"apify": {
"command": "npx",
"args": [
"mcp-remote",
"https://mcp.apify.com/?tools=automation-lab/npm-vulnerability-checker",
"--header",
"Authorization: Bearer "
]
}
}
}
```
## OpenAPI specification
```json
{
"openapi": "3.0.1",
"info": {
"title": "NPM Vulnerability Checker",
"description": "Check npm packages for known vulnerabilities via OSV.dev API. Input package names with optional versions — get CVE IDs, severity (CRITICAL/HIGH/MEDIUM/LOW), affected ranges, and fix versions. No proxy needed.",
"version": "0.1",
"x-build-id": "nGuFYK4agwP8wQGhy"
},
"servers": [
{
"url": "https://api.apify.com/v2"
}
],
"paths": {
"/acts/automation-lab~npm-vulnerability-checker/run-sync-get-dataset-items": {
"post": {
"operationId": "run-sync-get-dataset-items-automation-lab-npm-vulnerability-checker",
"x-openai-isConsequential": false,
"summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.",
"tags": [
"Run Actor"
],
"requestBody": {
"required": true,
"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/inputSchema"
}
}
}
},
"parameters": [
{
"name": "token",
"in": "query",
"required": true,
"schema": {
"type": "string"
},
"description": "Enter your Apify token here"
}
],
"responses": {
"200": {
"description": "OK"
}
}
}
},
"/acts/automation-lab~npm-vulnerability-checker/runs": {
"post": {
"operationId": "runs-sync-automation-lab-npm-vulnerability-checker",
"x-openai-isConsequential": false,
"summary": "Executes an Actor and returns information about the initiated run in response.",
"tags": [
"Run Actor"
],
"requestBody": {
"required": true,
"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/inputSchema"
}
}
}
},
"parameters": [
{
"name": "token",
"in": "query",
"required": true,
"schema": {
"type": "string"
},
"description": "Enter your Apify token here"
}
],
"responses": {
"200": {
"description": "OK",
"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/runsResponseSchema"
}
}
}
}
}
}
},
"/acts/automation-lab~npm-vulnerability-checker/run-sync": {
"post": {
"operationId": "run-sync-automation-lab-npm-vulnerability-checker",
"x-openai-isConsequential": false,
"summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.",
"tags": [
"Run Actor"
],
"requestBody": {
"required": true,
"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/inputSchema"
}
}
}
},
"parameters": [
{
"name": "token",
"in": "query",
"required": true,
"schema": {
"type": "string"
},
"description": "Enter your Apify token here"
}
],
"responses": {
"200": {
"description": "OK"
}
}
}
}
},
"components": {
"schemas": {
"inputSchema": {
"type": "object",
"required": [
"packages"
],
"properties": {
"packages": {
"title": "📦 npm packages",
"type": "array",
"description": "List of npm package names to check. Optionally include a version (e.g. lodash@4.17.20). Without a version, all known vulnerabilities for the package are returned.",
"items": {
"type": "string"
}
},
"includeLow": {
"title": "Include LOW severity",
"type": "boolean",
"description": "Include LOW severity vulnerabilities in output. Uncheck to show only MEDIUM, HIGH, and CRITICAL.",
"default": true
},
"includeDetails": {
"title": "Include full vulnerability details",
"type": "boolean",
"description": "Include affected version ranges and fix versions for each vulnerability. Disable to get a summary-only output.",
"default": true
},
"maxVulnsPerPackage": {
"title": "Max vulnerabilities per package",
"minimum": 0,
"type": "integer",
"description": "Limit the number of vulnerabilities returned per package. 0 = no limit.",
"default": 0
}
}
},
"runsResponseSchema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"actId": {
"type": "string"
},
"userId": {
"type": "string"
},
"startedAt": {
"type": "string",
"format": "date-time",
"example": "2025-01-08T00:00:00.000Z"
},
"finishedAt": {
"type": "string",
"format": "date-time",
"example": "2025-01-08T00:00:00.000Z"
},
"status": {
"type": "string",
"example": "READY"
},
"meta": {
"type": "object",
"properties": {
"origin": {
"type": "string",
"example": "API"
},
"userAgent": {
"type": "string"
}
}
},
"stats": {
"type": "object",
"properties": {
"inputBodyLen": {
"type": "integer",
"example": 2000
},
"rebootCount": {
"type": "integer",
"example": 0
},
"restartCount": {
"type": "integer",
"example": 0
},
"resurrectCount": {
"type": "integer",
"example": 0
},
"computeUnits": {
"type": "integer",
"example": 0
}
}
},
"options": {
"type": "object",
"properties": {
"build": {
"type": "string",
"example": "latest"
},
"timeoutSecs": {
"type": "integer",
"example": 300
},
"memoryMbytes": {
"type": "integer",
"example": 1024
},
"diskMbytes": {
"type": "integer",
"example": 2048
}
}
},
"buildId": {
"type": "string"
},
"defaultKeyValueStoreId": {
"type": "string"
},
"defaultDatasetId": {
"type": "string"
},
"defaultRequestQueueId": {
"type": "string"
},
"buildNumber": {
"type": "string",
"example": "1.0.0"
},
"containerUrl": {
"type": "string"
},
"usage": {
"type": "object",
"properties": {
"ACTOR_COMPUTE_UNITS": {
"type": "integer",
"example": 0
},
"DATASET_READS": {
"type": "integer",
"example": 0
},
"DATASET_WRITES": {
"type": "integer",
"example": 0
},
"KEY_VALUE_STORE_READS": {
"type": "integer",
"example": 0
},
"KEY_VALUE_STORE_WRITES": {
"type": "integer",
"example": 1
},
"KEY_VALUE_STORE_LISTS": {
"type": "integer",
"example": 0
},
"REQUEST_QUEUE_READS": {
"type": "integer",
"example": 0
},
"REQUEST_QUEUE_WRITES": {
"type": "integer",
"example": 0
},
"DATA_TRANSFER_INTERNAL_GBYTES": {
"type": "integer",
"example": 0
},
"DATA_TRANSFER_EXTERNAL_GBYTES": {
"type": "integer",
"example": 0
},
"PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
"type": "integer",
"example": 0
},
"PROXY_SERPS": {
"type": "integer",
"example": 0
}
}
},
"usageTotalUsd": {
"type": "number",
"example": 0.00005
},
"usageUsd": {
"type": "object",
"properties": {
"ACTOR_COMPUTE_UNITS": {
"type": "integer",
"example": 0
},
"DATASET_READS": {
"type": "integer",
"example": 0
},
"DATASET_WRITES": {
"type": "integer",
"example": 0
},
"KEY_VALUE_STORE_READS": {
"type": "integer",
"example": 0
},
"KEY_VALUE_STORE_WRITES": {
"type": "number",
"example": 0.00005
},
"KEY_VALUE_STORE_LISTS": {
"type": "integer",
"example": 0
},
"REQUEST_QUEUE_READS": {
"type": "integer",
"example": 0
},
"REQUEST_QUEUE_WRITES": {
"type": "integer",
"example": 0
},
"DATA_TRANSFER_INTERNAL_GBYTES": {
"type": "integer",
"example": 0
},
"DATA_TRANSFER_EXTERNAL_GBYTES": {
"type": "integer",
"example": 0
},
"PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
"type": "integer",
"example": 0
},
"PROXY_SERPS": {
"type": "integer",
"example": 0
}
}
}
}
}
}
}
}
}
}
```