{"id":14483612,"url":"https://github.com/NodeSecure/vulnera","last_synced_at":"2025-08-30T04:31:41.337Z","repository":{"id":37965436,"uuid":"393710501","full_name":"NodeSecure/vulnera","owner":"NodeSecure","description":"Programmatically fetch security vulnerabilities with one or many strategies (NPM Audit, Sonatype, Snyk, Node.js DB).","archived":false,"fork":false,"pushed_at":"2024-08-14T11:20:08.000Z","size":836,"stargazers_count":30,"open_issues_count":6,"forks_count":14,"subscribers_count":4,"default_branch":"main","last_synced_at":"2024-08-14T12:45:56.087Z","etag":null,"topics":["audit","nodesecure","npm","security","vuln","vulnerabilities"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/NodeSecure.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-08-07T14:48:19.000Z","updated_at":"2024-08-14T12:45:57.816Z","dependencies_parsed_at":"2023-11-07T03:10:26.399Z","dependency_job_id":"149e002f-196c-4438-8bc7-65a7d16864e0","html_url":"https://github.com/NodeSecure/vulnera","commit_stats":{"total_commits":125,"total_committers":12,"mean_commits":"10.416666666666666","dds":0.488,"last_synced_commit":"7311c048bd2580687fd6e3e26fbfd9c792118d90"},"previous_names":["nodesecure/vuln"],"tags_count":8,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NodeSecure%2Fvulnera","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NodeSecure%2Fvulnera/tags","releases_url":"ht
tps://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NodeSecure%2Fvulnera/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NodeSecure%2Fvulnera/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/NodeSecure","download_url":"https://codeload.github.com/NodeSecure/vulnera/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":217593012,"owners_count":16201561,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["audit","nodesecure","npm","security","vuln","vulnerabilities"],"created_at":"2024-09-03T00:01:54.568Z","updated_at":"2025-08-30T04:31:41.310Z","avatar_url":"https://github.com/NodeSecure.png","language":"TypeScript","readme":"\u003cp align=\"center\"\u003e\n  \u003cimg alt=\"vulnera\" src=\"https://user-images.githubusercontent.com/43391199/180091156-9cf883b3-05bc-4c69-9943-3d1168818fab.png\" width=\"650\"\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n    \u003ca href=\"https://github.com/NodeSecure/vulnera\"\u003e\n      \u003cimg src=\"https://img.shields.io/github/package-json/v/NodeSecure/vulnera?style=for-the-badge\" alt=\"npm version\"\u003e\n    \u003c/a\u003e\n    \u003ca href=\"https://github.com/NodeSecure/vulnera\"\u003e\n      \u003cimg src=\"https://img.shields.io/github/license/NodeSecure/vulnera?style=for-the-badge\" alt=\"license\"\u003e\n    \u003c/a\u003e\n    \u003ca href=\"https://api.securityscorecards.dev/projects/github.com/NodeSecure/vulnera\"\u003e\n      \u003cimg 
src=\"https://api.securityscorecards.dev/projects/github.com/NodeSecure/vulnera/badge?style=for-the-badge\" alt=\"ossf scorecard\"\u003e\n    \u003c/a\u003e\n    \u003ca href=\"https://github.com/NodeSecure/vulnera/actions?query=workflow%3A%22Node.js+CI%22\"\u003e\n      \u003cimg src=\"https://img.shields.io/github/actions/workflow/status/NodeSecure/vulnera/main.yml?style=for-the-badge\" alt=\"github ci workflow\"\u003e\n    \u003c/a\u003e\n\u003c/p\u003e\n\nThe **vuln-*era*** has begun! Programmatically fetch security vulnerabilities with one or many strategies. Originally designed to run on and analyze [Scanner](https://github.com/NodeSecure/scanner) dependencies, it now also runs independently from an npm manifest.\n\n## Requirements\n- [Node.js](https://nodejs.org/en/) v20 or higher\n\n## Getting Started\n\nThis package is available in the Node Package Repository and can be easily installed with [npm](https://docs.npmjs.com/getting-started/what-is-npm) or [yarn](https://yarnpkg.com).\n\n```bash\n$ npm i @nodesecure/vulnera\n# or\n$ yarn add @nodesecure/vulnera\n```\n\n## Usage example\n\n```js\nimport * as vulnera from \"@nodesecure/vulnera\";\n\nawait vulnera.setStrategy(\n  vulnera.strategies.GITHUB_ADVISORY\n);\n\nconst definition = await vulnera.getStrategy();\nconsole.log(definition.strategy);\n\nconst vulnerabilities = await definition.getVulnerabilities(process.cwd(), {\n  useFormat: \"Standard\"\n});\nconsole.log(vulnerabilities);\n```\n\n## Available strategies\n\nThe default strategy is **NONE**, which means no strategy at all (we execute nothing).\n\n[GitHub Advisory](./docs/github_advisory.md) | [Sonatype - OSS Index](./docs/sonatype.md) | Snyk\n:-------------------------:|:-------------------------:|:-------------------------:\n\u003cimg src=\"https://upload.wikimedia.org/wikipedia/commons/thumb/d/db/Npm-logo.svg/1200px-Npm-logo.svg.png\" width=\"300\"\u003e | \u003cimg src=\"https://ossindex.sonatype.org/assets/images/sonatype-image.png\" 
width=\"400\"\u003e | \u003cimg src=\"https://res.cloudinary.com/snyk/image/upload/v1537345894/press-kit/brand/logo-black.png\" width=\"400\"\u003e\n\nThose strategies are described as a string **type** with the following TypeScript definition:\n```ts\ntype Kind = \"github-advisory\" | \"snyk\" | \"sonatype\" | \"none\";\n```\n\nTo add a strategy or better understand how the code works, please consult [the following guide](./docs/adding_new_strategy.md).\n\n## API\n\n```ts\nfunction setStrategy\u003cT extends Kind\u003e(name: T): AllStrategy[T];\nfunction getStrategy(): AnyStrategy;\n\nconst strategies = Object.freeze({\n  GITHUB_ADVISORY: \"github-advisory\",\n  SNYK: \"snyk\",\n  SONATYPE: \"sonatype\",\n  NONE: \"none\"\n});\n\n/** Equal to strategies.NONE by default **/\nconst defaultStrategyName: \"none\";\n```\n\nStrategies extend the following set of interfaces:\n\n```ts\nexport interface BaseStrategy\u003cT extends Kind\u003e {\n  /** Name of the strategy **/\n  strategy: T;\n  /** Method to hydrate dependency vulnerabilities fetched by the Scanner **/\n  hydratePayloadDependencies: (\n    dependencies: Dependencies,\n    options?: HydratePayloadDepsOptions\n  ) =\u003e Promise\u003cvoid\u003e;\n}\n\nexport interface ExtendedStrategy\u003c\n  T extends Kind, VulnFormat\n\u003e extends BaseStrategy\u003cT\u003e {\n  /** Method to get vulnerabilities using the current strategy **/\n  getVulnerabilities: (\n    path: string,\n    options?: BaseStrategyOptions\n  ) =\u003e Promise\u003c(VulnFormat | StandardVulnerability)[]\u003e;\n}\n\nexport type BaseStrategyFormat = \"Standard\";\n\nexport interface BaseStrategyOptions {\n  useFormat?: BaseStrategyFormat;\n}\n\nexport interface HydratePayloadDepsOptions extends BaseStrategyOptions {\n  /**\n   * Absolute path to the location to analyze\n   * (with a package.json and/or package-lock.json for NPM Audit for example)\n   **/\n  path?: string;\n}\n```\n\nWhere `dependencies` is the dependencies **Map()** 
object of the NodeSecure Scanner.\n\n\u003e [!NOTE] \n\u003e The option **hydrateDatabase** is only useful for some of the strategies (like Node.js Security WG).\n\n### Formats\n- [Standard](./docs/formats/standard.md)\n\n### Databases\n- [OSV](./docs/database/osv.md)\n- [NVD](./docs/database/nvd.md)\n- [Snyk](./docs/database/snyk.md)\n- [Sonatype](./docs/database/sonatype.md)\n\n## Contributors ✨\n\n\u003c!-- ALL-CONTRIBUTORS-BADGE:START - Do not remove or modify this section --\u003e\n[![All Contributors](https://img.shields.io/badge/all_contributors-8-orange.svg?style=flat-square)](#contributors-)\n\u003c!-- ALL-CONTRIBUTORS-BADGE:END --\u003e\n\nThanks goes to these wonderful people ([emoji key](https://allcontributors.org/docs/en/emoji-key)):\n\n\u003c!-- ALL-CONTRIBUTORS-LIST:START - Do not remove or modify this section --\u003e\n\u003c!-- prettier-ignore-start --\u003e\n\u003c!-- markdownlint-disable --\u003e\n\u003ctable\u003e\n  \u003ctbody\u003e\n    \u003ctr\u003e\n      \u003ctd align=\"center\" valign=\"top\" width=\"14.28%\"\u003e\u003ca href=\"https://www.linkedin.com/in/thomas-gentilhomme/\"\u003e\u003cimg src=\"https://avatars.githubusercontent.com/u/4438263?v=4?s=100\" width=\"100px;\" alt=\"Gentilhomme\"/\u003e\u003cbr /\u003e\u003csub\u003e\u003cb\u003eGentilhomme\u003c/b\u003e\u003c/sub\u003e\u003c/a\u003e\u003cbr /\u003e\u003ca href=\"https://github.com/NodeSecure/vulnera/commits?author=fraxken\" title=\"Code\"\u003e💻\u003c/a\u003e \u003ca href=\"https://github.com/NodeSecure/vulnera/commits?author=fraxken\" title=\"Documentation\"\u003e📖\u003c/a\u003e \u003ca href=\"https://github.com/NodeSecure/vulnera/pulls?q=is%3Apr+reviewed-by%3Afraxken\" title=\"Reviewed Pull Requests\"\u003e👀\u003c/a\u003e \u003ca href=\"#security-fraxken\" title=\"Security\"\u003e🛡️\u003c/a\u003e \u003ca href=\"https://github.com/NodeSecure/vulnera/issues?q=author%3Afraxken\" title=\"Bug reports\"\u003e🐛\u003c/a\u003e\u003c/td\u003e\n      \u003ctd align=\"center\" 
valign=\"top\" width=\"14.28%\"\u003e\u003ca href=\"http://tonygo.dev\"\u003e\u003cimg src=\"https://avatars.githubusercontent.com/u/22824417?v=4?s=100\" width=\"100px;\" alt=\"Tony Gorez\"/\u003e\u003cbr /\u003e\u003csub\u003e\u003cb\u003eTony Gorez\u003c/b\u003e\u003c/sub\u003e\u003c/a\u003e\u003cbr /\u003e\u003ca href=\"https://github.com/NodeSecure/vulnera/commits?author=tony-go\" title=\"Code\"\u003e💻\u003c/a\u003e \u003ca href=\"https://github.com/NodeSecure/vulnera/pulls?q=is%3Apr+reviewed-by%3Atony-go\" title=\"Reviewed Pull Requests\"\u003e👀\u003c/a\u003e \u003ca href=\"https://github.com/NodeSecure/vulnera/issues?q=author%3Atony-go\" title=\"Bug reports\"\u003e🐛\u003c/a\u003e\u003c/td\u003e\n      \u003ctd align=\"center\" valign=\"top\" width=\"14.28%\"\u003e\u003ca href=\"https://antoinecoulon.me/\"\u003e\u003cimg src=\"https://avatars.githubusercontent.com/u/43391199?v=4?s=100\" width=\"100px;\" alt=\"Antoine\"/\u003e\u003cbr /\u003e\u003csub\u003e\u003cb\u003eAntoine\u003c/b\u003e\u003c/sub\u003e\u003c/a\u003e\u003cbr /\u003e\u003ca href=\"https://github.com/NodeSecure/vulnera/commits?author=antoine-coulon\" title=\"Code\"\u003e💻\u003c/a\u003e \u003ca href=\"https://github.com/NodeSecure/vulnera/issues?q=author%3Aantoine-coulon\" title=\"Bug reports\"\u003e🐛\u003c/a\u003e \u003ca href=\"https://github.com/NodeSecure/vulnera/commits?author=antoine-coulon\" title=\"Documentation\"\u003e📖\u003c/a\u003e\u003c/td\u003e\n      \u003ctd align=\"center\" valign=\"top\" width=\"14.28%\"\u003e\u003ca href=\"https://github.com/OlehSych\"\u003e\u003cimg src=\"https://avatars.githubusercontent.com/u/34604102?v=4?s=100\" width=\"100px;\" alt=\"OlehSych\"/\u003e\u003cbr /\u003e\u003csub\u003e\u003cb\u003eOlehSych\u003c/b\u003e\u003c/sub\u003e\u003c/a\u003e\u003cbr /\u003e\u003ca href=\"https://github.com/NodeSecure/vulnera/commits?author=OlehSych\" title=\"Code\"\u003e💻\u003c/a\u003e\u003c/td\u003e\n      \u003ctd align=\"center\" valign=\"top\" 
width=\"14.28%\"\u003e\u003ca href=\"https://github.com/Mathieuka\"\u003e\u003cimg src=\"https://avatars.githubusercontent.com/u/34446722?v=4?s=100\" width=\"100px;\" alt=\"Mathieu\"/\u003e\u003cbr /\u003e\u003csub\u003e\u003cb\u003eMathieu\u003c/b\u003e\u003c/sub\u003e\u003c/a\u003e\u003cbr /\u003e\u003ca href=\"https://github.com/NodeSecure/vulnera/commits?author=Mathieuka\" title=\"Code\"\u003e💻\u003c/a\u003e\u003c/td\u003e\n      \u003ctd align=\"center\" valign=\"top\" width=\"14.28%\"\u003e\u003ca href=\"https://github.com/PierreDemailly\"\u003e\u003cimg src=\"https://avatars.githubusercontent.com/u/39910767?v=4?s=100\" width=\"100px;\" alt=\"PierreD\"/\u003e\u003cbr /\u003e\u003csub\u003e\u003cb\u003ePierreD\u003c/b\u003e\u003c/sub\u003e\u003c/a\u003e\u003cbr /\u003e\u003ca href=\"https://github.com/NodeSecure/vulnera/commits?author=PierreDemailly\" title=\"Code\"\u003e💻\u003c/a\u003e \u003ca href=\"https://github.com/NodeSecure/vulnera/commits?author=PierreDemailly\" title=\"Documentation\"\u003e📖\u003c/a\u003e\u003c/td\u003e\n      \u003ctd align=\"center\" valign=\"top\" width=\"14.28%\"\u003e\u003ca href=\"https://github.com/fabnguess\"\u003e\u003cimg src=\"https://avatars.githubusercontent.com/u/72697416?v=4?s=100\" width=\"100px;\" alt=\"Kouadio Fabrice Nguessan\"/\u003e\u003cbr /\u003e\u003csub\u003e\u003cb\u003eKouadio Fabrice Nguessan\u003c/b\u003e\u003c/sub\u003e\u003c/a\u003e\u003cbr /\u003e\u003ca href=\"https://github.com/NodeSecure/vulnera/commits?author=fabnguess\" title=\"Code\"\u003e💻\u003c/a\u003e \u003ca href=\"#maintenance-fabnguess\" title=\"Maintenance\"\u003e🚧\u003c/a\u003e\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd align=\"center\" valign=\"top\" width=\"14.28%\"\u003e\u003ca href=\"https://github.com/AntonioliBenjamin\"\u003e\u003cimg src=\"https://avatars.githubusercontent.com/u/111560667?v=4?s=100\" width=\"100px;\" alt=\"benjamin antonioli\"/\u003e\u003cbr /\u003e\u003csub\u003e\u003cb\u003ebenjamin 
antonioli\u003c/b\u003e\u003c/sub\u003e\u003c/a\u003e\u003cbr /\u003e\u003ca href=\"https://github.com/NodeSecure/vulnera/commits?author=AntonioliBenjamin\" title=\"Code\"\u003e💻\u003c/a\u003e \u003ca href=\"https://github.com/NodeSecure/vulnera/commits?author=AntonioliBenjamin\" title=\"Tests\"\u003e⚠️\u003c/a\u003e\u003c/td\u003e\n    \u003c/tr\u003e\n  \u003c/tbody\u003e\n\u003c/table\u003e\n\n\u003c!-- markdownlint-restore --\u003e\n\u003c!-- prettier-ignore-end --\u003e\n\n\u003c!-- ALL-CONTRIBUTORS-LIST:END --\u003e\n\n## License\nMIT\n","funding_links":[],"categories":["TypeScript"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FNodeSecure%2Fvulnera","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FNodeSecure%2Fvulnera","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FNodeSecure%2Fvulnera/lists"}