I built a CVE scanner for Python/Node with zero dependencies. Here's why that matters.
Most dependency scanners are themselves a dependency problem. You install safety or pip-audit and suddenly you're pulling in 12 packages just to check if your 3 packages are safe. That always bothered me.
So I built Depheal. It scans your requirements.txt and package.json for known CVEs and abandoned packages - and it has zero dependencies. Pure Python stdlib. Nothing else.
pip install depheal
depwise scan .
What it actually does
- Hits the OSV.dev API for real CVE data
- Detects abandoned packages (no updates in 3+ years, deprecated, etc.)
- Works on Python and Node projects
- --strict flag exits with code 1 - great for CI pipelines
- depwise why explains what's wrong with a specific package
Sample output from scanning my own project today:
python-dotenv@1.0 medium 1 CVE fix: 1.1.2
python-dotenv: Symlink following in set_key allows arbitrary file overwrite
1 vulnerable, 1 ok to fix: pip install python-dotenv==1.1.2
Found a real CVE in my own codebase while testing. Caught in 3 seconds.
The bug I fixed today
Version 0.1.0 had an embarrassing flaw. If the network check failed - firewall blocking osv.dev, timeout, rate limit, anything - the tool silently reported every package as ok. No warning. Nothing.
For a security tool that's the worst possible failure mode. You'd think you're safe when you're actually just unchecked.
0.1.1 fixes this. Now it shows unknown (check failed) with an explicit message not to trust the result. Honest output matters more than clean output.
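To make the failure mode concrete, here is a small stdlib-only checker written for this post as an added example; it is not Depheal's code and the function names (parse_requirements, check_package, scan, exit_code) are my own. It queries the public OSV.dev endpoint https://api.osv.dev/v1/query the way the feature list above describes, and it keeps three result states apart: ok, vulnerable, and unknown (check failed). The transport function is injectable so the "firewall blocked osv.dev" path can be exercised offline. One design choice that goes beyond the post: in strict mode an unknown result also fails the build, on the reasoning that a CI gate should not pass on a result nobody verified.

```python
"""Three-state dependency check against OSV.dev using only the standard library.

Added example, not Depheal's own code. The point it demonstrates is the bug
described above: a failed network check must come back as "unknown (check
failed)", never as "ok".
"""
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Optional

OSV_QUERY_URL = "https://api.osv.dev/v1/query"  # real public endpoint

# Constructed sample requirements.txt content (not a real project file).
SAMPLE_REQUIREMENTS = """\
# constructed sample input
python-dotenv==1.0
requests==2.31.0   # pinned
flask>=2.0         # unpinned: no exact version to query
"""


def parse_requirements(text: str) -> list[tuple[str, Optional[str]]]:
    """Return (name, version) pairs; version is None unless pinned with ==."""
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==\s*([^\s;]+))?", line)
        if m:
            deps.append((m.group(1), m.group(3)))
    return deps


def osv_query_payload(name: str, version: str, ecosystem: str = "PyPI") -> dict:
    """Body for POST /v1/query as documented by OSV.dev."""
    return {"package": {"name": name, "ecosystem": ecosystem}, "version": version}


def osv_http_fetch(payload: dict, timeout: float = 10.0) -> dict:
    """Real network call. Raises on transport errors, HTTP errors or bad JSON."""
    req = urllib.request.Request(
        OSV_QUERY_URL,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def check_package(name: str, version: Optional[str],
                  fetch: Callable[[dict], dict] = osv_http_fetch,
                  ecosystem: str = "PyPI") -> dict:
    """Classify one package as ok, vulnerable, or unknown."""
    if version is None:
        return {"name": name, "status": "unknown", "reason": "version not pinned"}
    try:
        data = fetch(osv_query_payload(name, version, ecosystem))
    except (urllib.error.URLError, OSError, TimeoutError, ValueError) as exc:
        # This is the path 0.1.0 got wrong: an exception here is NOT "no CVEs".
        return {"name": name, "status": "unknown",
                "reason": f"check failed: {exc}; do not trust this result"}
    vulns = data.get("vulns", [])  # OSV returns {} when nothing is known
    if vulns:
        return {"name": name, "status": "vulnerable",
                "ids": [v.get("id") for v in vulns]}
    return {"name": name, "status": "ok"}


def scan(text: str, fetch: Callable[[dict], dict] = osv_http_fetch) -> list[dict]:
    """Check every pinned dependency in a requirements.txt body."""
    return [check_package(n, v, fetch) for n, v in parse_requirements(text)]


def exit_code(results: list[dict], strict: bool = False) -> int:
    """Exit 1 on any vulnerable package; in strict mode also on any unknown."""
    statuses = {r["status"] for r in results}
    if "vulnerable" in statuses:
        return 1
    if strict and "unknown" in statuses:
        return 1
    return 0


if __name__ == "__main__":
    # Stand-alone run against the real API (needs network access).
    for r in scan(SAMPLE_REQUIREMENTS):
        extra = r.get("reason") or ", ".join(r.get("ids", []))
        print(f"{r['name']:<20} {r['status']:<10} {extra}")
```

Run it with network access and the unpinned flask line comes back unknown alongside whatever OSV reports for the two pinned packages; run it behind a blocking proxy and every line reads unknown with a check-failed reason, which is exactly the output 0.1.0 swallowed.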
Why zero dependencies?
A scanner that introduces attack surface is a bad scanner. Every dependency you add is something that could have its own CVE tomorrow. Also I built this entirely from my laptop.
What's next
- GitHub Actions support
- Lock file support (poetry.lock, package-lock.json)
- More ecosystems (Go, Rust)
If something's broken or missing, open an issue.
GitHub: https://github.com/hunzo1/depheal
Thanks for reading the full post.