Your code is only as secure as its dependencies. VEXLIT scans 12 package ecosystems - npm, yarn, pnpm, pip, Go, Cargo, Maven, Gradle, NuGet, Ruby, PHP, Swift, and Dart - for known vulnerable packages and suggests upgrade paths with minimal breaking changes.
Open-source libraries ship millions of lines of code you didn't write. A single vulnerable dependency can expose your entire application.
84% of codebases have at least one known vulnerability in dependencies
12 package ecosystems supported
< 5s to scan all dependencies
$ npx @vexlit/cli scan . --sca
Scanning dependencies...

CRITICAL  [email protected]  CVE-2021-23337 - Command Injection
          Fix: upgrade to >= 4.17.21
HIGH      [email protected]  CVE-2024-29041 - Open Redirect
          Fix: upgrade to >= 4.19.2

Dependencies analyzed: 847
  Direct: 42 | Transitive: 805
Vulnerabilities found:
  Critical: 1 | High: 3 | Medium: 7 | Low: 12
License issues:
  GPL-3.0: 2 packages
  AGPL-3.0: 1 package
VEXLIT reads your package-lock.json, yarn.lock, go.sum, Cargo.lock, and other lock files to build a complete dependency graph.
Every package and version is checked against OSV, GitHub Advisory (GHSA), and NVD databases in parallel for comprehensive coverage.
Get the exact minimum version that fixes each vulnerability. VEXLIT considers semver compatibility to minimize breaking changes.
SCA results appear alongside SAST findings in pull request reviews. Lock file changes automatically trigger dependency analysis.
VEXLIT analyzes dependencies across 12 package ecosystems and all major languages.
npm
Yarn
pnpm
pip
Maven
Gradle
Cargo
Go
NuGet
Bundler
Composer
Swift PM
Deep parsing of lock files and manifests across 12 ecosystems - npm, pip, Go modules, Cargo, Maven, Gradle, NuGet, Gemfile, Composer, and more. Every transitive dependency is checked against OSV, GitHub Advisory, and NVD databases.
Don't just find vulnerable packages - get the exact upgrade command. VEXLIT suggests the minimum version bump that fixes the vulnerability.
SCA results appear alongside SAST findings in PR reviews. Dependency vulnerabilities are flagged when lock files change.
Vulnerabilities in deeply nested dependencies are surfaced with the full dependency chain - so you know exactly which package to update.
Detect GPL, AGPL, and other copyleft licenses in your dependency tree. Avoid legal risk by catching license conflicts before they reach production.
Every package is checked against OSV, GitHub Advisory, and NVD databases simultaneously. Cross-referencing ensures no known vulnerability is missed.
“I built VEXLIT because every scanner I tried was either drowning me in false positives or missing real vulnerabilities. I wanted a tool that actually traces data flow - not just regex matching. So I built a taint analysis engine, verified it against industry benchmarks, and made the CLI free for everyone.”
Jihoon, Creator of VEXLIT
We use VEXLIT to scan VEXLIT's own codebase. Every commit runs through the same engine you use.
98.2% True Positive Rate
< 2% False Positive Rate
6,200+ Security Rules
34 Languages
Independently tested
Verified on OWASP Benchmark (2,740 cases) & Juliet Test Suite (6,864 cases)
Validated on real-world open source projects including WebGoat and NodeGoat.
VEXLIT scans your lockfiles and flags packages with known CVEs before they reach production.
Before:

    {
      "dependencies": {
        "lodash": "4.17.20",
        "express": "4.17.1",
        "jsonwebtoken": "8.5.1",
        "axios": "0.21.1"
      }
    }

After:

    {
      "dependencies": {
        "lodash": "4.17.21",
        "express": "4.21.0",
        "jsonwebtoken": "9.0.2",
        "axios": "1.7.4"
      }
    }

lodash@4.17.20 has a known prototype pollution vulnerability. Upgrade to 4.17.21+.
npm (package-lock.json)
Yarn (yarn.lock)
pnpm (pnpm-lock.yaml)
pip (requirements.txt, Pipfile.lock)
Go Modules (go.sum)
Cargo (Cargo.lock)
Maven (pom.xml)
Gradle (build.gradle)
NuGet (packages.config, *.csproj)
Bundler (Gemfile.lock)
Composer (composer.lock)
Dart/Flutter (pubspec.lock)
VEXLIT supports all major lock file formats: package-lock.json (npm), yarn.lock, pnpm-lock.yaml, go.sum, Cargo.lock, Gemfile.lock, composer.lock, Pipfile.lock, and more - 12 ecosystems total.
VEXLIT builds a full dependency graph from your lock file, tracing every transitive dependency. When a nested package is vulnerable, you see the full chain from your direct dependency to the affected package.
Three databases in parallel: OSV (primary, open-source), GitHub Advisory Database (GHSA), and the National Vulnerability Database (NVD). Results are deduplicated by advisory ID.
Yes. VEXLIT categorizes licenses as Strong Copyleft (GPL/AGPL), Weak Copyleft (LGPL/MPL), or Permissive (MIT/Apache/BSD). Copyleft licenses in your dependency tree are flagged for review.
Typically under 5 seconds for most projects. VEXLIT parses lock files locally and queries vulnerability databases in parallel, so even projects with 1000+ dependencies scan quickly.
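To make the dependency-chain and minimum-fix-version behaviour described above concrete, here is an added example (not VEXLIT's code) that walks a constructed npm package-lock.json v3 "packages" map from the root's direct dependencies, matches each installed version against a constructed OSV-style advisory list, and reports the full chain from direct dependency to affected package. The two CVE ids are taken from this page; EXAMPLE-0001 is a made-up id, and the lock file is simplified to a fully hoisted tree with no pre-release versions.

```javascript
// Constructed package-lock.json (v3 "packages" layout); not a real project's lock file.
const LOCKFILE = {
  packages: {
    "": { dependencies: { express: "^4.17.1", lodash: "^4.17.20" } },
    "node_modules/express": { version: "4.17.1", dependencies: { "body-parser": "1.19.0" } },
    "node_modules/body-parser": { version: "1.19.0", dependencies: { qs: "6.7.0" } },
    "node_modules/qs": { version: "6.7.0" },
    "node_modules/lodash": { version: "4.17.20" },
  },
};

// Constructed advisory feed in an OSV-like shape. The two CVE ids appear on this page;
// EXAMPLE-0001 is a made-up id used only to show a transitive (nested) finding.
const ADVISORIES = [
  { id: "CVE-2021-23337", pkg: "lodash", fixed: "4.17.21", severity: "CRITICAL" },
  { id: "CVE-2024-29041", pkg: "express", fixed: "4.19.2", severity: "HIGH" },
  { id: "EXAMPLE-0001", pkg: "qs", fixed: "6.7.3", severity: "MEDIUM" },
];

// Numeric major.minor.patch comparison; returns <0, 0 or >0 like a sort comparator.
function compareVersions(a, b) {
  const [x, y] = [a.split(".").map(Number), b.split(".").map(Number)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Depth-first walk of the hoisted tree, carrying the chain of name@version nodes that
// reaches each package so a vulnerable transitive dependency is reported with its path.
function findVulnerable(lock, advisories) {
  const pkgs = lock.packages;
  const findings = [];
  const visit = (name, chain) => {
    const entry = pkgs[`node_modules/${name}`];
    if (!entry) return; // unresolved name: a real lock file would be treated as corrupt
    const node = `${name}@${entry.version}`;
    if (chain.includes(node)) return; // guard against dependency cycles
    const path = [...chain, node];
    for (const adv of advisories) {
      // A package is affected when its installed version is below the first fixed version.
      if (adv.pkg === name && compareVersions(entry.version, adv.fixed) < 0) {
        findings.push({ id: adv.id, severity: adv.severity, package: node,
          fix: `upgrade ${name} to >= ${adv.fixed}`, chain: path.join(" > "),
          direct: path.length === 1 });
      }
    }
    for (const dep of Object.keys(entry.dependencies || {})) visit(dep, path);
  };
  for (const dep of Object.keys(pkgs[""].dependencies)) visit(dep, []);
  return findings;
}

for (const f of findVulnerable(LOCKFILE, ADVISORIES)) console.log(f.severity, f.id, f.chain, "-", f.fix);
```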
Start securing your code today - free to use and ready in seconds.