Security management in Packagr

TL;DR

Packagr now provides dependency security scanning for your packages

What's changing?

From version 1.4.0, Packagr attempts to identify known security issues in your package's dependencies. Any issues found are displayed in the Security scan tab of the package view, like so:

Security scans

How does it work?

The security scanner reads the package's dependencies from your Package Metadata and checks open source vulnerability resources to see whether any known security vulnerabilities exist for each dependency. Any vulnerabilities found are presented in the view above.
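To make the matching step concrete, here is an added example (not Packagr's own code) of a minimal dependency check: it pulls pinned dependencies out of a Python-style METADATA file and compares each version against an advisory feed of vulnerable version ranges. The METADATA excerpt, the advisory list and the `CVE-PLACEHOLDER-*` identifiers are all constructed sample data; the metadata format and the introduced/fixed range model are assumptions, not details the announcement specifies.

```python
import re

# Constructed sample METADATA excerpt for the package being scanned.
SAMPLE_METADATA = """\
Metadata-Version: 2.1
Name: example-app
Version: 0.3.0
Requires-Dist: requests (==2.19.0)
Requires-Dist: pyyaml (==3.12)
Requires-Dist: click (>=7.0)
"""

# Constructed advisory feed: (dependency, introduced, fixed, advisory id).
# A version v is affected when introduced <= v < fixed. Ids are placeholders.
SAMPLE_ADVISORIES = [
    ("requests", "2.0.0", "2.20.0", "CVE-PLACEHOLDER-1"),
    ("pyyaml", "0.0.0", "5.1", "CVE-PLACEHOLDER-2"),
]


def parse_version(version):
    """Turn a dotted numeric version into a comparable tuple of ints."""
    return tuple(int(part) for part in version.split("."))


def pinned_dependencies(metadata):
    """Return {name: exact_version} for every pinned Requires-Dist line.

    Unpinned requirements (ranges such as >=7.0) do not resolve to a single
    version and are skipped; a real scanner would resolve them first."""
    deps = {}
    pattern = r"^Requires-Dist: (\S+) \(==([\d.]+)\)$"
    for match in re.finditer(pattern, metadata, re.MULTILINE):
        deps[match.group(1).lower()] = match.group(2)
    return deps


def scan(metadata, advisories):
    """Return a list of (dependency, version, advisory_id) for every pinned
    dependency whose version falls inside an advisory's affected range."""
    findings = []
    deps = pinned_dependencies(metadata)
    for name, introduced, fixed, advisory_id in advisories:
        version = deps.get(name)
        if version is None:
            continue  # dependency not used, or not pinned
        if parse_version(introduced) <= parse_version(version) < parse_version(fixed):
            findings.append((name, version, advisory_id))
    return findings


if __name__ == "__main__":
    for name, version, advisory_id in scan(SAMPLE_METADATA, SAMPLE_ADVISORIES):
        print("%s %s: %s" % (name, version, advisory_id))
```

The unpinned `click` requirement is deliberately left unreported, which is the same gap a scanner faces whenever metadata does not fix a single version.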

How can I find out more about a vulnerability?

Packagr's security vulnerability data comes from CVE Details. Clicking the info icon next to a security vulnerability opens the full details of that vulnerability on the CVE Details website.

Why can't I see any security vulnerabilities for my packages?

You won't see any security vulnerabilities for a package in the following cases:

  • Your package has no known security vulnerabilities in its dependencies
  • You are using the free tier - only paid accounts can use the security scanner functionality
  • Your package was uploaded before the Package Metadata feature was added