🔒 Runs 100% in your browser: your files never leave your device

Paste your manifest. Get back the fixed files. No login. No GitHub. No CLI. npm · PyPI · Ruby · PHP · Go · Rust · Java

Supported manifests: package.json, requirements.txt, Gemfile, composer.json, go.mod, Cargo.toml, Cargo.lock, pom.xml.
Optional lockfiles (drop one alongside the manifest for full transitive analysis): package-lock.json, poetry.lock, Gemfile.lock, composer.lock.

Each scan runs these stages:
1. Parsing manifest
2. Fetching current versions from registry
3. Checking OSV vulnerability database
4. Checking CISA KEV catalog
5. Computing fix versions

How it works

1. Paste: drop your manifest (npm, PyPI, Ruby, PHP, Go, Rust or Java).
2. Scan: live CVE lookup against the OSV database and the CISA KEV catalog.
3. Download: the fixed manifest plus a changelog, as a .zip, in one click.

Frequently asked questions

Does my manifest file leave my browser?
No. The file itself is parsed entirely in your browser and is never uploaded. What does leave your device is the list of package names and version ranges extracted from it, which is sent to public APIs (OSV, npm registry, PyPI, RubyGems, Packagist) in the same way a package manager or audit tool queries them. Keep in mind that this list is your dependency inventory, so those services can see which packages and versions you use; your code and the rest of the file's contents never leave your device.
How current is the vulnerability data?
PackageFix queries the OSV database live on every scan. OSV aggregates the GitHub Advisory Database, RustSec, the PyPA advisory database, the Go vulnerability database, RubyGems security advisories and FriendsOfPHP, and is updated continuously; new advisories typically appear within 24 hours of publication. Every scan also checks the CISA KEV catalog to flag vulnerabilities that are being actively exploited (see the note on console network errors below for how that feed is obtained).
What is the CISA KEV catalog?
The Known Exploited Vulnerabilities catalog is maintained by the US Cybersecurity and Infrastructure Security Agency (CISA). It lists CVEs for which CISA has evidence of active exploitation in the wild, not merely a high severity score. KEV entries are keyed by CVE ID, so a package is flagged when an advisory affecting it carries a CVE ID that appears in the catalog. A package flagged with a red KEV dot should be treated as an emergency fix, not a routine update.
How is this different from Snyk or Dependabot?
Snyk and Dependabot need a GitHub connection, a CLI install, or an account. PackageFix runs entirely in your browser: nothing installed, nothing connected to your repositories, and nothing written to your system beyond the fixed files you choose to download. Paste your file and get the fixed version back in seconds. That makes it usable even where third-party integrations are blocked by security policy.
Which package ecosystems are supported?
PackageFix supports 7 ecosystems: npm (Node.js), PyPI (Python), RubyGems (Ruby), Packagist (PHP), Go modules (go.mod), Rust/Cargo (Cargo.toml), and Maven/Java (pom.xml). Drop your manifest file or try a built-in example for any ecosystem.
Why do I see network errors in the browser console?
The CISA KEV feed is not served with the CORS headers a browser needs to read it from another origin, so the direct request fails and the browser logs an error. PackageFix then falls back to a built-in list of actively exploited CVEs, so every scan completes and KEV flags still appear. OSV results are unaffected. Note, however, that the built-in list is a snapshot bundled with the app, so in fallback mode a CVE added to KEV after that snapshot was taken will not be flagged until the list is refreshed.
Does PackageFix work in restricted corporate environments?
Yes. PackageFix runs entirely in your browser with no installation, no GitHub connection and no account. Its only outbound traffic is to public APIs (OSV, npm registry, PyPI and the other package registries), the same kind of request a package manager makes, so it can be used in organizations where Dependabot, Snyk or similar tools are blocked by policy. Your browser does still need outbound HTTPS access to packagefix.dev and to those services; if egress is filtered, allow them, or the scan cannot fetch version and advisory data.
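As an added illustration in JavaScript of what the answers above describe (the only data that leaves the browser, the OSV query, the KEV match, and the "computing fix versions" stage). This is not PackageFix's own code. The package.json, the OSV-style advisory record and the KEV set are constructed sample data with placeholder identifiers (OSV-EXAMPLE-0001, CVE-0000-00001); api.osv.dev/v1/querybatch is the real OSV endpoint, but the request body is only built here, not sent, so the block runs offline.

```javascript
// Added illustration, not PackageFix's code. Everything below runs offline on
// constructed sample data; the advisory ID and CVE ID are placeholders.

// Constructed package.json. Only the dependency maps are read by the parser.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "demo-app",
  private: true,
  dependencies: { "example-pkg": "^1.2.0", "other-lib": "3.0.1" },
  devDependencies: { "test-tool": "~29.5.0" },
});

// Lower bound of a range such as ^1.2.0, ~29.5.0 or ">=2.0.0 <3.0.0": the
// first dotted number in the string. With a lockfile the exact pinned version
// would be used instead; ranges like "*" or "latest" are skipped.
function pinnedVersion(range) {
  const m = String(range).match(/\d+(?:\.\d+){0,2}/);
  return m ? m[0] : null;
}

// Parse package.json into {name, version} pairs. Nothing else (scripts,
// paths, project name) is extracted, so nothing else can leave the browser.
function parsePackageJson(text) {
  const pkg = JSON.parse(text);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.entries(deps)
    .map(([name, range]) => ({ name, version: pinnedVersion(range) }))
    .filter((d) => d.version !== null);
}

// JSON body for POST https://api.osv.dev/v1/querybatch. This object is the
// whole outbound payload: ecosystem, package names and versions.
function buildOsvBatchQuery(deps, ecosystem = "npm") {
  return {
    queries: deps.map((d) => ({
      package: { name: d.name, ecosystem },
      version: d.version,
    })),
  };
}

// Compare dotted numeric versions (1.10.0 > 1.9.2). Prerelease tags are
// ignored, which is enough for the fixed/introduced events used below.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Constructed record in the shape of an OSV vulnerability (as returned by
// /v1/query or /v1/vulns/{id}); the IDs are placeholders, not real advisories.
const SAMPLE_VULN = {
  id: "OSV-EXAMPLE-0001",
  aliases: ["CVE-0000-00001"],
  affected: [{
    package: { name: "example-pkg", ecosystem: "npm" },
    ranges: [{ type: "SEMVER", events: [{ introduced: "0" }, { fixed: "1.3.2" }] }],
  }],
};

// Lowest "fixed" event above the current version across the package's SEMVER
// ranges, or null when the advisory has no fix yet.
function lowestFix(vuln, pkgName, current) {
  let best = null;
  for (const aff of vuln.affected || []) {
    if (!aff.package || aff.package.name !== pkgName) continue;
    for (const range of aff.ranges || []) {
      if (range.type !== "SEMVER") continue;
      for (const ev of range.events || []) {
        if (!ev.fixed || compareVersions(ev.fixed, current) <= 0) continue;
        if (best === null || compareVersions(ev.fixed, best) < 0) best = ev.fixed;
      }
    }
  }
  return best;
}

// Constructed stand-in for the CISA KEV feed: a set of CVE IDs. KEV is keyed
// by CVE, so the advisory's CVE aliases are what get matched.
const SAMPLE_KEV = new Set(["CVE-0000-00001"]);

function isKnownExploited(vuln, kevSet) {
  return [vuln.id, ...(vuln.aliases || [])].some((id) => kevSet.has(id));
}

// Rewrite one dependency to its fix version, keeping the ^ or ~ operator so
// the returned manifest stays idiomatic.
function applyFix(text, name, fixed) {
  const pkg = JSON.parse(text);
  for (const key of ["dependencies", "devDependencies"]) {
    if (pkg[key] && name in pkg[key]) {
      const op = (String(pkg[key][name]).match(/^[\^~]/) || [""])[0];
      pkg[key][name] = op + fixed;
    }
  }
  return JSON.stringify(pkg, null, 2) + "\n";
}
```

Because the payload is built from the parsed dependency list rather than from the file, logging buildOsvBatchQuery(parsePackageJson(text)) shows exactly what a scan of that manifest would transmit. The version comparison is numeric only; a real scanner needs a full semver implementation to order prerelease tags correctly.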
Are Maven ${variable} versions supported?
Yes. PackageFix resolves property variables like ${spring.version} from the <properties> block in your pom.xml before scanning. If a variable is defined in a parent POM rather than locally, a browser-only tool that sees just the file you dropped cannot resolve it; add the property directly to your pom.xml for an accurate scan.
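An added JavaScript illustration of the property resolution described above, not PackageFix's own code. It reads the <properties> block and ${project.version}, follows nested references, and flags versions that still contain ${...} (the parent-POM case) so they are reported rather than scanned with a wrong value. The parser is regex-based so it needs no XML library; it does not model full Maven inheritance or dependencyManagement. SAMPLE_POM is constructed and its coordinates are fictitious.

```javascript
// Added illustration, not PackageFix's code: resolving ${property} versions
// in a pom.xml and flagging the ones only a parent POM could supply.
// SAMPLE_POM is constructed sample input with fictitious coordinates.
const SAMPLE_POM = `<project>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>2.0.0</version>
  <properties>
    <spring.version>5.3.20</spring.version>
    <json.base>2.13</json.base>
    <json.version>\${json.base}.1</json.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>web-core</artifactId>
      <version>\${spring.version}</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>json-mapper</artifactId>
      <version>\${json.version}</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>from-parent</artifactId>
      <version>\${parent.only.version}</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>sibling-module</artifactId>
      <version>\${project.version}</version>
    </dependency>
  </dependencies>
</project>`;

// Collect <name>value</name> pairs from <properties>, plus the project's own
// <version>, taken from the header with any <parent> block removed first so a
// parent's version is not mistaken for this project's.
function parseProperties(pom) {
  const props = {};
  const block = pom.match(/<properties>([\s\S]*?)<\/properties>/);
  if (block) {
    for (const m of block[1].matchAll(/<([\w.\-]+)>([^<]*)<\/\1>/g)) {
      props[m[1]] = m[2].trim();
    }
  }
  const header = pom.replace(/<parent>[\s\S]*?<\/parent>/, "").split("<dependencies>")[0];
  const pv = header.match(/<version>([^<]*)<\/version>/);
  if (pv) props["project.version"] = pv[1].trim();
  return props;
}

// Expand ${key} references, following nested references with a depth guard so
// a self-referential property cannot loop forever. Unknown keys are left as-is.
function resolve(value, props, depth = 0) {
  if (depth > 8) return value;
  return value.replace(/\$\{([^}]+)\}/g, (whole, key) =>
    key in props ? resolve(props[key], props, depth + 1) : whole);
}

// Every <dependency> with its resolved version. `unresolved` marks a version
// that still contains ${...}: report it to the user instead of scanning it,
// because the real value lives in a parent POM this tool cannot see.
function parseDependencies(pom) {
  const props = parseProperties(pom);
  const out = [];
  for (const m of pom.matchAll(/<dependency>([\s\S]*?)<\/dependency>/g)) {
    const field = (tag) => {
      const f = m[1].match(new RegExp(`<${tag}>([^<]*)</${tag}>`));
      return f ? f[1].trim() : null;
    };
    const raw = field("version");
    if (raw === null) continue; // version managed elsewhere (BOM / dependencyManagement)
    const version = resolve(raw, props);
    out.push({
      group: field("groupId"),
      artifact: field("artifactId"),
      version,
      unresolved: /\$\{/.test(version),
    });
  }
  return out;
}
```

Entries with unresolved set to true are exactly the ones the answer above tells you to fix by copying the property into your own pom.xml; a scanner that silently dropped them or queried the literal string would report a clean result for a dependency it never checked.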
Can I use PackageFix from the terminal?
Yes. Base64-encode the manifest and open it in the browser through the file query parameter. The commands below remove the line breaks that GNU base64 inserts every 76 characters (macOS base64 does not wrap) and percent-encode any + characters, which a query-string parser would otherwise read as spaces:
npm / Node.js:
B64=$(base64 < package.json | tr -d '\n' | sed 's/+/%2B/g') && open "https://packagefix.dev/?file=$B64"
Python:
B64=$(base64 < requirements.txt | tr -d '\n' | sed 's/+/%2B/g') && open "https://packagefix.dev/?file=$B64"
Ruby:
B64=$(base64 < Gemfile | tr -d '\n' | sed 's/+/%2B/g') && open "https://packagefix.dev/?file=$B64"
On Linux, replace 'open' with 'xdg-open'. The page decodes the parameter in your browser, but a query string is part of the HTTP request: the encoded manifest is sent to the server that hosts packagefix.dev and can be recorded in its logs and in your browser history. If that matters to you, drop the file onto the page instead. Very large files may also exceed the URL length a browser or server accepts, so this route suits manifests rather than lockfiles.