npm vs PyPI Dependency Security
Both npm and PyPI have extensive CVE coverage via OSV. The key difference is where the full, transitive dependency set is recorded: npm writes every installed package into package-lock.json, while on the Python side that information lives in poetry.lock or in a requirements.txt pinned from `pip freeze` output; a hand-written requirements.txt usually lists only direct dependencies, so scanning it alone misses transitive ones. PackageFix reads both ecosystems' files and handles them the same way.
| Feature | npm | PyPI |
|---|---|---|
| Manifest file | package.json | requirements.txt / pyproject.toml |
| Lockfile | package-lock.json | poetry.lock / requirements.txt pinned via `pip freeze` |
| CVE database | OSV + GitHub Advisory | OSV + PyPI Advisory |
| CISA KEV packages | express, lodash, qs, vm2 | PyYAML, urllib3 |
| Transitive scanning | Via package-lock.json (lists every installed package) | Via poetry.lock or `pip freeze` output (an unpinned requirements.txt lists direct dependencies only) |
| PackageFix support | ✅ Full | ✅ Full |
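The script below is an added example, not PackageFix's own code, showing the concrete difference the table points at: a `lockfileVersion` 2/3 package-lock.json records every installed package, transitive ones included, under its `packages` map; a poetry.lock records them as `[[package]]` tables; a requirements.txt only yields a version worth querying for lines pinned with `==`. The three sample files are constructed, the parsers are minimal (no tomllib dependency), and the results are turned into the request body for OSV's batch query endpoint (https://api.osv.dev/v1/querybatch) without actually sending it. Package names for PyPI are normalized per PEP 503 before querying, which is an assumption about what the caller wants, not something the page states.

```python
import json
import re

# Constructed sample inputs for this example (not from any real project).
PACKAGE_LOCK = """{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "dependencies": {"express": "^4.17.1"}},
    "node_modules/express": {"version": "4.17.1", "dependencies": {"qs": "6.7.0"}},
    "node_modules/qs": {"version": "6.7.0"},
    "node_modules/express/node_modules/lodash": {"version": "4.17.15", "dev": true}
  }
}"""

POETRY_LOCK = """[[package]]
name = "urllib3"
version = "1.26.5"
description = "HTTP library"

[[package]]
name = "pyyaml"
version = "5.3.1"
"""

REQUIREMENTS = """# pinned by pip freeze
PyYAML==5.3.1
urllib3==1.26.5
# not pinned: there is no single version to look up
requests>=2.0
"""


def npm_lockfile_packages(text):
    """Return sorted (name, version) pairs for every installed package in a
    lockfileVersion 2/3 package-lock.json, transitive and nested ones included.
    Keys look like node_modules/a/node_modules/b; the package name is whatever
    follows the last "node_modules/", so scoped names keep their @scope/."""
    lock = json.loads(text)
    found = set()
    for path, entry in lock.get("packages", {}).items():
        if path == "" or "version" not in entry:  # "" is the root project
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        found.add((name, entry["version"]))
    return sorted(found)


_TOML_KV = re.compile(r'^(name|version)\s*=\s*"([^"]*)"\s*$')


def poetry_lock_packages(text):
    """Return sorted (name, version) pairs from every [[package]] table in a
    poetry.lock. Only the name/version keys are read, line by line, so no
    TOML library is needed; the first occurrence after [[package]] wins."""
    found, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if line == "[[package]]":
            if "name" in current and "version" in current:
                found.append((current["name"], current["version"]))
            current = {}
            continue
        m = _TOML_KV.match(line)
        if m and m.group(1) not in current:
            current[m.group(1)] = m.group(2)
    if "name" in current and "version" in current:
        found.append((current["name"], current["version"]))
    return sorted(found)


_PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")


def requirements_packages(text):
    """Return (pinned, unpinned). Exact '==' pins become (name, version);
    any other specifier is reported back because it cannot be matched
    against a version range in an advisory."""
    pinned, unpinned = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("-"):  # skip blanks and pip options
            continue
        m = _PIN.match(line)
        if m:
            pinned.append((m.group(1), m.group(2)))
        else:
            unpinned.append(line)
    return sorted(pinned), unpinned


def pep503_normalize(name):
    """PEP 503 name normalization: PyYAML -> pyyaml, Foo_Bar.baz -> foo-bar-baz."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osv_batch_query(ecosystem, packages):
    """Build the JSON body for POST https://api.osv.dev/v1/querybatch.
    Ecosystem strings are OSV's own: "npm" and "PyPI". PyPI names are
    normalized first (an assumption of this example, not an OSV requirement
    stated on the page)."""
    norm = pep503_normalize if ecosystem == "PyPI" else (lambda n: n)
    return {"queries": [
        {"package": {"name": norm(n), "ecosystem": ecosystem}, "version": v}
        for n, v in packages]}


if __name__ == "__main__":
    print(json.dumps(osv_batch_query("npm", npm_lockfile_packages(PACKAGE_LOCK)), indent=1))
    print(json.dumps(osv_batch_query("PyPI", poetry_lock_packages(POETRY_LOCK)), indent=1))
    pinned, unpinned = requirements_packages(REQUIREMENTS)
    print(json.dumps(osv_batch_query("PyPI", pinned), indent=1))
    print("unpinned, not queryable:", unpinned)
```

Run it as-is to see the three query bodies; the `unpinned` list is the practical reason the table prefers poetry.lock or `pip freeze` output over a plain requirements.txt. To actually query OSV, POST each body to the querybatch URL above; the response carries one `vulns` array per query, in the same order.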
Paste your manifest and get back a fixed version with all known CVEs patched in seconds.
Open PackageFix → No signup · No CLI · No GitHub connection · Runs 100% in your browser
Frequently Asked Questions
Does PackageFix replace these tools?
PackageFix is a browser-based scanner for quick one-off scans, not a replacement for scanning in your pipeline. For automated CI/CD scanning, use the CLI tools in your pipeline; PackageFix generates the Renovate config and GitHub Actions workflow you need to set that up.
Is PackageFix free?
Yes — completely free, MIT licensed, open source.
Which ecosystems does PackageFix support?
npm, PyPI, Ruby, PHP, Go, Rust, and Java/Maven — 7 ecosystems in one tool.
Does PackageFix require GitHub?
No. Paste any manifest file directly — no GitHub connection, no account, no CLI.