PackageFix vs OSV Scanner
Google's OSV Scanner is the closest technical equivalent to PackageFix's data source — both query api.osv.dev. The key difference is the interface: OSV Scanner is a CLI tool you install and run, PackageFix is a browser tool you paste into.
| Feature | PackageFix | OSV Scanner |
|---|---|---|
| Interface | Browser — no install | CLI — requires install |
| Fix output | ✅ Downloads fixed manifest | ❌ Report only |
| CISA KEV flags | ✅ Yes | ❌ No |
| Supply chain detection | ✅ Yes | ❌ CVEs only |
| Data source | OSV API + CISA KEV | OSV API |
| 7 ecosystems | ✅ Yes | ✅ Yes |
| CI integration | ❌ Manual only | ✅ GitHub Action available |
| Free | ✅ Yes | ✅ Yes |
Paste your manifest — get a fixed version with all CVEs patched in seconds.
Open PackageFix →Free · No signup · No CLI · Runs in your browser
Common questions
Does PackageFix replace these tools?
PackageFix is a browser tool for quick one-off scans. Enterprise SCA platforms like Mend and Sonatype add value at scale — automated scanning, policy enforcement, audit trails. Use PackageFix for immediate checks and enterprise tools for continuous coverage.
Is PackageFix free?
Yes — completely free, MIT licensed, open source.
Which ecosystems does PackageFix support?
npm, PyPI, Ruby, PHP, Go, Rust, and Java/Maven — 7 ecosystems.