
How to Check If Your Dependencies Are Vulnerable (30 Lines of Python)
Last week a critical vulnerability was found in a popular npm package. It had been there for 3 months. Nobody noticed. Here's how to build a vulnerability scanner in 30 lines of Python — so you catch these before production.

The Scanner

```python
import requests
import sys


def scan_requirements(filepath):
    """Scan Python requirements.txt for known vulnerabilities"""
    vulns_found = 0
    with open(filepath) as f:
        for line in f:
            line = line.strip()
            if not line or line.startswith('#') or '==' not in line:
                continue
            package, version = line.split('==', 1)
            resp = requests.post('https://api.osv.dev/v1/query', json={
                'package': {'name': package.strip(), 'ecosystem': 'PyPI'},
                'version': version.strip()
            })
            vulns = resp.json().get('vulns', [])
            if vulns:
                vulns_found += len(vulns)
                print(f"⚠️ {package}=={version}: {len(vulns)} vulnerabilities")
                for v in vulns[:3]:
                    severity = v.get('database_specific', {}).get('
```
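The scanner above stops parsing at the first `==` and treats every other line as something to skip, so a requirements file with extras (`Django[argon2]==4.2.1`), environment markers, trailing comments or unpinned ranges (`flask>=2.0`) is either mis-queried or silently ignored, and a network error during a lookup produces a clean-looking report. The block below is an added example, not the tutorial's code: it keeps the same OSV `/v1/query` endpoint (via the standard library instead of `requests`), parses pins properly, normalises package names per PEP 503, reads the severity label from `database_specific.severity` where present (GitHub-sourced OSV records carry it) and falls back to the CVSS vector in the record's top-level `severity` list, records failed lookups as findings instead of dropping them, and returns a non-zero exit code for CI. The `post` parameter, the sample requirements text and the `EXAMPLE-…` vulnerability ids are constructed for illustration and are not real advisories.

```python
"""CI-style OSV scanner for requirements.txt (added example, not the tutorial's code).
Network calls go through an injectable `post` callable so the logic can run offline."""
import json
import re
import sys
import urllib.request

OSV_QUERY_URL = "https://api.osv.dev/v1/query"   # real OSV endpoint, same as the tutorial

# Exactly-pinned requirement: name, optional extras, '==', version, optional
# environment marker after ';'. Ranges such as 'flask>=2.0' deliberately do not match.
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*==\s*([^\s;]+)")


def normalize_name(name):
    """PEP 503 normalisation so 'PyYAML' and 'pyyaml' query the same package."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Split a requirements file into scannable (name, version) pins and the
    lines that cannot be scanned precisely because they are not pinned."""
    pinned, unpinned = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop whole-line and trailing comments
        if not line or line.startswith("-"):     # skip pip options such as '-r other.txt'
            continue
        match = PIN_RE.match(line)
        if match:
            pinned.append((normalize_name(match.group(1)), match.group(3)))
        else:
            unpinned.append(line)
    return pinned, unpinned


def _http_post_json(url, body, timeout=10):
    """Default transport: POST JSON using only the standard library."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def summarize(vulns):
    """Reduce OSV records to (id, severity). Prefer the database_specific label,
    fall back to a CVSS vector from the top-level 'severity' list, else UNKNOWN."""
    out = []
    for v in vulns:
        sev = v.get("database_specific", {}).get("severity")
        if not sev:
            cvss = [s["score"] for s in v.get("severity", []) if "score" in s]
            sev = cvss[0] if cvss else "UNKNOWN"
        out.append((v.get("id", "?"), sev))
    return out


def scan(text, post=_http_post_json):
    """Query OSV once per pin. A failed lookup is recorded as a finding rather
    than dropped, so a network error cannot turn into a clean report."""
    pinned, unpinned = parse_requirements(text)
    report = {}
    for name, version in pinned:
        key = f"{name}=={version}"
        try:
            resp = post(OSV_QUERY_URL, {"package": {"name": name, "ecosystem": "PyPI"},
                                        "version": version})
            report[key] = summarize(resp.get("vulns", []))
        except (OSError, ValueError) as exc:   # URLError is an OSError; bad JSON is a ValueError
            report[key] = [("LOOKUP-FAILED", str(exc))]
    return report, unpinned


def exit_code(report, fail_on=("CRITICAL", "HIGH")):
    """Non-zero when any finding meets the threshold or any lookup failed."""
    for findings in report.values():
        for vuln_id, sev in findings:
            if vuln_id == "LOOKUP-FAILED" or str(sev).upper() in fail_on:
                return 1
    return 0


# Constructed sample input; not a real project's requirements file.
SAMPLE_REQUIREMENTS = """\
# web stack
requests==2.25.0
Django[argon2]==4.2.1 ; python_version >= "3.8"
flask>=2.0          # not pinned: reported as skipped
-r other.txt
PyYAML == 5.4   # spaces around == are allowed
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "requirements.txt"
    with open(path, encoding="utf-8") as f:
        report, unpinned = scan(f.read())
    for req, findings in report.items():
        if findings:
            print(f"{req}: {len(findings)} finding(s)")
            for vuln_id, sev in findings[:3]:
                print(f"    {vuln_id} [{sev}]")
    for line in unpinned:
        print(f"skipped (not pinned to one version): {line}")
    sys.exit(exit_code(report))
```

Run it as `python scan.py requirements.txt` in CI and let the exit code gate the build; unpinned lines are printed as skipped rather than scanned against a guessed version, because OSV can only answer for a concrete version and a guess would give false confidence either way.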
Continue reading on Dev.to Tutorial