vulnerabilities
Inactive
Tool of Osv Dev
Find vulnerabilities affecting a package — optionally narrowed to a specific version, or alternatively by git commit hash. Pass package_name + ecosystem (npm / PyPI / Maven / NuGet / RubyGems / crates.io / Packagist / Hex / Pub / Go / Debian / Alpine / Ubuntu / Linux). Returns shaped vuln list with severity_level, affected_summary (introduced→fixed ranges), aliases, references, advisory_url. Use for "is lodash 4.17.4 safe", "what hits requests<2.20", "every CVE for log4j".
Parameters schema
{
  "type": "object",
  "examples": [
    {
      "version": "4.17.20",
      "ecosystem": "npm",
      "package_name": "lodash"
    },
    {
      "commit": "6879efc2c1596d11a6e2048270e8dfc2c871a7fb"
    }
  ],
  "properties": {
    "commit": {
      "type": "string",
      "description": "Mutually exclusive with package_name — for source-only / pre-publication code (typical for Go modules, custom forks, vendored deps)."
    },
    "version": {
      "type": "string",
      "description": "Optional specific version to narrow to ones affecting that exact version. Omit to return ALL vulns ever reported."
    },
    "ecosystem": {
      "type": "string",
      "description": "npm | PyPI | crates.io | Go | Maven | NuGet | RubyGems | Hex | Pub | Packagist | GitHub Actions | Debian:12 | Ubuntu | Alpine | Linux"
    },
    "package_name": {
      "type": "string",
      "description": "Package name. For Maven use \"groupId:artifactId\"."
    }
  }
}
No endpoints wrapped at confidence ≥ 0.70.
Parent server
Osv Dev
https://github.com/pipeworx-io/mcp-osv-dev
1/7 registries