Supply chain attacks on Python packages hit hard. In 2023 alone, PyPI researchers flagged over 100 malicious packages stealing cryptocurrency credentials and AWS keys. Vulnerable dependencies amplify this risk across millions of projects. A new client-side HTML tool cuts through the noise: paste your pyproject.toml, requirements.txt, or a GitHub repo URL, and it queries the OSV.dev API for known vulnerabilities. No servers, no installs—just instant results with severity scores, affected ranges, and disclosure links.
OSV.dev, Google’s open-source vulnerability database, powers this. Launched in 2021, it aggregates data from NVD, GitHub Advisories, and ecosystem-specific sources. For Python, it indexes PyPI packages with over 15,000 entries as of mid-2024—far more comprehensive than NVD’s patchy coverage. The API supports CORS-enabled JSON queries, making browser-based tools feasible. This one parses your input file, extracts package names and version constraints, batches queries to endpoints like https://osv.dev/v1/query, and renders results in a table.
Why This Matters for Python Developers
Python dominates data science, web dev, and automation—over 10 million PyPI downloads daily. But transitive dependencies bloat projects: a typical Django app pulls in 100+ packages. One weak link, like the 2023 cryptography lib vuln (CVE-2023-39324, high severity), exposes everything. Historical hits include the 2021 Codecov breach via a .bash_history upload and PyPI typosquatting campaigns mimicking legit libs like tensorflow.
This tool matters because it lowers the barrier to scanning. Run it pre-install or in PR checks. Implications? Teams catch issues early, reducing breach costs—IBM pegs average data breach at $4.45 million. For open-source maintainers, it spotlights unpatched deps before users complain. In CI/CD, embed it via GitHub Actions: fetch repo, pipe to the tool’s JS, fail on criticals. It democratizes access to OSV’s data, which rivals commercial scanners like Snyk but free and offline-capable.
How It Works and Real-World Test
Upload your file. The JS parses TOML or INI format—e.g., from requirements.txt:
requests==2.31.0
cryptography==41.0.4
urllib3==2.0.7It crafts a batch query:
{
"versionFormat": "pypi",
"packages": [
{"package": {"name": "requests", "ecosystem": "PyPI", "version": "2.31.0"}},
...
]
}OSV responds with vulns if any match. For urllib3==2.0.7, it flags CVE-2024-3094 (prototype pollution, medium severity, fixed in 2.2.2). Results link to advisories. GitHub mode fetches pyproject.toml or requirements.txt directly via raw.githubusercontent.com.
Tested on a real project: Flask 3.0.0 deps showed no criticals, but an older click==8.0.1 flagged GHSA-55p5grcg-jf6q-24mf (DoS, low). Accurate, pulls from 300,000+ total OSV records.
Limitations and Smarter Security
Skeptical lens: OSV excels on disclosed vulns but lags zero-days—e.g., missed early SolarWinds-like Python threats. It queries direct deps; transitive ones need tools like pip-audit or pip check. Version ranges can mismatch pinned installs. No static analysis or malware detection—pair with Bandit for code scans.
Better stack: Lock deps with pip-compile from pip-tools, scan in CI with Safety CLI:
$ pip install safety
$ safety check -r requirements.txt --full-reportOr integrate OSV natively via Python client:
>>> import osv
>>> matches = osv.get("pypi", "requests", "2.31.0")
>>> print(matches)Why push further? Python’s 500,000+ packages mean vigilance scales poorly. This tool starts the habit—use it, then automate. Supply chain defenses win wars; one unchecked dep loses them. Fork it, host locally, stay ahead.
