
feat: show vulnerability warnings for direct dependencies#167

Merged
danielroe merged 16 commits into npmx-dev:main from Flo0806:feat/deps-vulnerability
Jan 28, 2026

Conversation

Contributor

@Flo0806 Flo0806 commented Jan 27, 2026

Resolves: #47


Summary

Features:

  • New server API endpoint /api/osv/vulnerabilities that batch-queries the OSV API for npm packages
  • Vulnerability banner in PackageDependencies.vue showing total count and severity breakdown
  • Inline security icons next to affected dependencies with tooltip details
  • Collapsible vulnerability details in PackageVulnerabilities.vue with expandable list

Refactoring:

  • Created shared/utils/severity.ts with global severity color constants and helpers
  • Removed duplicate severity definitions across components
  • PackageVulnerabilities.vue now uses the shared OSV endpoint instead of direct API calls

Tests:

  • tests for severity utils
  • tests for tooltip and severity class helpers

Live testing

Search for package-json, then in the detail view choose version 5.0.0; you will see that the GET package has vulnerabilities. Clicking on the shield icon jumps to the detail page of GET and shows the details.
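The PR description above outlines a server endpoint that batch-queries OSV for npm packages and then renders a total count and severity breakdown. The following is an added example, not code from this PR or from the npmx.dev project, of what that pipeline looks like end to end: it builds a request body for the public OSV batch endpoint (POST https://api.osv.dev/v1/querybatch), resolves the returned ids through https://api.osv.dev/v1/vulns/{id}, and folds the results into per-dependency reports plus a severity histogram. Two practitioner points it makes explicit: OSV matches an exact version, so semver ranges must be resolved before querying, and the batch endpoint only returns ids, so severity needs a second lookup. The dependency map, the OSV responses and the GHSA-style identifiers are constructed sample data; the function names, the `FetchLike` type and the `BATCH_SIZE` constant are this example's own assumptions.

```typescript
// Added example (not the npmx.dev project's code). Request/response shapes follow
// the public OSV API; everything else (names, sample data, batch size) is assumed.

type Severity = 'critical' | 'high' | 'medium' | 'low' | 'unknown'

interface OsvQuery {
  package: { name: string; ecosystem: 'npm' }
  version: string
}

// querybatch returns only id + modified per vuln; details need /v1/vulns/{id}
interface OsvBatchResponse {
  results: { vulns?: { id: string; modified: string }[] }[]
}

// Subset of an OSV vulnerability record that carries a severity label
// (GHSA records put it in database_specific; some in affected[].ecosystem_specific).
interface OsvVuln {
  id: string
  summary?: string
  database_specific?: { severity?: string }
  affected?: { ecosystem_specific?: { severity?: string } }[]
}

// Minimal fetch shape so the live path can be exercised with any fetch implementation.
type FetchLike = (
  url: string,
  init?: { method?: string; headers?: Record<string, string>; body?: string },
) => Promise<{ ok: boolean; status: number; json(): Promise<unknown> }>

const OSV_BATCH_URL = 'https://api.osv.dev/v1/querybatch'
const OSV_VULN_URL = 'https://api.osv.dev/v1/vulns/'
// Assumed chunk size: OSV caps queries per batch request, check the current docs.
const BATCH_SIZE = 1000

const EXACT_VERSION = /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/

// Build querybatch bodies from a name -> version map. Only exact versions are
// accepted: OSV matches a concrete version, not a semver range, so "^1.2.3"
// must first be resolved from the lockfile or the registry.
function buildQueryBatches(deps: Record<string, string>): { queries: OsvQuery[] }[] {
  const queries: OsvQuery[] = []
  for (const [name, version] of Object.entries(deps)) {
    if (!EXACT_VERSION.test(version)) throw new Error(`unresolved version for ${name}: ${version}`)
    queries.push({ package: { name, ecosystem: 'npm' }, version })
  }
  const batches: { queries: OsvQuery[] }[] = []
  for (let i = 0; i < queries.length; i += BATCH_SIZE)
    batches.push({ queries: queries.slice(i, i + BATCH_SIZE) })
  return batches
}

// Map OSV/GHSA severity labels onto the buckets a banner would display.
function normalizeSeverity(v: OsvVuln): Severity {
  const raw = (v.database_specific?.severity ?? v.affected?.[0]?.ecosystem_specific?.severity ?? '').toUpperCase()
  if (raw === 'CRITICAL') return 'critical'
  if (raw === 'HIGH') return 'high'
  if (raw === 'MODERATE' || raw === 'MEDIUM') return 'medium'
  if (raw === 'LOW') return 'low'
  return 'unknown'
}

interface DepReport { name: string; version: string; vulns: { id: string; severity: Severity }[] }

// Join batch results back onto the queries (results are positional) and
// resolve each id through the detail records; missing details count as "unknown".
function summarize(batch: { queries: OsvQuery[] }, response: OsvBatchResponse, details: Record<string, OsvVuln>) {
  if (response.results.length !== batch.queries.length) throw new Error('result count does not match query count')
  const bySeverity: Record<Severity, number> = { critical: 0, high: 0, medium: 0, low: 0, unknown: 0 }
  const affected: DepReport[] = []
  batch.queries.forEach((q, i) => {
    const vulns = response.results[i].vulns ?? []
    if (vulns.length === 0) return
    const report: DepReport = { name: q.package.name, version: q.version, vulns: [] }
    for (const { id } of vulns) {
      const severity: Severity = details[id] ? normalizeSeverity(details[id]) : 'unknown'
      bySeverity[severity]++
      report.vulns.push({ id, severity })
    }
    affected.push(report)
  })
  const total = Object.values(bySeverity).reduce((a, b) => a + b, 0)
  return { total, bySeverity, affected }
}

// Live path (not exercised by the sample below): POST the batch, then fetch each id.
async function queryOsv(batch: { queries: OsvQuery[] }, fetchImpl: FetchLike) {
  const res = await fetchImpl(OSV_BATCH_URL, { method: 'POST', headers: { 'content-type': 'application/json' }, body: JSON.stringify(batch) })
  if (!res.ok) throw new Error(`OSV querybatch failed: ${res.status}`)
  const response = (await res.json()) as OsvBatchResponse
  const ids = new Set(response.results.flatMap(r => (r.vulns ?? []).map(v => v.id)))
  const details: Record<string, OsvVuln> = {}
  for (const id of ids) {
    const d = await fetchImpl(OSV_VULN_URL + id)
    if (d.ok) details[id] = (await d.json()) as OsvVuln
  }
  return summarize(batch, response, details)
}

// --- constructed sample data (not real OSV output, ids are placeholders) ---
const SAMPLE_DEPS = { 'left-pad-example': '1.0.0', 'example-http-client': '9.0.0' }
const SAMPLE_RESPONSE: OsvBatchResponse = {
  results: [
    {},
    { vulns: [{ id: 'GHSA-xxxx-example-1', modified: '2026-01-01T00:00:00Z' }, { id: 'GHSA-xxxx-example-2', modified: '2026-01-02T00:00:00Z' }] },
  ],
}
const SAMPLE_DETAILS: Record<string, OsvVuln> = {
  'GHSA-xxxx-example-1': { id: 'GHSA-xxxx-example-1', database_specific: { severity: 'MODERATE' } },
  'GHSA-xxxx-example-2': { id: 'GHSA-xxxx-example-2', affected: [{ ecosystem_specific: { severity: 'HIGH' } }] },
}

function runSample() {
  const [batch] = buildQueryBatches(SAMPLE_DEPS)
  return summarize(batch, SAMPLE_RESPONSE, SAMPLE_DETAILS)
}
```

`runSample()` runs fully offline against the constructed data; for a live check pass `globalThis.fetch` (Node 18+) as the second argument of `queryOsv`. Because the batch endpoint hands back only ids, the severity breakdown is only as good as the detail lookups: an id whose record could not be fetched is still counted, in the "unknown" bucket, rather than silently dropped from the banner.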


vercel Bot commented Jan 27, 2026

@Flo0806 is attempting to deploy a commit to the danielroe Team on Vercel.

A member of the Team first needs to authorize it.

Flo0806 force-pushed the feat/deps-vulnerability branch from b2b9354 to ab53d74 on January 28, 2026 15:24

vercel Bot commented Jan 28, 2026


Project        | Deployment | Review           | Updated (UTC)
docs.npmx.dev  | Ready      | Preview, Comment | Jan 28, 2026 10:34pm
npmx-lunaria   | Error      |                  | Jan 28, 2026 10:34pm
npmx.dev       | Ready      | Preview, Comment | Jan 28, 2026 10:34pm



github-actions Bot commented Jan 28, 2026

Lunaria Status Overview

🌕 This pull request will trigger status changes.


By default, every PR changing files present in the Lunaria configuration's files property will be considered and trigger status changes accordingly.

You can change this by adding one of the keywords present in the ignoreKeywords property in your Lunaria configuration file in the PR's title (ignoring all files) or by including a tracker directive in the merged commit's description.

Tracked Files

File                      | Note
i18n/locales/en.json      | Source changed, localizations will be marked as outdated.
i18n/locales/fr.json      | Localization changed, will be marked as complete. 🔄️
i18n/locales/it.json      | Localization changed, will be marked as complete. 🔄️
i18n/locales/zh-CN.json   | Localization changed, will be marked as complete. 🔄️
Warnings reference
Icon Description
🔄️ The source for this localization has been updated since the creation of this pull request, make sure all changes in the source have been applied.

@danielroe danielroe merged commit 154d47b into npmx-dev:main Jan 28, 2026
11 of 12 checks passed
fatfingers23 pushed a commit to fatfingers23/npmx.dev that referenced this pull request Jan 29, 2026

Development

Successfully merging this pull request may close these issues.

show vulnerability warnings for direct dependencies

2 participants