PackageFix is a free browser-based dependency security fixer. Paste your manifest file and get back a fixed version with every vulnerable package patched.
Supports 7 ecosystems: npm, PyPI, Ruby, PHP, Go, Rust, and Java/Maven.
Beyond CVE scanning — also detects:
- Glassworm/Unicode injection in manifest scripts
- Typosquatting (one char off a popular package)
- Zombie packages (unmaintained but widely used)
- Suspicious maintainer activity
- Build script danger (curl/wget in postinstall)
- Unpinned version warnings
Uses the OSV vulnerability database (updated daily) and CISA KEV catalog. Everything runs client-side - nothing leaves your browser.
MIT licensed, open source.
github.com/metriclogic26/packagefix


