Multi-Ecosystem
Supports npm, Python, Ruby, Go, and Rust with more coming soon
Remote Repository Scanning
Clone and scan any Git repository directly without manual setup
Multiple Data Sources
Queries OSV for comprehensive vulnerability coverage
Provenance Verification
Automatically checks npm and PyPI packages for SLSA provenance attestations, so you can confirm a package was built from its declared source repository by a trusted builder
Beautiful UI
Colorful, emoji-rich terminal output with automatic light/dark mode detection
CI/CD Ready
JSON output and exit codes make it perfect for automation pipelines
Severity Filtering
Filter vulnerabilities by severity level (CRITICAL, HIGH, MEDIUM, LOW)
Dependency Pinning
Checks that Node.js and Python dependencies are pinned to exact versions rather than ranges
Recursive Scanning
Automatically finds all dependency files in your project tree
Fast & Efficient
Parallel API requests and smart caching for quick scans
Extensible
Easy to add new data sources and package managers
Optional LLM Scanning
Optionally provide an API key to also scan your dependencies with frontier LLMs
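The pipeline the feature list describes (parse dependency files, build an OSV batch query, flag unpinned dependencies, filter findings by severity, and return a CI exit code), as an added Node.js example. This is not the tool's own code: the package.json, requirements.txt and findings are constructed inline, the OSV request is only built (not sent), and the severity labels are assumed to have already been resolved from each OSV entry.

```javascript
// Added example, not code from who-touched-my-packages. All inputs are constructed.

const SEVERITY_RANK = { LOW: 1, MEDIUM: 2, HIGH: 3, CRITICAL: 4 };

// Constructed package.json: one caret range, one exact pin.
const PACKAGE_JSON = JSON.stringify({
  name: "demo",
  dependencies: { lodash: "^4.17.20", minimist: "1.2.5" },
});

// Constructed requirements.txt: a comment, one exact pin, one lower bound.
const REQUIREMENTS_TXT = "# demo\nrequests==2.25.1\npyyaml>=5.3\n";

// A version spec counts as pinned only when it names exactly one version.
const EXACT_VERSION = /^\d+\.\d+\.\d+$/;

function parsePackageJson(text) {
  const pkg = JSON.parse(text);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.entries(deps).map(([name, spec]) => ({
    ecosystem: "npm",
    name,
    // Strip a leading range operator so a range still yields a version to query.
    version: spec.replace(/^[\^~>=<]+/, ""),
    pinned: EXACT_VERSION.test(spec),
  }));
}

function parseRequirementsTxt(text) {
  const packages = [];
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const m = line.match(/^([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|!=|>|<)\s*([^\s;#]+)/);
    if (!m) continue; // unsupported line shape (-r includes, URLs, bare names)
    packages.push({ ecosystem: "PyPI", name: m[1], version: m[3], pinned: m[2] === "==" });
  }
  return packages;
}

// Request body shape for OSV's batch endpoint, POST https://api.osv.dev/v1/querybatch.
function buildOsvBatchQuery(packages) {
  return {
    queries: packages.map((p) => ({
      package: { name: p.name, ecosystem: p.ecosystem },
      version: p.version,
    })),
  };
}

function unpinned(packages) {
  return packages.filter((p) => !p.pinned).map((p) => `${p.ecosystem}:${p.name}`);
}

// Keep findings at or above the requested severity (CRITICAL, HIGH, MEDIUM, LOW).
function filterBySeverity(findings, minimum) {
  const floor = SEVERITY_RANK[minimum.toUpperCase()];
  if (floor === undefined) throw new Error(`unknown severity: ${minimum}`);
  return findings.filter((f) => SEVERITY_RANK[f.severity] >= floor);
}

// Non-zero only when something at or above the threshold remains, so a pipeline
// can fail on HIGH and above while lower findings still appear in the JSON report.
function exitCodeFor(findings, minimum) {
  return filterBySeverity(findings, minimum).length > 0 ? 1 : 0;
}

// Constructed findings, assumed already resolved to a severity label per package.
const FINDINGS = [
  { package: "lodash", severity: "CRITICAL" },
  { package: "minimist", severity: "HIGH" },
  { package: "pyyaml", severity: "MEDIUM" },
];

function runDemo(minimum = "HIGH") {
  const packages = [...parsePackageJson(PACKAGE_JSON), ...parseRequirementsTxt(REQUIREMENTS_TXT)];
  return {
    scanned: packages.length,
    query: buildOsvBatchQuery(packages),
    unpinned: unpinned(packages),
    vulnerabilities: filterBySeverity(FINDINGS, minimum),
    exitCode: exitCodeFor(FINDINGS, minimum),
  };
}

console.log(JSON.stringify(runDemo("HIGH"), null, 2));
```

With the constructed inputs the report lists four scanned packages, two unpinned ones (the caret range and the `>=` bound), two findings at HIGH or above, and exit code 1; lowering the threshold to LOW keeps all three findings.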
Install globally:
npm install -g who-touched-my-packages
Scan your project:
That's it! The tool will recursively scan your project and report any vulnerabilities it finds.
🛡️ Who Touched My Packages?
Scanning dependencies for vulnerabilities...
✓ Found 2 dependency file(s)
✓ Parsed 16 package(s)
────────────────────────────────────────────────────────────
🛡️ Security Audit Summary
────────────────────────────────────────────────────────────
Scanned Packages: 16
Total Vulnerabilities: 3
🔴 Critical: 1
🟠 High: 2
────────────────────────────────────────────────────────────