The OSV strategy queries the OSV (Open Source Vulnerability) public API directly. It uses the `/v1/querybatch` endpoint for efficient batch lookups, resolving vulnerabilities for all dependencies at once.
No credentials or local database synchronization are required.
- Dependencies are extracted from the local project using `NodeDependencyExtractor` (via Arborist), which reads from `node_modules` or falls back to the lockfile.
- All `name@version` pairs are batched into chunks of up to 1000 entries and sent to the OSV batch API.
- Results are mapped back to each package and optionally converted to the Standard or OSV format.
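
The batching and mapping steps above, as an added example (not vulnera's own code): it builds `/v1/querybatch` request bodies in chunks of 1000 and maps the positional results back to each `name@version`. The function names, the injected `post` helper and the sample reply are assumptions made for illustration; pagination of large result sets is not handled.

```javascript
// Added example, not vulnera's own code; function names are hypothetical.
const OSV_BATCH_URL = "https://api.osv.dev/v1/querybatch";
const MAX_BATCH = 1000; // chunk size stated in the text above

// "name@version" -> { name, version }; lastIndexOf keeps "@scope/pkg" names intact.
function parseSpec(spec) {
  const at = spec.lastIndexOf("@");
  if (at <= 0 || at === spec.length - 1) throw new Error(`invalid spec: ${spec}`);
  return { name: spec.slice(0, at), version: spec.slice(at + 1) };
}

// Deduplicate, then split into request bodies of at most `size` queries each.
function buildBatches(specs, size = MAX_BATCH) {
  const unique = [...new Set(specs)];
  const batches = [];
  for (let i = 0; i < unique.length; i += size) {
    const chunk = unique.slice(i, i + size);
    const queries = chunk.map((spec) => {
      const { name, version } = parseSpec(spec);
      return { package: { name, ecosystem: "npm" }, version };
    });
    batches.push({ specs: chunk, body: { queries } });
  }
  return batches;
}

// OSV answers positionally: results[i] belongs to queries[i]. A count mismatch
// is treated as an error so a truncated reply never reads as "no vulnerabilities".
function mapResults(batch, response, out = new Map()) {
  const results = response.results ?? [];
  if (results.length !== batch.specs.length) {
    throw new Error("OSV result count does not match query count");
  }
  batch.specs.forEach((spec, i) => {
    out.set(spec, (results[i]?.vulns ?? []).map((vuln) => vuln.id));
  });
  return out;
}

// `post(url, body)` is injected so the example runs offline; in real use it wraps fetch().
async function queryAll(specs, post) {
  const out = new Map();
  for (const batch of buildBatches(specs)) {
    mapResults(batch, await post(OSV_BATCH_URL, batch.body), out);
  }
  return out;
}
// Constructed sample reply for two queries; the ID is a placeholder, not a real advisory.
const SAMPLE_REPLY = { results: [{ vulns: [{ id: "GHSA-xxxx-xxxx-xxxx" }] }, {}] };
```

The batch endpoint returns only each vulnerability's ID and modification time, so full records need a follow-up lookup by ID.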
Scans a local project directory and returns all found vulnerabilities.
```js
import * as vulnera from "@nodesecure/vulnera";

const definition = vulnera.setStrategy(vulnera.strategies.OSV);
const vulnerabilities = await definition.getVulnerabilities(process.cwd());
console.log(vulnerabilities);
```

With the Standard NodeSecure format:
```js
import * as vulnera from "@nodesecure/vulnera";

const definition = vulnera.setStrategy(vulnera.strategies.OSV);
const vulnerabilities = await definition.getVulnerabilities(process.cwd(), {
  useFormat: "Standard"
});
console.log(vulnerabilities);
```

Hydrates a Scanner dependencies Map in-place with vulnerability data.
```js
import * as vulnera from "@nodesecure/vulnera";

const dependencies = new Map();
// ...populate dependencies from Scanner...
const definition = vulnera.setStrategy(vulnera.strategies.OSV);
await definition.hydratePayloadDependencies(dependencies);
```

With the Standard NodeSecure format:
```js
await definition.hydratePayloadDependencies(dependencies, {
  useFormat: "Standard"
});
```

The strategy uses the OSV database class internally. You can also use it directly for lower-level access to the OSV API (single queries, batch queries, lookup by ID).