ovecc audit
Checks declared dependencies against the local OSV vulnerability database in
.ovecc/osv/. Reads npm package-lock.json today (other lockfile formats are
planned). Offline by default; --fetch first downloads the advisories for exactly
the packages you use.
:::info The only networked command
audit --fetch is the only ovecc operation that ever touches the network — and
only with this flag. Everything else, including plain audit, is fully offline.
:::
Usage: ovecc audit [OPTIONS]
Example
Offline with an empty cache — honest about it:
$ ovecc audit
Dependency audit (OSV): scanned 3 package(s) against 0 advisor(ies)
Vulnerabilities: 0
(no OSV database in .ovecc/osv/ — sync advisories to enable matching)
Fetch, then match:
$ ovecc audit --fetch
Fetched 8 new advisory(ies) for 3 package(s).
Dependency audit (OSV): scanned 3 package(s) against 8 advisor(ies)
Vulnerabilities: 8
[High] Vulnerable dependency: lodash@4.17.15 (GHSA-p6mc-m468-83gw)
[High] Vulnerable dependency: express@4.18.2 (GHSA-rv95-896h-c2vc)
[High] Vulnerable dependency: lodash@4.17.15 (GHSA-35jh-r3h4-6jhm)
...
Once fetched, the advisories are cached in .ovecc/osv/ and subsequent offline runs
match against them.
Options
| Option | Effect |
|---|---|
--fetch | Download OSV advisories for the discovered packages into .ovecc/osv/ first (network, opt-in) |
--fail-on <medium|high|any> | Exit 1 when a finding crosses the threshold |
Plus the global options.
Notes
- Severity follows the advisory's own label (GHSA low/moderate/high/critical); advisories without a label default to High, conservatively.
- Advisories are tracked as their own snapshot metric (
dependency_advisories), separate fromsecurity_findings— so fetching new advisories never looks like a code-quality regression indrift. - In air-gapped CI, run
--fetchon a machine with access and cache/commit the.ovecc/osv/directory into your pipeline.
Related
- Security analysis guide
security— findings in your code