Skip to main content

ovecc audit

Checks declared dependencies against the local OSV vulnerability database in .ovecc/osv/. Reads npm package-lock.json today (other lockfile formats are planned). Offline by default; --fetch first downloads the advisories for exactly the packages you use.

:::info The only networked command audit --fetch is the only ovecc operation that ever touches the network — and only with this flag. Everything else, including plain audit, is fully offline. :::

Usage: ovecc audit [OPTIONS]

Example

Offline with an empty cache — honest about it:

$ ovecc audit
Dependency audit (OSV): scanned 3 package(s) against 0 advisor(ies)
Vulnerabilities: 0
(no OSV database in .ovecc/osv/ — sync advisories to enable matching)

Fetch, then match:

$ ovecc audit --fetch
Fetched 8 new advisory(ies) for 3 package(s).
Dependency audit (OSV): scanned 3 package(s) against 8 advisor(ies)
Vulnerabilities: 8

[High] Vulnerable dependency: lodash@4.17.15 (GHSA-p6mc-m468-83gw)
[High] Vulnerable dependency: express@4.18.2 (GHSA-rv95-896h-c2vc)
[High] Vulnerable dependency: lodash@4.17.15 (GHSA-35jh-r3h4-6jhm)
...

Once fetched, the advisories are cached in .ovecc/osv/ and subsequent offline runs match against them.

Options

OptionEffect
--fetchDownload OSV advisories for the discovered packages into .ovecc/osv/ first (network, opt-in)
--fail-on <medium|high|any>Exit 1 when a finding crosses the threshold

Plus the global options.

Notes

  • Severity follows the advisory's own label (GHSA low/moderate/high/critical); advisories without a label default to High, conservatively.
  • Advisories are tracked as their own snapshot metric (dependency_advisories), separate from security_findings — so fetching new advisories never looks like a code-quality regression in drift.
  • In air-gapped CI, run --fetch on a machine with access and cache/commit the .ovecc/osv/ directory into your pipeline.