Paste any package name and version — see its CVEs, CVSS scores, version age, and latest release in seconds. 8 ecosystems · ecosystem auto-detected · powered by OSV.dev · no login · no tracking · no data stored.
bene-version-checker is an open-source package security tool that lets you audit any single dependency across eight language ecosystems. Enter a package name and version to instantly see:
- All known CVEs with CVSS v3.1 scores and affected version ranges
- How old the version you are running is
- The current latest stable release from the official registry
- A severity summary (CRITICAL / HIGH / MEDIUM / LOW)
No API keys. No accounts. All external calls to OSV and registry APIs happen server-side — your browser only ever contacts this site.
| Ecosystem | Language | Package format | Example |
|---|---|---|---|
| npm | JavaScript / TypeScript | `package` or `@scope/package` | lodash, @babel/core |
| PyPI | Python | `package` | requests |
| Maven | Java / JVM | `groupId:artifactId` | org.springframework:spring-core |
| Go | Go | full module path | github.com/gin-gonic/gin |
| crates.io | Rust | `crate` | serde |
| RubyGems | Ruby | `gem` | rails |
| NuGet | .NET / C# | `Package.Name` | Newtonsoft.Json |
| Packagist | PHP | `vendor/package` | laravel/framework |
Ecosystem is auto-detected from the package name format — a confidence badge (auto-detected / likely) is shown in the UI. The dropdown can always be overridden manually.
- CVE lookup via OSV.dev — Google's Open Source Vulnerability database
- CVSS v3.1 base score — calculated directly from the vector string (spec-verified, no external library)
- Version normalization — strips `^`, `~=`, `>=`, `v`-prefix and NuGet bracket ranges before querying
- Ecosystem auto-detection — high/medium confidence classification from name format alone
- Latest version — fetched from each ecosystem's official registry in parallel with OSV
- Version age — how long ago the queried version was released
- Affected ranges — introduced/fixed version ranges from OSV data across all affected entries
- Per-IP rate limiting — 30 requests/minute (configurable via `.env`)
- No login · No tracking · No data stored
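The CVSS v3.1 scoring the feature list mentions is small enough to carry inline, and doing so avoids a dependency that would itself need auditing. The following is an added example in TypeScript, not the project's own scorer: it implements the base-score equations from section 7 of the CVSS v3.1 specification (metric weights from its Table 15, the v3.1 Roundup function, and the qualitative rating scale). It scores base metrics only; any temporal or environmental metrics in a vector are ignored, and `CVSS:3.0/` vectors are accepted because the base equations are identical.

```typescript
// Added example, not the project's code: CVSS v3.1 base score from a vector string.
// Metric weights from the CVSS v3.1 specification, Table 15.
const AV: Record<string, number> = { N: 0.85, A: 0.62, L: 0.55, P: 0.2 };
const AC: Record<string, number> = { L: 0.77, H: 0.44 };
const UI: Record<string, number> = { N: 0.85, R: 0.62 };
const CIA: Record<string, number> = { H: 0.56, L: 0.22, N: 0 };
// Privileges Required is weighted higher when Scope is Changed.
const PR_U: Record<string, number> = { N: 0.85, L: 0.62, H: 0.27 };
const PR_C: Record<string, number> = { N: 0.85, L: 0.68, H: 0.5 };

export interface BaseMetrics {
  AV: string; AC: string; PR: string; UI: string; S: string; C: string; I: string; A: string;
}

// hasOwnProperty rather than `k in table`: a vector such as "AV:constructor"
// must not resolve to Object.prototype members and turn the score into NaN.
const has = (table: Record<string, number>, k: string): boolean =>
  Object.prototype.hasOwnProperty.call(table, k);

// Spec section 7.5 "Roundup": round up to one decimal place without the
// floating-point artefacts of a naive Math.ceil(x * 10) / 10.
export function roundUp(x: number): number {
  const i = Math.round(x * 100000);
  return i % 10000 === 0 ? i / 100000 : (Math.floor(i / 10000) + 1) / 10;
}

// Parse "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H". Returns null for
// anything that is not a well-formed base vector, so unparseable severity
// data from an upstream feed degrades to "no score" instead of a crash.
export function parseVector(vector: string): BaseMetrics | null {
  const parts = vector.trim().split("/");
  if (parts[0] !== "CVSS:3.1" && parts[0] !== "CVSS:3.0") return null;
  const m: Record<string, string> = {};
  for (const part of parts.slice(1)) {
    const i = part.indexOf(":");
    if (i <= 0 || i === part.length - 1) return null;
    m[part.slice(0, i)] = part.slice(i + 1);
  }
  const valid =
    has(AV, m.AV) && has(AC, m.AC) && has(PR_U, m.PR) && has(UI, m.UI) &&
    (m.S === "U" || m.S === "C") && has(CIA, m.C) && has(CIA, m.I) && has(CIA, m.A);
  if (!valid) return null;
  return { AV: m.AV, AC: m.AC, PR: m.PR, UI: m.UI, S: m.S, C: m.C, I: m.I, A: m.A };
}

// Base score per spec section 7.1; null when the vector does not parse.
export function baseScore(vector: string): number | null {
  const m = parseVector(vector);
  if (m === null) return null;
  const changed = m.S === "C";
  // ISS = 1 - [(1 - C) * (1 - I) * (1 - A)]
  const iss = 1 - (1 - CIA[m.C]) * (1 - CIA[m.I]) * (1 - CIA[m.A]);
  const impact = changed
    ? 7.52 * (iss - 0.029) - 3.25 * Math.pow(iss - 0.02, 15)
    : 6.42 * iss;
  const exploitability =
    8.22 * AV[m.AV] * AC[m.AC] * (changed ? PR_C : PR_U)[m.PR] * UI[m.UI];
  if (impact <= 0) return 0;
  const raw = changed ? 1.08 * (impact + exploitability) : impact + exploitability;
  return roundUp(Math.min(raw, 10));
}

// Qualitative severity rating scale (spec section 5).
export function severity(score: number): "NONE" | "LOW" | "MEDIUM" | "HIGH" | "CRITICAL" {
  if (score === 0) return "NONE";
  if (score < 4) return "LOW";
  if (score < 7) return "MEDIUM";
  if (score < 9) return "HIGH";
  return "CRITICAL";
}
```

Returning `null` rather than throwing on a bad vector is deliberate: OSV entries carry severity data of mixed quality, and one malformed record should produce an unscored row, not a 502 for the whole lookup.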
Security was a primary design concern for public deployment.
| Protection | Implementation |
|---|---|
| Content Security Policy | connect-src 'self' — the browser contacts nothing except this app |
| HSTS | max-age=63072000; includeSubDomains — enforces HTTPS at the transport layer |
| X-Frame-Options | DENY — prevents clickjacking in legacy browsers |
| X-Content-Type-Options | nosniff — prevents MIME-type sniffing |
| Rate limiting | 30 req/min per IP, sliding window algorithm, configurable |
| Input validation | Length limits (200 / 100 chars), character denylist, version normalization before any external call |
| URL sanitization | safeUrl() rejects javascript: and data: URIs from OSV reference data |
| Server-side API calls | OSV, npm, PyPI, crates.io, etc. are called on the server — not from the browser |
| Error sanitization | Stack traces and upstream error details never reach the client |
| Method restriction | /api/inspect returns 405 for all non-POST methods |
| External links | All CVE links use rel="noopener noreferrer" |
| No external scripts | Zero third-party JavaScript loaded in the browser |
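The URL sanitization row deserves a closer look, because reference links from a vulnerability feed are attacker-influenced input that ends up in an `href`. The function below is an added example, not the project's `safeUrl()`: it assumes references must be absolute `http(s)` URLs and shows why parsing with the WHATWG `URL` class beats a prefix comparison on the raw string.

```typescript
// Added example, not the project's safeUrl(): allow only absolute http(s)
// URLs from untrusted reference data before they are rendered as <a href>.
// The URL parser lowercases the scheme and strips leading control
// characters, so "\tJavaScript:..." and "javascript:..." end up with the
// same protocol and a raw-string startsWith() check is not sufficient.
export function safeUrl(raw: unknown): string | null {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) return null;
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    // Relative ("/x") and protocol-relative ("//evil.example") strings have
    // no scheme and throw here; a reference must be absolute, so reject
    // rather than resolve them against the site's own origin.
    return null;
  }
  // Allowlist, not denylist: javascript:, data:, vbscript:, file: and any
  // scheme invented later are all rejected by the same check.
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  return url.href; // normalized form, e.g. "http://example.com" -> "http://example.com/"
}
```

Returning the normalized `href` instead of the original string means the value written into the page is exactly what the parser validated, not a lookalike of it.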
| Layer | Technology |
|---|---|
| Framework | Next.js 16 (App Router) |
| Language | TypeScript (strict mode) |
| Styling | Tailwind CSS 3 |
| Fonts | IBM Plex Mono, IBM Plex Sans |
| CVE data | OSV.dev — free, no API key required |
| CVSS scoring | Implemented inline to CVSS v3.1 spec |
```bash
git clone https://github.com/Beneking102/bene-version-checker.git
cd bene-version-checker
npm install
npm run dev
```

Open http://localhost:3000.
| Command | Description |
|---|---|
| `npm run dev` | Development server with hot reload |
| `npm run build` | Production build |
| `npm run start` | Serve the production build |
| `npm run type-check` | TypeScript check without emitting files |
| `npm run lint` | ESLint |
Copy `.env.example` to `.env.local` and adjust as needed. No API keys are required — OSV.dev is a free public endpoint.

```bash
# Maximum requests per IP per window (default: 30)
RATE_LIMIT_MAX=30
# Window duration in milliseconds (default: 60 s)
RATE_LIMIT_WINDOW_MS=60000
```

Serverless note: The default rate limiter is in-memory and resets on cold starts (Vercel, Netlify). For persistent rate limiting in production, replace the store in `lib/rateLimit.ts` with Upstash Redis, which has a generous free tier and a Next.js SDK.
```bash
npx vercel
```

No environment variables required for basic use. Set `RATE_LIMIT_MAX` and `RATE_LIMIT_WINDOW_MS` if you want non-default limits.
```bash
npm run build
npm start   # runs on port 3000 by default
```

Place the app behind a reverse proxy that handles TLS termination. Caddy is the easiest option — it provisions and renews a free Let's Encrypt certificate automatically when you point a domain at it:

```
# /etc/caddy/Caddyfile
example.com {
    reverse_proxy localhost:3000
}
```

With nginx + Certbot:

```bash
sudo certbot --nginx -d example.com
```

Certificate note: HTTPS/TLS certificates are managed at the reverse-proxy layer, not inside Next.js. Platforms like Vercel and Netlify provision them automatically with no configuration needed.
All external calls (OSV, registries) happen server-side. The browser only posts to this endpoint, `POST /api/inspect`.

Request body

```json
{
  "name": "lodash",
  "version": "4.17.20",
  "ecosystem": "npm"
}
```

`ecosystem` must be one of: npm · PyPI · Maven · Go · crates.io · RubyGems · NuGet · Packagist

`version` accepts raw formats: `4.17.20`, `^4.17.20`, `~=4.17`, `>=4.0.0 <5`, `v4.17.20`, `[4.0.0, 5.0.0)`
Success response — 200 OK

```json
{
  "name": "lodash",
  "version": "4.17.20",
  "originalVersion": "^4.17.20",
  "ecosystem": "npm",
  "latest": "4.17.21",
  "releaseDate": "2021-02-20T14:52:47.000Z",
  "vulns": [
    {
      "id": "GHSA-35jh-r3h4-6jhm",
      "summary": "Command Injection in lodash",
      "cvssScore": 7.2,
      "severity": "HIGH",
      "published": "2021-02-15T00:00:00Z",
      "link": "https://osv.dev/vulnerability/GHSA-35jh-r3h4-6jhm",
      "affectedRanges": [
        { "introduced": "0", "fixed": "4.17.21" }
      ]
    }
  ]
}
```

`originalVersion` is only present when the input was normalized (e.g. `^4.17.20` → `4.17.20`).
Response headers

| Header | Description |
|---|---|
| `X-RateLimit-Remaining` | Requests remaining in the current window (present on all responses after rate-limit check) |
| `Retry-After` | Seconds until the window resets (only on 429) |
Error codes

| HTTP | Code | Meaning |
|---|---|---|
| 400 | `INVALID_JSON` | Body is not valid JSON |
| 400 | `INVALID_BODY` | Body is not a JSON object |
| 422 | `MISSING_NAME` | `name` field absent or empty |
| 422 | `MISSING_VERSION` | `version` field absent or empty |
| 422 | `INVALID_ECOSYSTEM` | `ecosystem` not in the supported list |
| 422 | `NAME_TOO_LONG` | `name` exceeds 200 characters |
| 422 | `VERSION_TOO_LONG` | `version` exceeds 100 characters |
| 422 | `INVALID_VERSION` | Version string could not be parsed |
| 422 | `INVALID_CHARS` | Input contains disallowed characters |
| 429 | `RATE_LIMITED` | Too many requests — check `Retry-After` |
| 502 | `UPSTREAM_ERROR` | OSV or registry temporarily unavailable |
Business Source License 1.1
Licensor: Benedikt Pankratz
Licensed Work: bene-version-checker
Change Date: January 1, 2028
Change License: MIT
In plain English:
- ✓ Free to use for personal and non-commercial purposes, right now
- ✓ The source code converts to the MIT license on January 1, 2028
- ✗ Commercial use before that date requires a separate written agreement
For the full license text see BUSL-1.1.
| Tool | Description |
|---|---|
| bene-npm-scanner | Paste a full package.json — bulk CVE scan for all npm dependencies at once |
| bene-version-checker | ← this repo — single-package CVE audit across 8 ecosystems |
© 2026 Benedikt Pankratz · @Beneking102