Most dependency scanners are themselves a dependency problem.
You install safety or pip-audit and suddenly you're pulling in 12 packages just to check if your 3 packages are safe. That always bothered me.
So I built Depheal. It scans your requirements.txt and package.json for known CVEs and abandoned packages — and it has zero dependencies. Pure Python stdlib. Nothing else.
pip install depheal
depwise scan .
What it actually does
Hits the OSV.dev API for real CVE data
Detects abandoned packages (no updates in 3+ years, deprecated, etc.)
Works on Python and Node projects
--strict flag exits with code 1 — great for CI pipelines
depwise why explains what's wrong with a specific package
Sample output from scanning my own project today:
"[email protected] medium 1 CVE fix: 1.1.2
python-dotenv: Symlink following in set_key allows arbitrary file overwrite
1 vulnerable, 1 ok
to fix:
pip install python-dotenv==1.1.2"
Found a real CVE in my own codebase while testing. Caught in 3 seconds.
The bug I fixed today
Version 0.1.0 had an embarrassing flaw.
If the network check failed — firewall blocking osv.dev, timeout, rate limit, anything — the tool silently reported every package as ok. No warning. Nothing.
For a security tool that's the worst possible failure mode. You'd think you're safe when you're actually just unchecked.
0.1.1 fixes this. Now it shows unknown (check failed) with an explicit message not to trust the result.
Honest output matters more than clean output.
Why zero dependencies?
A scanner that introduces attack surface is a bad scanner. Every dependency you add is something that could have its own CVE tomorrow.
Also I built this entirely from my laptop
What's next
GitHub Actions support
Lock file support (poetry.lock, package-lock.json)
More ecosystems (Go, Rust)
If something's broken or missing, open an issue.
GitHub: https://github.com/hunzo1/depheal
Thanks for reading the full post.
United States
NORTH AMERICA
Related News

Master Local Fine-Tuning with "gemma-trainer"
8h ago
Building a Plugin-Free Newsletter Popup on WordPress: Custom REST Endpoint Mailchimp API v3
8h ago
ภาษาโปรแกรมมิ่งที่ syntax ง่าย ทำให้ AI หลอนน้อยลง จริงหรือ?
8h ago
How I Built a File-Timestamp-Based Feedback Loop to Enforce AI Output Quality
8h ago
GitHub Trending Digest — 2026-07-07
9h ago