PackageFix icon
PackageFix icon

PackageFix

PackageFix is a free browser-based dependency security fixer. Paste your manifest file and get back a fixed version with every vulnerable package patched — ready to download in one click.

Live CVE scan via OSV database. CISA KEV banner flags actively exploited packages first. Health score, severity badges, fix versions, and side-by-side diff all in one view.

Cost / License

  • Free
  • Open Source (MIT)

Application type

Alerts

  • Discontinued

Platforms

  • Online
Discontinued

This project is no longer actively maintained. The live site has been taken offline. The code remains available under the MIT license for anyone who wishes to fork and self-host.

0likes
1comment
0articles

Features

Properties

  1.  Privacy focused

Features

  1.  Ad-free
  2.  Dark Mode
  3.  No registration required
  4.  No Tracking
  5.  Package Manager

PackageFix News & Activities

Highlights All activities

Recent activities

PackageFix information

  • Developed by

    US flagMetric Logic
  • Licensing

    Open Source (MIT) and Free product.
  • Alternatives

    16 alternatives listed
  • Supported Languages

    • English

AlternativeTo Categories

DevelopmentSecurity & Privacy

GitHub repository

  •  4 Stars
  •  0 Forks
  •  0 Open Issues
  •   Updated  (Archived)
View on GitHub

Our users have written 1 comments and reviews about PackageFix, and it has gotten 0 likes

PackageFix was added to AlternativeTo by metriclogic on and this page was last updated .

Comments and Reviews

   
Remco
0

Is no longer actively maintained.

What is PackageFix?

PackageFix is a free browser-based dependency security fixer. Paste your manifest file and get back a fixed version with every vulnerable package patched — ready to download in one click.

Supports 7 ecosystems: npm, PyPI, Ruby, PHP, Go, Rust, and Java/Maven. Also accepts lockfiles for transitive dependency scanning (package-lock.json, poetry.lock, Gemfile.lock, Cargo.lock, composer.lock).

Beyond CVE scanning, PackageFix detects supply chain attacks that npm audit misses:

  • Glassworm/Unicode injection in manifest scripts
  • Typosquatting (one character off a popular package)
  • Zombie packages (unmaintained but widely depended on)
  • Suspicious packages (dormant then suddenly updated)
  • Build script danger (curl/wget in postinstall/build.rs)
  • Unpinned version warnings (* and latest)
  • Maintainer takeover flags

Uses the OSV vulnerability database (updated daily) and CISA KEV catalog for actively exploited packages. Everything runs client-side — nothing leaves your browser.

MIT licensed, open source.

Official Links