

PackageFix
PackageFix is a free browser-based dependency security fixer. Paste your manifest file and get back a fixed version with every vulnerable package patched — ready to download in one click.
This project is no longer actively maintained. The live site has been taken offline. The code remains available under the MIT license for anyone who wishes to fork and self-host.
Features
Properties
- Privacy focused
Features
- Ad-free
- Dark Mode
- No registration required
- No Tracking
- Package Manager
PackageFix News & Activities
Recent activities
- POX updated PackageFix
- REMC0 commented on PackageFix
Is no longer actively maintained.
Proscan added PackageFix as alternative to Proscan AppSec- metriclogic added PackageFix
metriclogic added PackageFix as alternative to Snyk, Dependabot, Mend Renovate and Libraries.io
PackageFix information
What is PackageFix?
PackageFix is a free browser-based dependency security fixer. Paste your manifest file and get back a fixed version with every vulnerable package patched — ready to download in one click.
Supports 7 ecosystems: npm, PyPI, Ruby, PHP, Go, Rust, and Java/Maven. Also accepts lockfiles for transitive dependency scanning (package-lock.json, poetry.lock, Gemfile.lock, Cargo.lock, composer.lock).
Beyond CVE scanning, PackageFix detects supply chain attacks that npm audit misses:
- Glassworm/Unicode injection in manifest scripts
- Typosquatting (one character off a popular package)
- Zombie packages (unmaintained but widely depended on)
- Suspicious packages (dormant then suddenly updated)
- Build script danger (curl/wget in postinstall/build.rs)
- Unpinned version warnings (* and latest)
- Maintainer takeover flags
Uses the OSV vulnerability database (updated daily) and CISA KEV catalog for actively exploited packages. Everything runs client-side — nothing leaves your browser.
MIT licensed, open source.







Comments and Reviews
Is no longer actively maintained.