<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: sean mears</title>
    <description>The latest articles on DEV Community by sean mears (@sean_mears_4911f109537acb).</description>
    <link>https://dev.to/sean_mears_4911f109537acb</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4023389%2F0002e03c-e742-488a-8078-e92963dd876d.jpg</url>
      <title>DEV Community: sean mears</title>
      <link>https://dev.to/sean_mears_4911f109537acb</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/sean_mears_4911f109537acb"/>
    <language>en</language>
    <item>
      <title>Stop Triaging. Start Fixing. Introducing VigilOps</title>
      <dc:creator>sean mears</dc:creator>
      <pubDate>Fri, 10 Jul 2026 03:16:11 +0000</pubDate>
      <link>https://dev.to/sean_mears_4911f109537acb/stop-triaging-start-fixing-introducing-vigilops-2hek</link>
      <guid>https://dev.to/sean_mears_4911f109537acb/stop-triaging-start-fixing-introducing-vigilops-2hek</guid>
      <description>&lt;p&gt;You've seen the alert. You've opened the PR. You've read the changelog. Then you realize: your code doesn't even call the vulnerable function.&lt;/p&gt;

&lt;p&gt;Every week. Hundreds of teams drowning in CVE notifications for packages sitting dormant in their node_modules — dependencies they pulled in years ago, bundled by a transitive library, and never actually executed. Meanwhile, the real vulnerabilities get buried.&lt;/p&gt;

&lt;p&gt;VigilOps is a free Node.js CLI that fixes this.&lt;/p&gt;

&lt;p&gt;How VigilOps Works&lt;br&gt;
VigilOps does three things:&lt;/p&gt;

&lt;p&gt;Scans dependencies against OSV.dev — the open vulnerability database used by GitHub, PyPI, and npm&lt;br&gt;
Runs static reachability analysis to filter out unreachable vulnerabilities (packages in your tree but never called by your code)&lt;br&gt;
Auto-opens a GitHub PR with the fix&lt;br&gt;
The result: you get one PR with one real vulnerability. Not a spreadsheet. Not a wall of Slack messages. A fix.&lt;/p&gt;

&lt;p&gt;Demo&lt;br&gt;
Here's a quick scan:&lt;/p&gt;

&lt;p&gt;npx vigilops scan examples/vigilops-demo-lodash&lt;br&gt;
And to see everything including suppressed (unreachable) deps:&lt;/p&gt;

&lt;p&gt;npx vigilops scan examples/vigilops-demo-express --all&lt;br&gt;
The --all flag shows what's in your dependency tree but not actually reachable from your code. That's what the noise looks like — and that's what VigilOps filters out.&lt;/p&gt;

&lt;p&gt;Why This Is Different&lt;br&gt;
Dependabot and Snyk scan your entire lockfile. They report every CVE in every package, regardless of whether your code ever touches the vulnerable surface. This creates alert fatigue that causes teams to eventually... stop reading.&lt;/p&gt;

&lt;p&gt;VigilOps inverts the model: only surface vulnerabilities in code you actually call.&lt;/p&gt;

&lt;p&gt;Dependabot: "Your project has 47 vulnerabilities" (but 40 are unreachable noise)&lt;br&gt;
VigilOps: "Your project has 1 reachable vulnerability. PR is ready."&lt;br&gt;
Quick Start&lt;br&gt;
npm install -g vigilops&lt;br&gt;
npx vigilops scan .&lt;br&gt;
Authenticate with GitHub:  &lt;a href="https://github.com/Vigilops/vigilops" rel="noopener noreferrer"&gt;https://github.com/Vigilops/vigilops&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;npx vigilops auth&lt;br&gt;
That's it. The first run will scan, analyze, and open a PR if there's a fixable reachable vulnerability.&lt;/p&gt;

&lt;p&gt;What's Included&lt;br&gt;
OSV.dev integration — covers npm, PyPI, Go, Rust, Ruby, and more&lt;br&gt;
Static analysis — identifies which packages are actually reachable from your entry points&lt;br&gt;
GitHub PR automation — opens a PR with a pinned safe version and a summary of what changed&lt;br&gt;
Suppress filters — if you want to see the full tree, use --all&lt;br&gt;
GitHub&lt;br&gt;
Questions, issues, contributions: &lt;a href="https://github.com/Vigilops/vigilops" rel="noopener noreferrer"&gt;https://github.com/Vigilops/vigilops&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Try It&lt;br&gt;
npx vigilops scan examples/vigilops-demo-lodash&lt;br&gt;
Start with a demo repo or point it at any Node.js project. If it finds nothing, you now have confidence in your dependency tree. If it finds something — you have a PR waiting.&lt;/p&gt;

&lt;p&gt;VigilOps is free and open source. Built for maintainers and small dev teams who've had enough of the noise&lt;/p&gt;

</description>
      <category>opensource</category>
      <category>node</category>
      <category>security</category>
      <category>devtools</category>
    </item>
    <item>
      <title>VigilOps Launch Article</title>
      <dc:creator>sean mears</dc:creator>
      <pubDate>Fri, 10 Jul 2026 03:11:17 +0000</pubDate>
      <link>https://dev.to/sean_mears_4911f109537acb/vigilops-launch-article-334d</link>
      <guid>https://dev.to/sean_mears_4911f109537acb/vigilops-launch-article-334d</guid>
      <description>&lt;h1&gt;
  
  
  Stop drowning in CVE noise — meet VigilOps
&lt;/h1&gt;

&lt;p&gt;Your &lt;code&gt;package.json&lt;/code&gt; has 347 transitive dependencies. Dependabot just filed 40 security alerts. You have no idea which ones actually matter.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;VigilOps&lt;/strong&gt; is a free Node.js CLI that solves this: it scans your dependencies for CVEs via OSV.dev, filters out the noise using static reachability analysis, and auto-opens GitHub PRs with the actual fix.&lt;/p&gt;




&lt;h2&gt;
  
  
  The problem isn't vulnerabilities — it's triage
&lt;/h2&gt;

&lt;p&gt;Dependency scanners flag everything in your tree. The CVE is real. The package version is correct. But does your code actually call the affected function?&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.helpnetsecurity.com/2024/09/16/open-source-software-dependencies/" rel="noopener noreferrer"&gt;Endor Labs' 2024 Dependency Management Report&lt;/a&gt; found that fewer than &lt;strong&gt;9.5%&lt;/strong&gt; of dependency vulnerabilities are reachable in a typical codebase. That's over 90% noise.&lt;/p&gt;

&lt;p&gt;Filippo Valsorda — former Google Go Security Team lead — put it bluntly when Dependabot opened thousands of PRs against repos that didn't even import the affected package:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;"Dependabot is a noise machine. It makes you feel like you're doing work, but you're actually discouraging more useful work."&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;The security industry has a word for this: &lt;strong&gt;alert fatigue&lt;/strong&gt;. When every alert looks critical, none of them are.&lt;/p&gt;




&lt;h2&gt;
  
  
  What reachability filtering actually means
&lt;/h2&gt;

&lt;p&gt;VigilOps builds a static call graph of your application. When it finds a CVE, it asks: &lt;em&gt;"Is there a code path from this file to the vulnerable function?"&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;If the answer is no, VigilOps marks it as &lt;strong&gt;suppressed&lt;/strong&gt; — not because the CVE doesn't exist, but because your code can't trigger it.&lt;/p&gt;

&lt;p&gt;The tradeoff: scanners that assume static call graphs can miss dynamic &lt;code&gt;require(name)&lt;/code&gt; patterns where packages are loaded at runtime. That's real. For most codebases, the signal-to-noise improvement is worth it.&lt;/p&gt;




&lt;h2&gt;
  
  
  Try it right now
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Demo 1: Scan with reachability filtering (default)
&lt;/h3&gt;

&lt;p&gt;\////////////////////&lt;br&gt;
npx vigilops scan examples/vigilops-demo-lodash&lt;br&gt;
////////////////////&lt;/p&gt;

&lt;p&gt;This scans a demo project containing lodash with a known CVE. VigilOps analyzes the call graph and flags only the reachable vulnerability. Everything else is suppressed.&lt;/p&gt;

&lt;h3&gt;
  
  
  Demo 2: See everything — including suppressed CVEs
&lt;/h3&gt;

&lt;p&gt;\////////////////////&lt;br&gt;
npx vigilops scan examples/vigilops-demo-express --all&lt;br&gt;
////////////////////&lt;/p&gt;

&lt;p&gt;The &lt;code&gt;--all&lt;/code&gt; flag shows the full picture: all CVEs including suppressed ones. This is useful when you need to audit your full dependency tree or when a compliance requirement asks for a complete vulnerability inventory.&lt;/p&gt;




&lt;h2&gt;
  
  
  How the auto-fix PR works
&lt;/h2&gt;

&lt;p&gt;When VigilOps finds a &lt;strong&gt;reachable&lt;/strong&gt; CVE with a patched version available, it can open a GitHub PR directly from the CLI:&lt;/p&gt;

&lt;p&gt;\////////////////////&lt;br&gt;
npx vigilops scan . --fix&lt;br&gt;
////////////////////&lt;/p&gt;

&lt;p&gt;It determines:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The exact upgrade path (accounting for transitive dependencies)&lt;/li&gt;
&lt;li&gt;Whether the upgrade breaks your lockfile&lt;/li&gt;
&lt;li&gt;The correct &lt;code&gt;npm install&lt;/code&gt; / &lt;code&gt;pnpm update&lt;/code&gt; command&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The PR lands in your repo with context: which CVE, which function, and what was changed. You review it, you merge it. No guessing.&lt;/p&gt;




&lt;h2&gt;
  
  
  How VigilOps compares to what you're using now
&lt;/h2&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;&lt;/th&gt;
&lt;th&gt;Dependabot&lt;/th&gt;
&lt;th&gt;Snyk&lt;/th&gt;
&lt;th&gt;VigilOps&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Cost&lt;/td&gt;
&lt;td&gt;Free&lt;/td&gt;
&lt;td&gt;Paid tier&lt;/td&gt;
&lt;td&gt;Free, open source&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;CVE database&lt;/td&gt;
&lt;td&gt;GitHub DB&lt;/td&gt;
&lt;td&gt;Proprietary + NVD&lt;/td&gt;
&lt;td&gt;OSV.dev&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Reachability analysis&lt;/td&gt;
&lt;td&gt;None&lt;/td&gt;
&lt;td&gt;Partial (JS/Java)&lt;/td&gt;
&lt;td&gt;Full static call graph&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Filters unreachable CVEs&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;td&gt;Yes (paid tier)&lt;/td&gt;
&lt;td&gt;Yes&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Auto-fix PRs&lt;/td&gt;
&lt;td&gt;Version bump only&lt;/td&gt;
&lt;td&gt;Version bump&lt;/td&gt;
&lt;td&gt;Context-aware fix&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Works offline&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;td&gt;Partial&lt;/td&gt;
&lt;td&gt;Yes&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;GitHub-only&lt;/td&gt;
&lt;td&gt;Yes&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Dependabot flags a CVE because the package exists. VigilOps flags a CVE because your code can reach it.&lt;/p&gt;




&lt;h2&gt;
  
  
  Get started
&lt;/h2&gt;

&lt;p&gt;\////////////////////&lt;br&gt;
npm install -g vigilops&lt;br&gt;
////////////////////&lt;/p&gt;

&lt;p&gt;Or run it directly:&lt;/p&gt;

&lt;p&gt;\////////////////////&lt;br&gt;
npx vigilops scan .&lt;br&gt;
////////////////////&lt;/p&gt;

&lt;p&gt;For the auto-fix workflow, you'll need a GitHub token set as &lt;code&gt;VIGILOPS_GITHUB_TOKEN&lt;/code&gt; in your environment.&lt;/p&gt;




&lt;h2&gt;
  
  
  Call to action: we need your feedback
&lt;/h2&gt;

&lt;p&gt;This is an early-stage open-source tool. If you've been burned by Dependabot noise, or if you've tried tools like Snyk and found them too expensive for what you got — we want to hear from you.&lt;/p&gt;

&lt;p&gt;Specifically:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;What's your current triage workflow for dependency CVEs?&lt;/li&gt;
&lt;li&gt;What would it take for you to trust a reachability filter over a raw CVE alert?&lt;/li&gt;
&lt;li&gt;What friction points have you hit with existing tools?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Open an issue at  &lt;a href="https://github.com/Vigilops/vigilops" rel="noopener noreferrer"&gt;https://github.com/Vigilops/vigilops&lt;/a&gt; or drop a commenthttps://github.com/Vigilops/vigilops below.&lt;/p&gt;

&lt;p&gt;The goal is simple: &lt;strong&gt;only alert you when your code can actually be exploited.&lt;/strong&gt; Everything else is noise, and noise has a cost.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;VigilOps is free and open source. It queries OSV.dev, which aggregates advisories from multiple sources — no single advisory database is perfect, and neither is any scanner. Use VigilOps as part of your triage workflow, not as a replacement for security judgment.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>cli</category>
      <category>javascript</category>
      <category>node</category>
      <category>security</category>
    </item>
  </channel>
</rss>
