<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Prince</title>
    <description>The latest articles on DEV Community by Prince (@vrox).</description>
    <link>https://dev.to/vrox</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3838177%2Ff20fb179-e532-4561-a823-10d796d849ab.png</url>
      <title>DEV Community: Prince</title>
      <link>https://dev.to/vrox</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/vrox"/>
    <language>en</language>
    <item>
      <title>I built a CVE scanner for Python/Node with zero dependencies. Here's why that matters.</title>
      <dc:creator>Prince</dc:creator>
      <pubDate>Wed, 01 Jul 2026 10:21:41 +0000</pubDate>
      <link>https://dev.to/vrox/i-built-a-cve-scanner-for-pythonnode-with-zero-dependencies-heres-why-that-matters-4nog</link>
      <guid>https://dev.to/vrox/i-built-a-cve-scanner-for-pythonnode-with-zero-dependencies-heres-why-that-matters-4nog</guid>
      <description>&lt;p&gt;Most dependency scanners are themselves a dependency problem.&lt;br&gt;
You install safety or pip-audit and suddenly you're pulling in 12 packages just to check if your 3 packages are safe. That always bothered me.&lt;br&gt;
So I built Depheal. It scans your requirements.txt and package.json for known CVEs and abandoned packages — and it has zero dependencies. Pure Python stdlib. Nothing else.&lt;/p&gt;

&lt;p&gt;pip install depheal&lt;br&gt;
depwise scan .&lt;/p&gt;

&lt;p&gt;What it actually does&lt;br&gt;
Hits the OSV.dev API for real CVE data&lt;br&gt;
Detects abandoned packages (no updates in 3+ years, deprecated, etc.)&lt;br&gt;
Works on Python and Node projects&lt;br&gt;
--strict flag exits with code 1 — great for CI pipelines&lt;br&gt;
depwise why  explains what's wrong with a specific package&lt;br&gt;
Sample output from scanning my own project today:&lt;/p&gt;

&lt;p&gt;"&lt;a href="mailto:python-dotenv@1.0"&gt;python-dotenv@1.0&lt;/a&gt;   medium  1 CVE  fix: 1.1.2&lt;br&gt;
    python-dotenv: Symlink following in set_key allows arbitrary file overwrite&lt;/p&gt;

&lt;p&gt;1 vulnerable, 1 ok&lt;/p&gt;

&lt;p&gt;to fix:&lt;br&gt;
    pip install python-dotenv==1.1.2"&lt;/p&gt;

&lt;p&gt;Found a real CVE in my own codebase while testing. Caught in 3 seconds.&lt;/p&gt;

&lt;p&gt;The bug I fixed today&lt;br&gt;
Version 0.1.0 had an embarrassing flaw.&lt;br&gt;
If the network check failed — firewall blocking osv.dev, timeout, rate limit, anything — the tool silently reported every package as ok. No warning. Nothing.&lt;br&gt;
For a security tool that's the worst possible failure mode. You'd think you're safe when you're actually just unchecked.&lt;br&gt;
0.1.1 fixes this. Now it shows unknown (check failed) with an explicit message not to trust the result.&lt;br&gt;
Honest output matters more than clean output.&lt;/p&gt;

&lt;p&gt;Why zero dependencies?&lt;br&gt;
A scanner that introduces attack surface is a bad scanner. Every dependency you add is something that could have its own CVE tomorrow.&lt;br&gt;
Also I built this entirely from my laptop&lt;/p&gt;

&lt;p&gt;What's next&lt;br&gt;
GitHub Actions support&lt;br&gt;
Lock file support (poetry.lock, package-lock.json)&lt;br&gt;
More ecosystems (Go, Rust)&lt;br&gt;
If something's broken or missing, open an issue.&lt;br&gt;
GitHub: &lt;a href="https://github.com/hunzo1/depheal" rel="noopener noreferrer"&gt;https://github.com/hunzo1/depheal&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Thanks for reading the full post.&lt;/p&gt;

</description>
      <category>python</category>
      <category>security</category>
      <category>devops</category>
      <category>opensource</category>
    </item>
    <item>
      <title>I build my own coding language specifically for bug bounty hunters. You will find it on GitHub with setup guide inside README.md 
GitHub: GitHub.com/InterviewCopilot350/Vroxscript
I will upgrade it as per user's request and as well looking for developers</title>
      <dc:creator>Prince</dc:creator>
      <pubDate>Sun, 22 Mar 2026 09:53:10 +0000</pubDate>
      <link>https://dev.to/vrox/i-build-my-own-coding-language-specifically-for-bug-bounty-hunters-you-will-find-it-on-github-with-4jpp</link>
      <guid>https://dev.to/vrox/i-build-my-own-coding-language-specifically-for-bug-bounty-hunters-you-will-find-it-on-github-with-4jpp</guid>
      <description></description>
      <category>opensource</category>
      <category>programming</category>
      <category>security</category>
      <category>showdev</category>
    </item>
    <item>
      <title>I built my own programming language on Android with no laptop. Meet VroxScript.</title>
      <dc:creator>Prince</dc:creator>
      <pubDate>Sun, 22 Mar 2026 09:47:05 +0000</pubDate>
      <link>https://dev.to/vrox/i-built-my-own-programming-language-on-android-with-no-laptop-meet-vroxscript-3hc8</link>
      <guid>https://dev.to/vrox/i-built-my-own-programming-language-on-android-with-no-laptop-meet-vroxscript-3hc8</guid>
      <description>&lt;h2&gt;
  
  
  The Problem
&lt;/h2&gt;

&lt;p&gt;I started learning bug bounty hunting with nothing &lt;br&gt;
but an Android phone and Termux.&lt;/p&gt;

&lt;p&gt;Every time I needed to do recon I had to write &lt;br&gt;
50+ lines of Python just to scan subdomains and &lt;br&gt;
check alive hosts. It was frustrating.&lt;/p&gt;

&lt;p&gt;So I built my own language.&lt;/p&gt;

&lt;h2&gt;
  
  
  Meet VroxScript
&lt;/h2&gt;

&lt;p&gt;VroxScript is a security scripting language where &lt;br&gt;
full recon takes 7 lines instead of 200.&lt;/p&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;
vs
scan subdomains target.com &amp;gt;&amp;gt; subs.txt
alive scan_results &amp;gt;&amp;gt; alive.txt
ports target.com &amp;gt;&amp;gt; ports.txt
headers https://target.com &amp;gt;&amp;gt; headers.txt
fuzz https://target.com &amp;gt;&amp;gt; fuzz.txt
secrets fetch_body
report target.com &amp;gt;&amp;gt; report.txt
Built on Android
No laptop. No fancy setup. Just:
Android phone
Termux
Go compiler
Determination
How it works
VroxScript is interpreted by Go which makes it:
Fast — concurrent scanning with goroutines
Portable — single binary
Simple — no dependencies
Features
Subdomain scanning
Port scanning
Directory fuzzing
Security header checking
Secret detection
DNS lookup
Wayback Machine integration
Full report generation
Get it
GitHub: github.com/InterviewCopilot350/vroxscript
What I learned
Building a programming language taught me more
about networking, compilers and Go than any
tutorial ever could.
— Prince, India
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

</description>
      <category>security</category>
      <category>go</category>
      <category>programming</category>
      <category>opensource</category>
    </item>
  </channel>
</rss>
