Most dependency scanners are themselves a dependency problem.
You install safety or pip-audit and suddenly you're pulling in 12 packages just to check if your 3 packages are safe. That always bothered me.
So I built Depheal. It scans your requirements.txt and package.json for known CVEs and abandoned packages — and it has zero dependencies. Pure Python stdlib. Nothing else.
pip install depheal
depwise scan .
What it actually does
Hits the OSV.dev API for real CVE data
Detects abandoned packages (no updates in 3+ years, deprecated, etc.)
Works on Python and Node projects
--strict flag exits with code 1 — great for CI pipelines
depwise why explains what's wrong with a specific package
Sample output from scanning my own project today:
python-dotenv@1.0 medium 1 CVE fix: 1.1.2
python-dotenv: Symlink following in set_key allows arbitrary file overwrite
1 vulnerable, 1 ok
to fix:
pip install python-dotenv==1.1.2
Found a real CVE in my own codebase while testing. Caught in 3 seconds.
The bug I fixed today
Version 0.1.0 had an embarrassing flaw.
If the network check failed — firewall blocking osv.dev, timeout, rate limit, anything — the tool silently reported every package as ok. No warning. Nothing.
For a security tool that's the worst possible failure mode. You'd think you're safe when you're actually just unchecked.
0.1.1 fixes this. Now it shows unknown (check failed) with an explicit message not to trust the result.
Honest output matters more than clean output.
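To make the failure mode concrete, here is an added example (my code, not depheal's) of how a stdlib-only OSV lookup can keep "ok", "vulnerable" and "unknown (check failed)" apart. The OSV query endpoint is the real one; fake_fetch is a constructed offline stand-in with a placeholder vulnerability id, and treating unknown as a failure under strict mode is this example's assumption, not documented depheal behaviour.

```python
import json
import urllib.request
from dataclasses import dataclass

OSV_QUERY_URL = "https://api.osv.dev/v1/query"  # real OSV.dev endpoint
UNKNOWN = "unknown (check failed)"

@dataclass
class Result:
    package: str
    version: str
    status: str                      # "ok", "vulnerable" or UNKNOWN
    vuln_ids: tuple = ()
    detail: str = ""

def osv_fetch(name, version, ecosystem="PyPI", timeout=10):
    """Live lookup of one pinned package. Any failure raises; the caller decides what that means."""
    body = json.dumps({"version": version,
                       "package": {"name": name, "ecosystem": ecosystem}}).encode()
    req = urllib.request.Request(OSV_QUERY_URL, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())

def check_package(name, version, fetch=osv_fetch):
    """Classify one package. A failed lookup is reported as UNKNOWN, never as ok."""
    try:
        data = fetch(name, version)
    except Exception as exc:  # firewall, timeout, HTTP 429, malformed JSON ...
        return Result(name, version, UNKNOWN,
                      detail=f"{type(exc).__name__}: {exc}. Do not trust this result.")
    vulns = data.get("vulns") or []
    if vulns:
        return Result(name, version, "vulnerable",
                      tuple(v.get("id", "?") for v in vulns), vulns[0].get("summary", ""))
    return Result(name, version, "ok")

def exit_code(results, strict=False):
    """Without --strict always 0; with --strict, 1 if anything is vulnerable or unchecked (assumption)."""
    return 1 if strict and any(r.status != "ok" for r in results) else 0

# Constructed offline stand-in for OSV so the demo runs without network access.
def fake_fetch(name, version):
    if name == "python-dotenv":  # the finding from the post; the id is a placeholder
        return {"vulns": [{"id": "EXAMPLE-0001", "summary":
                "Symlink following in set_key allows arbitrary file overwrite"}]}
    if name == "behind-firewall":
        raise TimeoutError("osv.dev timed out")
    return {"vulns": []}
```

Run it against fake_fetch to see all three statuses, or pass osv_fetch (the default) to query OSV for real pins.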
Why zero dependencies?
A scanner that introduces attack surface is a bad scanner. Every dependency you add is something that could have its own CVE tomorrow.
Also, I built this entirely from my laptop.
What's next
GitHub Actions support
Lock file support (poetry.lock, package-lock.json)
More ecosystems (Go, Rust)
If something's broken or missing, open an issue.
GitHub: https://github.com/hunzo1/depheal
Thanks for reading the full post.
Top comments (1)
Quick backstory since a few people asked — I built this entirely on my phone, Termux on Android. No laptop.

The CVE find in the post was real, not staged. Was testing the tool on my own project and it flagged python-dotenv straight away. Kind of a funny moment building a scanner and immediately getting scanned yourself.

Anyway, if anyone tries it and hits a bug, drop it here, I check this daily.