Skip to content
| Marketplace
Sign in
Visual Studio Code>Linters>Flaw Mining DisorderNew to Visual Studio Code? Get it now.
Flaw Mining Disorder

Flaw Mining Disorder

Fatih Mahmut Dundar

|
1 install
| (0) | Free
Real-time, shift-left dependency vulnerability scanning for package.json powered by OSV.dev.
Installation
Launch VS Code Quick Open (Ctrl+P), paste the following command, and press enter.
Copied to clipboard
More Info

Flaw Mining Disorder

Real-time, shift-left dependency vulnerability scanning for package.json files, powered by the OSV.dev open-source vulnerability database.

Features

  • Inline diagnostics — vulnerabilities appear as squiggly underlines directly on affected dependency version strings in package.json.
  • Hover details — hover over any flagged dependency to see CVE IDs, severity, and a summary of each known vulnerability.
  • Quick fixes — a lightbulb code action lets you jump to the OSV advisory page for each finding.
  • Debounced scanning — scans are automatically triggered as you type, with a configurable debounce interval to avoid unnecessary API calls.
  • LRU cache — results are cached in memory so repeated lookups for the same package/version are instant.

Requirements

  • VS Code 1.85 or later.
  • An internet connection to reach the OSV.dev API (https://api.osv.dev).

Extension Settings

Setting Default Description
fmd.debounceMs 750 Milliseconds to wait after the last edit before triggering a scan. Range: 100–10 000.
fmd.cacheSize 1000 Maximum number of package/version results to retain in the in-memory LRU cache. Range: 50–20 000.

Commands

Command Description
Flaw Mining Disorder: Rescan Active package.json Force an immediate rescan of the currently open package.json.
Flaw Mining Disorder: Show Logs Open the extension's output channel for diagnostic logging.

How It Works

  1. When you open or edit a package.json file, the extension parses it with a JSON AST parser to locate the exact character range of each dependency version string.
  2. Each name@version pair is queried against the OSV batch API.
  3. Any returned vulnerabilities are mapped back to their source position and published as VS Code diagnostics.
  4. Results are cached per name@version in an LRU cache so subsequent edits don't re-query clean packages.

Privacy

All queries are made directly from your machine to https://api.osv.dev. No data is sent anywhere else.

License

MIT

  • Contact us
  • Jobs
  • Privacy
  • Manage cookies
  • Terms of use
  • Trademarks
© 2026 Microsoft