Real-time, shift-left dependency vulnerability scanning for package.json files, powered by the OSV.dev open-source vulnerability database.
Features
Inline diagnostics — vulnerabilities appear as squiggly underlines directly on affected dependency version strings in package.json.
Hover details — hover over any flagged dependency to see CVE IDs, severity, and a summary of each known vulnerability.
Quick fixes — a lightbulb code action lets you jump to the OSV advisory page for each finding.
Debounced scanning — scans are automatically triggered as you type, with a configurable debounce interval to avoid unnecessary API calls.
LRU cache — results are cached in memory so repeated lookups for the same package/version are instant.
Requirements
VS Code 1.85 or later.
An internet connection to reach the OSV.dev API (https://api.osv.dev).
Extension Settings
Setting
Default
Description
fmd.debounceMs
750
Milliseconds to wait after the last edit before triggering a scan. Range: 100–10 000.
fmd.cacheSize
1000
Maximum number of package/version results to retain in the in-memory LRU cache. Range: 50–20 000.
Commands
Command
Description
Flaw Mining Disorder: Rescan Active package.json
Force an immediate rescan of the currently open package.json.
Flaw Mining Disorder: Show Logs
Open the extension's output channel for diagnostic logging.
How It Works
When you open or edit a package.json file, the extension parses it with a JSON AST parser to locate the exact character range of each dependency version string.
Each name@version pair is queried against the OSV batch API.
Any returned vulnerabilities are mapped back to their source position and published as VS Code diagnostics.
Results are cached per name@version in an LRU cache so subsequent edits don't re-query clean packages.
Privacy
All queries are made directly from your machine to https://api.osv.dev. No data is sent anywhere else.