LockGuard

sudheerbandaru

1 install | (0) | Free
LockGuard — detects vulnerable npm packages in real-time via OSV
Installation
Launch VS Code Quick Open (Ctrl+P), paste the following command, and press enter.

LockGuard

Real-time vulnerability scanner for npm packages — detects vulnerable dependencies the moment a developer introduces them, not after the build.

Queries the OSV (Open Source Vulnerabilities) database and surfaces findings as inline diagnostics directly inside VS Code.

Features

  • Scans package-lock.json on every save — no manual trigger needed
  • Shows CVSS score, severity, description, and fix version for each CVE
  • Severity tiering:
    • 🔴 CRITICAL / HIGH → red squiggle inline in package.json
    • 🟡 MEDIUM → status bar warning (never interrupts)
    • 🔵 LOW → dedicated panel in the Explorer sidebar
  • One-click quick fix — "Update [package] to [version]" bumps the version in package.json
  • Covers direct and transitive dependencies via lockfile-first scanning
  • Incremental: only re-queries OSV for new or changed packages
  • Disk cache with smart TTL — results survive VS Code restarts
  • Auto-retry when network is restored

Requirements

  • VS Code ^1.80.0
  • Node.js ^18
  • An npm project with a package-lock.json (run npm install first)

How It Works

package-lock.json saved
        ↓
   500ms debounce
        ↓
  Parse lockfile (v1/v2/v3)
        ↓
  Diff against cache
        ↓
  Query OSV /v1/querybatch  →  fetch full records /v1/vulns/{id}
        ↓
  Map results to Diagnostics
        ↓
  Publish to VS Code (squiggles / status bar / panel)
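
The parse, diff and query-building steps above, sketched as an added example; this is not LockGuard's own code, and `parseLock`, `toQueryBatch` and the sample lockfile are hypothetical and constructed. It goes slightly beyond the diagram by handling scoped names, nested installs and workspace links, and it builds the `/v1/querybatch` request body without sending it.

```typescript
// Added example, not LockGuard's source; all names here are hypothetical.
interface Pkg { name: string; version: string }

// Flatten a parsed package-lock.json (lockfileVersion 1, 2 or 3) into unique name@version pairs.
function parseLock(lock: any): Pkg[] {
  const seen = new Map<string, Pkg>();
  const add = (name: string, version: unknown) => {
    if (typeof version === "string") seen.set(`${name}@${version}`, { name, version });
  };
  if (lock.packages) {
    // v2/v3: keys are install paths. The root ("") and workspace folders have no
    // "node_modules/" segment; workspace symlinks are marked link: true.
    for (const [path, entry] of Object.entries<any>(lock.packages)) {
      const i = path.lastIndexOf("node_modules/");
      if (i < 0 || entry.link) continue;
      add(entry.name ?? path.slice(i + "node_modules/".length), entry.version);
    }
  } else {
    // v1: nested "dependencies" tree, walked recursively to reach transitive packages.
    const walk = (deps: Record<string, any> = {}) => {
      for (const [name, entry] of Object.entries(deps)) {
        add(name, entry.version);
        walk(entry.dependencies);
      }
    };
    walk(lock.dependencies);
  }
  return Array.from(seen.values());
}

// Incremental step: only packages absent from the cache go into the /v1/querybatch body.
function toQueryBatch(pkgs: Pkg[], cached: Set<string>) {
  const fresh = pkgs.filter(p => !cached.has(`${p.name}@${p.version}`));
  return { queries: fresh.map(p => ({ package: { name: p.name, ecosystem: "npm" }, version: p.version })) };
}

// Constructed sample lockfile (v3 shape): scoped, nested transitive and workspace-link entries.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo", version: "1.0.0" },
    "node_modules/express": { version: "4.17.1" },
    "node_modules/@types/node": { version: "18.0.0", dev: true },
    "node_modules/express/node_modules/qs": { version: "6.7.0" },
    "node_modules/local-lib": { resolved: "packages/local-lib", link: true },
  },
};
// JSON body for POST https://api.osv.dev/v1/querybatch; express is skipped as already cached.
const body = toQueryBatch(parseLock(sampleLock), new Set(["express@4.17.1"]));
```

The batch response carries only vulnerability ids per query, which is why the flow then fetches full records from `/v1/vulns/{id}`.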

Project Structure

├── types.ts        Core data model (Package, Vulnerability, ScanResult)
├── parser.ts       package-lock.json parser — handles v1, v2, v3 formats
├── osv.ts          OSV API client — batch query + CVSS scoring
├── scanner.ts      Wires parser + OSV, applies filters, sorts by severity
├── server.ts       LSP server wrapping the scanner engine
├── extension.ts    VS Code extension entry point
├── diagnostics.ts  Maps ScanResult → LSP Diagnostic
└── quickfix.ts     Maps fixedVersion → VS Code CodeAction

License

MIT
