Rosa Del Mar

Daily Brief

Issue 88 2026-03-29

Python Dependency Vulnerability Lookup Tool Pattern

Not accepted General
Sources: 1 • Confidence: Medium • Updated: 2026-04-12 10:21

Key takeaways

  • An HTML tool was built using Claude Code to look up Python dependency vulnerabilities via the OSV.dev API.
  • OSV.dev provides an open, CORS-enabled JSON API for its open source vulnerability database.
  • The tool accepts pasted pyproject.toml or requirements.txt content or a GitHub repo name containing those files and returns reported vulnerabilities from the OSV.dev API.

Sections

Python Dependency Vulnerability Lookup Tool Pattern

  • An HTML tool was built using Claude Code to look up Python dependency vulnerabilities via the OSV.dev API.
  • The tool accepts pasted pyproject.toml or requirements.txt content or a GitHub repo name containing those files and returns reported vulnerabilities from the OSV.dev API.

Open CORS Vulnerability API Enables Lightweight Integration

  • OSV.dev provides an open, CORS-enabled JSON API for its open source vulnerability database.

Unknowns

  • Where is the HTML tool hosted (URL) and what is its current availability/uptime?
  • Does the tool perform dependency resolution (including transitive dependencies) or only scan the direct dependencies listed in the pasted manifests?
  • What normalization and matching logic does the tool use to map dependency names/versions from pyproject.toml or requirements.txt to OSV identifiers?
  • What are the OSV.dev API operational constraints relevant to this use (rate limits, latency, availability guarantees, and error-handling expectations)?
  • What privacy/security considerations exist when sending dependency manifests or repo identifiers to OSV.dev from a browser-based tool?
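The manifest-in, OSV-query-out pattern described above, together with the name/version normalization question raised in the unknowns, as an added example that is not the brief's source tool: it parses pinned requirements.txt lines, normalizes names per PEP 503, builds the request body for OSV.dev's /v1/querybatch endpoint, and pairs the ordered results back with the queries. The sample manifest and the response are constructed placeholders, and the assumption that only '==' pins are queried is this example's, not the page's.

```javascript
// Added example (not the brief's tool): requirements.txt -> OSV.dev /v1/querybatch body.
// Assumptions: PEP 503 name normalization and that only '==' pins are queried.

// Constructed sample manifest and a constructed placeholder response, not real data.
const SAMPLE_REQUIREMENTS = [
  "# constructed sample, not a real project",
  "Django==4.2.1",
  "requests[security]==2.31.0  # pinned with an inline comment",
  "PyYAML==6.0.1; python_version < '3.12'",
  "numpy>=1.24",
  "-r other.txt",
].join("\n");
const SAMPLE_RESPONSE = { results: [{ vulns: [{ id: "EXAMPLE-0001" }] }, {}, { vulns: [] }] };

// PEP 503: lowercase, collapse runs of '-', '_' and '.' to a single '-'.
function normalizeName(name) {
  return name.replace(/[-_.]+/g, "-").toLowerCase();
}

// One line -> {name, version} or null. Strips comments and environment markers,
// tolerates extras ("pkg[extra]==1.0"), skips option lines ("-r ...") and anything
// not pinned with '==' (a range cannot be matched to a single OSV version query).
function parseRequirementLine(line) {
  const spec = line.split("#")[0].split(";")[0].trim();
  if (!spec || spec.startsWith("-")) return null;
  const m = spec.match(/^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s,]+)/);
  return m ? { name: normalizeName(m[1]), version: m[2] } : null;
}

// Whole manifest -> OSV querybatch request body (ecosystem "PyPI").
function buildQueryBatch(text) {
  const queries = [];
  for (const line of text.split(/\r?\n/)) {
    const dep = parseRequirementLine(line);
    if (dep) queries.push({ package: { name: dep.name, ecosystem: "PyPI" }, version: dep.version });
  }
  return { queries };
}

// querybatch answers in query order; an entry is {} or {vulns: [...]}. Pair them back up.
function summarizeResults(batch, response) {
  return batch.queries.map((q, i) => ({
    name: q.package.name, version: q.version,
    vulns: ((response.results[i] && response.results[i].vulns) || []).map(v => v.id),
  }));
}
```

In a browser the body from buildQueryBatch is POSTed as JSON with fetch to https://api.osv.dev/v1/querybatch (the API sends CORS headers, which is what lets a page with no backend call it) and the parsed JSON reply is handed to summarizeResults; unpinned or range specifiers are dropped rather than guessed, which is one reason a direct-dependency scan of a loose manifest can under-report.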

Investor overlay

Read-throughs

  • CORS-enabled OSV.dev JSON API supports browser-based vulnerability checks, lowering integration friction for security tooling that scans Python dependency manifests.
  • A simple HTML client that accepts pyproject.toml, requirements.txt, or a GitHub repo reference suggests demand for lightweight, no-backend dependency vulnerability lookups.
  • If the tool only scans direct dependencies, it signals a gap for solutions that resolve and scan transitive dependencies while maintaining a client-side experience.

What would confirm

  • Public URL and sustained uptime for the HTML tool, plus evidence of ongoing availability and usage, would support real adoption beyond a prototype.
  • Clear documentation that the tool resolves transitive dependencies or explicitly limits to direct dependencies, and how it maps names and versions to OSV queries.
  • Published details on OSV.dev API constraints for this workflow such as rate limits, latency, and error handling, enabling reliable client-side operation.

What would kill

  • Tool is not publicly hosted, frequently unavailable, or positioned as a demo only, reducing confidence in meaningful usage or ecosystem impact.
  • OSV.dev API limitations make client-side scanning impractical at scale, such as restrictive rate limits, high latency, or unstable availability for this use.
  • Unresolved privacy or security concerns with sending manifests or repo identifiers from a browser, leading to avoidance or removal of the client-side approach.

Sources

  1. 2026-03-29 simonwillison.net