Rosa Del Mar

Daily Brief

Issue 88 2026-03-29

Lightweight Python Dependency Vulnerability Lookup Tool Built With An Agentic Coding Workflow

Sources: 1 • Confidence: Medium • Updated: 2026-04-13 03:54

Key takeaways

  • An HTML tool was built using Claude Code to look up Python dependency vulnerabilities via the OSV.dev API.
  • OSV.dev provides an open, CORS-enabled JSON API for its open source vulnerability database.
  • The tool accepts pasted pyproject.toml or requirements.txt content, or a GitHub repository name containing those files, and returns a list of vulnerabilities reported by the OSV.dev API.

Sections

Lightweight Python Dependency Vulnerability Lookup Tool Built With An Agentic Coding Workflow

  • An HTML tool was built using Claude Code to look up Python dependency vulnerabilities via the OSV.dev API.
  • The tool accepts pasted pyproject.toml or requirements.txt content, or a GitHub repository name containing those files, and returns a list of vulnerabilities reported by the OSV.dev API.

Browser-Accessible Vulnerability Data Via OSV.dev

  • OSV.dev provides an open, CORS-enabled JSON API for its open source vulnerability database.
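To make the two sections above concrete, here is an added example of the core of such a tool (my code, not the tool from the post, and not Simon Willison's or OSV.dev's code): it parses a requirements.txt, builds a request for the OSV.dev batch query endpoint (POST https://api.osv.dev/v1/querybatch, ecosystem "PyPI"), and maps the response back onto the input rows. The endpoint, request and response shapes are the public OSV API; the requirements text and the response object are constructed sample data so the block runs offline, and the advisory id in it is a placeholder, not a real advisory. Only exact "==" pins are queried: a range such as `>=4.2,<5` has no single version to look up, so the row is reported as skipped rather than silently dropped.

```javascript
// Added example, not code from the post or from OSV.dev. Parse requirements.txt,
// build an OSV.dev /v1/querybatch body for exactly pinned PyPI packages, and map
// the batch response back onto the input rows. Sample input/response are constructed.

const OSV_QUERYBATCH_URL = "https://api.osv.dev/v1/querybatch";

// PEP 503 name normalisation: lowercase, runs of "-", "_" and "." become "-",
// so "Flask_Cors" and "flask-cors" query the same PyPI package.
function normalizeName(name) {
  return name.toLowerCase().replace(/[-_.]+/g, "-");
}

// Parse requirements.txt into rows. Only "==<exact>" pins become queryable;
// ranges, bare names, wildcards, direct references and option lines are kept
// with a `skipped` reason so a UI can show them instead of dropping them.
function parseRequirements(text) {
  const rows = [];
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.replace(/(^|\s)#.*$/, "").trim(); // strip comments
    if (!line) continue;
    const row = { raw: rawLine };
    if (line.startsWith("-")) {
      row.skipped = "option line (e.g. -r, -e, --index-url)";
    } else if (/:\/\//.test(line) || line.includes("@")) {
      row.skipped = "URL or direct reference";
    } else {
      // drop environment markers (after ';') and extras ([...]) before matching
      const spec = line.split(";")[0].replace(/\[[^\]]*\]/g, "").replace(/\s+/g, "");
      const m = /^([A-Za-z0-9][A-Za-z0-9._-]*)(.*)$/.exec(spec);
      if (!m) {
        row.skipped = "unparseable requirement";
      } else {
        row.name = normalizeName(m[1]);
        const pin = /^==([0-9][0-9A-Za-z.!+]*)$/.exec(m[2]); // "==1.26.*" does not match
        if (pin) row.version = pin[1];
        else row.skipped = m[2] ? `not an exact pin (${m[2]})` : "no version specified";
      }
    }
    rows.push(row);
  }
  return rows;
}

// Build the querybatch body from the pinned rows, keeping the pinned rows in
// query order so results can be mapped back by index.
function buildQueryBatch(rows) {
  const pinned = rows.filter((r) => r.version);
  const body = {
    queries: pinned.map((r) => ({
      package: { name: r.name, ecosystem: "PyPI" },
      version: r.version,
    })),
  };
  return { body, pinned };
}

// OSV answers querybatch with one `results` entry per query, in order; an entry
// without a `vulns` key means no known advisory for that exact version. querybatch
// returns only {id, modified} per vuln; summary, severity and fixed versions need a
// follow-up GET https://api.osv.dev/v1/vulns/{id}.
function mapBatchResponse(pinned, response) {
  if (!Array.isArray(response.results) || response.results.length !== pinned.length) {
    throw new Error("OSV response does not line up with the query batch");
  }
  return pinned.map((row, i) => ({
    name: row.name,
    version: row.version,
    vulnIds: (response.results[i].vulns || []).map((v) => v.id),
  }));
}

// Browser usage (network call, not exercised in the offline run below):
//   const { body, pinned } = buildQueryBatch(parseRequirements(text));
//   const resp = await fetch(OSV_QUERYBATCH_URL, { method: "POST",
//     headers: { "Content-Type": "application/json" }, body: JSON.stringify(body) });
//   const findings = mapBatchResponse(pinned, await resp.json());

// Constructed sample requirements.txt (not a real project).
const SAMPLE_REQUIREMENTS = `
# constructed sample, not a real project
requests[security]==2.31.0 ; python_version < "3.12"
Django>=4.2,<5
urllib3==1.26.*
Flask_Cors==4.0.0
Pillow
-r base.txt
git+https://github.com/example/pkg.git@main#egg=pkg
`;

const SAMPLE_ROWS = parseRequirements(SAMPLE_REQUIREMENTS);
const SAMPLE_BATCH = buildQueryBatch(SAMPLE_ROWS);
// Constructed response: placeholder advisory id for the first query, nothing for the second.
const SAMPLE_RESPONSE = {
  results: [
    { vulns: [{ id: "EXAMPLE-2024-0001", modified: "2024-01-01T00:00:00Z" }] },
    {},
  ],
};
const SAMPLE_FINDINGS = mapBatchResponse(SAMPLE_BATCH.pinned, SAMPLE_RESPONSE);
```

Two checks a practitioner would add before trusting the output: the number of `results` must equal the number of queries (the mapping is positional, so a mismatch would attribute advisories to the wrong package), and every skipped row should be surfaced, since a lockfile full of ranges or unpinned names produces an empty, not a clean, report. Transitive dependencies are not visible to this parser at all; a requirements.txt generated by `pip freeze` or a lockfile is needed for those.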

Unknowns

  • What are the OSV.dev API rate limits, availability guarantees, and any usage constraints that would affect sustained or automated use?
  • Does the tool resolve dependency versions accurately (including ranges) and how does it handle transitive dependencies versus only direct dependencies?
  • How does the tool authenticate to GitHub (if at all), and how does it behave under GitHub API limits or private repository access constraints?
  • What is the validation approach for the returned vulnerability list (for example, mapping correctness between packages/versions and OSV entries) and what are the expected false positive/negative modes?
  • What privacy and data-handling properties does the tool have when users paste dependency files, and is any data persisted or logged?

Investor overlay

Read-throughs

  • Low-friction, browser-based vulnerability lookups could increase practical use of the OSV.dev API for ad hoc dependency triage, implying potential growth in demand for open vulnerability data services.
  • Agentic coding workflows can rapidly produce functional security utilities, suggesting faster experimentation cycles for lightweight AppSec tooling built by small teams or individuals.

What would confirm

  • Published, stable OSV.dev API rate limits and availability guarantees that support sustained browser or automated usage.
  • Tool demonstrates accurate parsing of pyproject.toml and requirements.txt, including version ranges and clear handling of transitive dependencies.
  • Evidence of real user adoption such as repeated GitHub repo scans, saved workflows, or integration into developer routines.

What would kill

  • OSV.dev API usage constraints, rate limits, or reliability issues that prevent sustained use in browser-based tools.
  • High false positives or negatives due to incorrect version resolution or package mapping, reducing trust in results.
  • GitHub access limitations, such as strict API limits or the inability to read private repositories, that make repository-based scanning impractical.

Sources

  1. 2026-03-29 simonwillison.net