1 · Pick a sample lockfile
Each sample is a faithful subset of a real lockfile we ship as a test fixture.
Show lockfile (npm package-lock.json v3 subset)
2 · Scan output
This is exactly what pwned-deps check <lockfile> --offline would print, replayed character-by-character.
3 · Findings
Counters: scanned · malicious · high / critical · clean
Real data, simulated transport. All advisory IDs (EXTRA-2018-0001, EXTRA-2026-0001) and SHA-256s shown above are the actual entries shipped in extras.json.
To verify against the live OSV.dev database, run the real CLI: pipx install pwned-deps && pwned-deps check ./package-lock.json.