Upload your lock files and get instant, actionable alerts whenever a known vulnerability affects your dependencies — delivered straight to the tools your team already uses.
Features
A simple, focused tool that does one thing well — keeps you informed about vulnerabilities in your supply chain.
Upload Cargo.lock, package-lock.json, poetry.lock, and more. We parse and match every dependency against the OSV dataset.
Vulnerability data sourced directly from the OSV database — Google's open, high-quality, machine-readable advisory format covering all major ecosystems.
Route alerts to Slack, Discord, Telegram, or any webhook. Configure per-project channels so the right team hears the right alert.
Organize lock files into projects and teams. Set severity thresholds and mute noise — only get paged for what actually matters.
OSV data is synced continuously from Google Cloud Storage. The moment a new advisory lands, we re-scan your manifests automatically.
Sign in with GitHub or Google OAuth. No password to manage, no friction — get your first scan running in under a minute.
How it works
No agents, no CI plugins required. Just upload your lock file and tell us where to send alerts.
Sign in with GitHub or Google and create a project for your repository or team. Projects keep your lock files and notification settings organized.
Drop in Cargo.lock, package-lock.json, poetry.lock, or any other supported manifest. We extract every pinned dependency automatically.
Connect a Slack workspace, Discord server, Telegram bot, or any webhook URL. Choose severity thresholds — critical only, or everything.
We scan your dependencies against the latest OSV data on every upload and whenever new advisories are published. You get alerted instantly — no manual checks needed.
Notification channels
Connect OSV Notifier to the tools you already use. No context switching, no dashboards to check.
Free to get started. No credit card required. Upload your first lock file in under a minute.