deps·watch
Security engineer in a box — for teams that don't have one

It finds the vuln, writes the fix, and opens the PR.

Connect a GitHub repo. deps-watch continuously scans your dependencies for known CVEs, reproduces the issue, and ships a tested, ready-to-merge fix PR with a plain-English explanation. One click and you're patched.

Free, no signup, no credit card. Scans any public repo in ~10 seconds.

Powered by the data behind GitHub & Google: OSV.dev · GitHub Advisory DB · CVE / NVD · npm · PyPI

From CVE to merged in one click

Other scanners hand you a 200-line report and walk away. deps-watch does the actual work.

1. Scan

We read your manifests and lockfiles, resolve every dependency, and cross-check against OSV, GHSA and CVE databases — continuously, not once.

2. Fix & test

For each vulnerable package we compute the minimal safe version bump, generate the patch, and run your test suite to confirm nothing breaks.

3. Open the PR

A ready-to-merge PR lands in your repo with the diff, the advisory, and a plain-English note any developer can approve. No security expertise required.
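The three steps above, as an added example that is not deps-watch's own code: it reads a constructed package.json and lockfile, matches the installed versions against constructed advisories in an OSV-like shape (SEMVER introduced/fixed events), computes the smallest version above the current one that clears every matching advisory, rewrites both manifest and lockfile, and drafts the PR title and notes. Only the lodash CVE id and fixed version come from the page; the package set, the other advisory ids, the advisory schema and the `runTests` hook standing in for the repo's CI are assumptions.

```javascript
// Added example (not deps-watch's own code): offline sketch of scan -> fix -> PR.
// Constructed package.json and lockfileVersion-3 package-lock.json; installed
// versions are read from packages["node_modules/<name>"], not from the ranges.
const PACKAGE_JSON = {
  name: "demo-app",
  dependencies: { lodash: "^4.17.20", express: "^4.18.2", "left-pad": "^1.3.0" },
};
const PACKAGE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: PACKAGE_JSON.dependencies },
    "node_modules/lodash": { version: "4.17.20" },
    "node_modules/express": { version: "4.18.2" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

// Constructed advisories in an OSV-like shape. Only the lodash id and fixed
// version come from the page; EXAMPLE-ADV-* ids and their ranges are made up.
const ADVISORIES = [
  { id: "CVE-2021-23337", severity: "HIGH", affected: [{ package: { ecosystem: "npm", name: "lodash" },
      ranges: [{ type: "SEMVER", events: [{ introduced: "0" }, { fixed: "4.17.21" }] }] }] },
  { id: "EXAMPLE-ADV-0001", severity: "MEDIUM", affected: [{ package: { ecosystem: "npm", name: "express" },
      ranges: [{ type: "SEMVER", events: [{ introduced: "0" }, { fixed: "4.17.0" }] }] }] },
  // Open range with no fix published: exercises the "needs manual review" path.
  { id: "EXAMPLE-ADV-0002", severity: "LOW", affected: [{ package: { ecosystem: "npm", name: "left-pad" },
      ranges: [{ type: "SEMVER", events: [{ introduced: "0" }] }] }] },
];

// Minimal x.y.z comparison; pre-release suffixes are ignored (assumption).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}
function cmp(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Step 1: what is actually installed, per the lockfile (scoped names included).
function resolveInstalled(lock) {
  const out = {};
  for (const [key, entry] of Object.entries(lock.packages)) {
    const m = /^node_modules\/((?:@[^/]+\/)?[^/]+)$/.exec(key);
    if (m && entry.version) out[m[1]] = entry.version;
  }
  return out;
}

// Flatten one advisory's SEMVER events into [introduced, fixed) ranges for a package;
// fixed === null means the range is still open.
function affectedRanges(adv, name) {
  const ranges = [];
  for (const a of adv.affected) {
    if (a.package.ecosystem !== "npm" || a.package.name !== name) continue;
    for (const r of a.ranges) {
      if (r.type !== "SEMVER") continue;
      for (const e of r.events) {
        if (e.introduced !== undefined) ranges.push({ introduced: e.introduced === "0" ? "0.0.0" : e.introduced, fixed: null });
        else if (e.fixed !== undefined && ranges.length) ranges[ranges.length - 1].fixed = e.fixed;
      }
    }
  }
  return ranges;
}
function isAffected(version, ranges) {
  return ranges.some((r) => cmp(version, r.introduced) >= 0 && (r.fixed === null || cmp(version, r.fixed) < 0));
}

// Step 2: the smallest version above the current one that clears every matching advisory.
function minimalSafeBump(name, current, advisories) {
  const hits = advisories
    .map((adv) => ({ adv, ranges: affectedRanges(adv, name) }))
    .filter((h) => isAffected(current, h.ranges));
  if (hits.length === 0) return null;
  const candidates = hits.flatMap((h) => h.ranges.map((r) => r.fixed))
    .filter((v) => v !== null && cmp(v, current) > 0).sort(cmp);
  const target = candidates.find((v) => hits.every((h) => !isAffected(v, h.ranges))) || null;
  return { name, current, target, advisories: hits.map((h) => h.adv.id),
    sameMajor: target !== null && parseVersion(target)[0] === parseVersion(current)[0] };
}

// Step 3: rewrite manifest + lockfile, gate on the test suite, draft the PR text.
// runTests is a placeholder for the repo's CI run (assumption).
function buildFixPr(manifest, lock, advisories, runTests = () => true) {
  const installed = resolveInstalled(lock);
  const findings = Object.entries(installed)
    .map(([name, version]) => minimalSafeBump(name, version, advisories))
    .filter((f) => f !== null);
  const newManifest = JSON.parse(JSON.stringify(manifest));
  const newLock = JSON.parse(JSON.stringify(lock));
  const notes = [];
  for (const f of findings) {
    if (f.target === null) { notes.push(`${f.name}: no fixed version for ${f.advisories.join(", ")}; needs manual review`); continue; }
    if (newManifest.dependencies && newManifest.dependencies[f.name]) newManifest.dependencies[f.name] = `^${f.target}`;
    // The lockfile must move too, or `npm ci` keeps installing the old version.
    newLock.packages[`node_modules/${f.name}`].version = f.target;
    notes.push(`${f.name} ${f.current} -> ${f.target} (${f.advisories.join(", ")}): ${f.sameMajor ? "same major, drop-in upgrade" : "major bump, review breaking changes"}`);
  }
  const fixable = findings.filter((f) => f.target !== null);
  const testsPassed = fixable.length > 0 ? Boolean(runTests(newManifest, newLock)) : null;
  const title = fixable.length
    ? `fix(deps): bump ${fixable.map((f) => `${f.name} to ${f.target} (${f.advisories.join(", ")})`).join("; ")}`
    : null;
  return { findings, newManifest, newLock, notes, title, testsPassed };
}

const PR = buildFixPr(PACKAGE_JSON, PACKAGE_LOCK, ADVISORIES);
console.log(PR.title);
for (const n of PR.notes) console.log(" -", n);
```

Versions are taken from the lockfile rather than the manifest range because `^4.17.20` already admits 4.17.21; changing the range alone does nothing until the lockfile is regenerated, which is why the example rewrites both. An advisory with an open range produces a finding with no target and a manual-review note instead of a PR.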

A scanner tells you that you're bleeding. deps-watch stops the bleeding.

Built for Indian dev agencies and SaaS founders who can't afford a ₹25L/yr security engineer — and shouldn't have to.

  • Ready-to-merge fix PRs, not just alerts
  • Tested patches — your CI confirms nothing breaks
  • Plain-English explanation for non-security devs
  • Continuous monitoring: daily on paid, weekly on free
  • Slack alerts the second a new CVE hits your stack

fix(deps): bump lodash to 4.17.21 (CVE-2021-23337)
--- a/package.json
+++ b/package.json
   "dependencies": {
-    "lodash": "^4.17.20",
+    "lodash": "^4.17.21",
     "express": "^4.18.2"
   }
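Review bot: the hunk changes only package.json, and because the old range `^4.17.20` already admits 4.17.21, this edit by itself does not change what `npm ci` installs while package-lock.json (or yarn.lock) still resolves lodash to 4.17.20; the fix PR should include the regenerated lockfile so the version that CI tested is the one that ships. The snippet also has no `@@` hunk header, so as shown it is an illustration rather than an applicable patch.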
Why this is safe: lodash 4.17.20 is affected by CVE-2021-23337 (HIGH, command injection). This stays within the same major version and is a drop-in, non-breaking upgrade. Tests passed. ✅

Pricing that fits a bootstrapped team

Start free forever. Upgrade when your private repos need daily cover.

Free

₹0/mo

forever

  • 1 public repo
  • Weekly scan

Most popular

Pro

₹999/mo

≈ $12/mo

  • 5 private repos
  • Daily scans + auto-fix PRs
  • Email + dashboard reports

Team

₹2,499/mo

≈ $30/mo

  • Unlimited repos
  • Daily scans + auto-fix PRs + Slack alerts
  • Email + dashboard reports
  • Slack alerts

Ship the fix before the exploit ships.

Drop your email and we'll scan your first repo and send the fix PRs straight to your inbox.

Prefer to look first? Scan a public repo now →