Paste your manifest. Get back the fixed files.
Free, browser-based dependency security fixer. No login. No GitHub connection. No CLI. Everything runs in your browser.
Paste your manifest file. PackageFix:
- Scans every dependency against the live OSV vulnerability database
- Flags packages on the CISA Known Exploited Vulnerabilities (KEV) catalog
- Shows a side-by-side diff of exactly what changes
- Generates a fixed manifest + changelog .zip to download in one click
- Detects suspicious package updates that may indicate a compromised maintainer account

| Ecosystem | File |
|---|---|
| Node.js | package.json |
| Python | requirements.txt |
| Ruby | Gemfile |
| PHP | composer.json |
- Drop your manifest file (and optionally a lockfile)
- PackageFix queries the OSV database and CISA KEV catalog live
- Download a fixed manifest, changelog, and Renovate config in one click
No data is stored. Only package names and version ranges are sent to public APIs — the same requests any package manager makes. Your code never leaves your browser.
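
The data-flow claim above can be checked mechanically. The following is an added example, not PackageFix's own code: it builds (without sending) a request body for the public OSV batch query API from a constructed `package.json` and verifies that only package names, ecosystem and versions are in it. The function names, the sample manifest and the rule of reducing `^`/`~` ranges to their base version are assumptions made for illustration.

```javascript
// Added example: builds (does not send) an OSV querybatch body from a package.json.
// Body shape follows the public OSV API: POST /v1/querybatch with {"queries": [...]}.
const OSV_BATCH_URL = "https://api.osv.dev/v1/querybatch";

// Constructed sample manifest, including fields that must never leave the browser.
const SAMPLE_MANIFEST = JSON.stringify({
  name: "internal-billing-service",
  private: true,
  scripts: { deploy: "scp -r dist deploy@10.0.0.5:/srv/app" },
  dependencies: { lodash: "^4.17.20", express: "4.17.1", "left-pad": "*" },
  devDependencies: { jest: "~29.7.0", tooling: "git+ssh://git@example.internal/tooling.git" },
});

// Assumption: an exact, ^ or ~ spec is reduced to its base version, because an OSV
// query takes one concrete version. Anything else is reported as unresolved.
function baseVersion(spec) {
  const m = /^[\^~]?(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)$/.exec(spec.trim());
  return m ? m[1] : null;
}

function buildOsvBatch(manifestText) {
  const manifest = JSON.parse(manifestText);
  const queries = [];
  const unresolved = [];
  for (const section of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      const version = baseVersion(String(spec));
      if (version === null) {
        unresolved.push(name); // needs a lockfile to learn the installed version
      } else {
        queries.push({ package: { name, ecosystem: "npm" }, version });
      }
    }
  }
  return { body: { queries }, unresolved };
}

// Outbound-data check: the serialized body may contain only the allowed keys.
function leakedKeys(body) {
  const allowed = new Set(["queries", "package", "name", "ecosystem", "version"]);
  const seen = new Set();
  JSON.stringify(body, (k, v) => { if (k !== "" && !/^\d+$/.test(k)) seen.add(k); return v; });
  return [...seen].filter((k) => !allowed.has(k));
}

const { body, unresolved } = buildOsvBatch(SAMPLE_MANIFEST);
console.log(OSV_BATCH_URL, JSON.stringify(body), "unresolved:", unresolved, "leaked:", leakedKeys(body));
```

The same comparison can be made against a running tool by inspecting the request payloads in the browser's network panel.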
Most dependency tools require a GitHub connection, a CLI install, or an account. PackageFix runs entirely in your browser — nothing is installed, nothing is connected, nothing is written to your system. This makes it usable in environments where third-party integrations or autonomous agents are restricted by security policy.

| Tool | Domain | What it fixes |
|---|---|---|
| ConfigClarity | configclarity.dev | Server & DevOps |
| DomainPreflight | domainpreflight.dev | DNS & Email |
| PackageFix | packagefix.dev | Dependencies |
Looking for a Snyk Advisor, david-dm, Greenkeeper, Gemnasium, requires.io, or bundle-audit replacement? See packagefix.dev/alternatives
MIT — use it, fork it, build on it.