


* Query OSV batch API to find which packages have vulnerabilities. * Returns indices of packages that have vulnerabilities (for follow-up detailed queries). * @see https://google.github.io/osv.dev/post-v1-querybatch/



 * @param packages - npm packages (name + exact version) to look up; the whole
 *   array is sent as a single querybatch request
 * @returns `vulnerableIndices` — indices into `packages` with at least one OSV
 *   advisory; `failed` — true when the lookup could not be completed, in which
 *   case `vulnerableIndices` is empty and must NOT be read as "no vulnerabilities"
 * @see https://google.github.io/osv.dev/post-v1-querybatch/
 */
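async function queryOsvBatch(
  packages: PackageQueryInfo[],
): Promise<{ vulnerableIndices: number[]; failed: boolean }> {
  // Nothing to ask OSV about: an empty batch is a successful, empty answer.
  if (packages.length === 0) return { vulnerableIndices: [], failed: false }

  try {
    // NOTE(review): querybatch has a per-request query cap (see the linked
    // docs); this sends `packages` as one request and relies on the caller
    // to chunk — confirm against the caller.
    const response = await $fetch<OsvBatchResponse>('https://api.osv.dev/v1/querybatch', {
      method: 'POST',
      body: {
        // Each lookup is pinned to the npm ecosystem and an exact version so
        // the answer only reflects advisories affecting that release.
        queries: packages.map(pkg => ({
          package: { name: pkg.name, ecosystem: 'npm' },
          version: pkg.version,
        })),
      },
    })

    // OSV answers with exactly one result per query, in query order; the
    // result index is the only link back to `packages`. A missing or shorter
    // `results` array cannot be mapped safely, and reporting it as "no
    // vulnerabilities" would fail open, so treat it as a failed lookup.
    const results = response?.results
    if (!Array.isArray(results) || results.length !== packages.length) {
      const received = Array.isArray(results) ? String(results.length) : 'no'
      // oxlint-disable-next-line no-console -- log malformed OSV responses for debugging
      console.warn(
        `[dep-analysis] OSV batch response has ${received} results for ` +
          `${packages.length} queries - treating lookup as failed`,
      )
      return { vulnerableIndices: [], failed: true }
    }

    const vulnerableIndices: number[] = []
    for (let i = 0; i < results.length; i++) {
      const result = results[i]
      const hasVulns = (result?.vulns?.length ?? 0) > 0
      // A page token means OSV has more advisories for this query than fit in
      // the page (per the docs: >1000 for one query or >3000 across the batch).
      // The package is therefore vulnerable even if this page happens to be
      // empty; only the full list is incomplete, which matters for the
      // follow-up detailed query rather than for this index scan.
      const truncated = Boolean(result?.next_page_token)
      if (hasVulns || truncated) {
        vulnerableIndices.push(i)
      }
      if (truncated) {
        // oxlint-disable-next-line no-console -- warn about paginated results
        console.warn(
          `[dep-analysis] OSV batch result has pagination token for package index ${i} ` +
            `(${packages[i]?.name}@${packages[i]?.version}) - some vulnerabilities may be missing`,
        )
      }
    }

    return { vulnerableIndices, failed: false }
  } catch (error) {
    // Network/HTTP errors are reported rather than thrown so the caller decides
    // how to degrade. `failed: true` must not be read as "no vulnerabilities".
    // oxlint-disable-next-line no-console -- log OSV API failures for debugging
    console.warn(`[dep-analysis] OSV batch query failed:`, error)
    return { vulnerableIndices: [], failed: true }
  }
}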
75
76/**
77 * Query OSV for full vulnerability details for a single package.
