A CVE severity renders only when OSV/GHSA actually returned it. A version renders only when a lockfile actually pinned it. Everything else is blank — never a placeholder, never a guess. The same discipline a procurement team demands of a hardware BOM, ported to software.
Every one of the 5,041 rows was parsed deterministically from a manifest or lockfile. Zero rows are model-sourced. 2 drifts are high-severity.
| Package | Eco | Majors | Severity | Where |
|---|---|---|---|---|
| dotenv | npm | 10 / 16 / 17 | high | eval/package.json ^16.3.0, package.json ^17.3.1, pipeline/package.json ^16.3.1, streetmerchant/package.json ^10.0.0 |
| puppeteer | npm | 21 / 24 / 9 | high | urlFetcher/package.json ^21.6.1, crawler-service/package.json ^21.6.1, package.json ^24.40.0, pipeline/package.json ^21.7.0, streetmerchant/package.json ^9.1.1 |
| @types/jest | npm | 29 / 30 | medium | crawler-service/package.json ^30.0.0, pipeline/package.json ^29.5.11 |
| @types/node | npm | 16 / 20 | medium | urlFetcher/package.json ^20.10.4, crawler-service/package.json ^20.10.4, eval/package.json ^20.0.0, functions/package.json ^20.0.0, package.json 20.19.37 |
| @types/nodemailer | npm | 6 / 8 | medium | package.json ^8.0.0, streetmerchant/package.json ^6.4.4 |
| @types/react | npm | 18 / 19 | medium | walter-ui/package.json ^19, package.json ^18.3.28 |
| @types/react-dom | npm | 18 / 19 | medium | walter-ui/package.json ^19, package.json ^18 |
| @types/uuid | npm | 10 / 9 | medium | package.json ^10.0.0, pipeline/package.json ^9.0.7 |
| @vitejs/plugin-react | npm | 4 / 6 | medium | walter-ui/package.json ^4, package.json ^6.0.2 |
| firebase-admin | npm | 12 / 13 | medium | functions/package.json ^13.10.0, package.json ^13.10, pipeline/package.json ^12.0.0 |
| groq-sdk | npm | 0 / 1 | medium | eval/package.json ^0.5.0, package.json ^1.1.2 |
| node | docker | 16 / 18 | medium | crawler-service/Dockerfile 18-slim, streetmerchant/Dockerfile 16.18.0-alpine3.16 |
| nodemailer | npm | 6 / 8 | medium | package.json ^8.0.7, streetmerchant/package.json ^6.6.3 |
| openai | npm | 4 / 6 | medium | eval/package.json ^4.0.0, package.json ^6.33.0, pipeline/package.json ^4.28.0 |
| react | npm | 18 / 19 | medium | walter-ui/package.json ^19, package.json ^18.3.1 |
| react-dom | npm | 18 / 19 | medium | walter-ui/package.json ^19, package.json ^18.3.1 |
| typescript | npm | 4 / 5 | medium | walter-ui/package.json ^5, crawler-service/package.json ^5.3.3, eval/package.json ^5.3.0, functions/package.json ^5.0.0, package.json 5.9.3 |
| uuid | npm | 13 / 9 | medium | package.json ^13.0.0, pipeline/package.json ^9.0.0 |
| vite | npm | 6 / 8 | medium | walter-ui/package.json ^6, package.json ^8 |
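The drift rows above can be reproduced from the manifests alone. The following is an added example, not bomforge's own code: it reads the `dependencies` and `devDependencies` of a few constructed package.json objects (chosen to mirror the dotenv, puppeteer, uuid and typescript rows), takes the major from each declared range, and reports only packages whose declarations disagree. The severity rule is an assumption that matches the table (three or more distinct majors is high, two is medium), and ranges that cannot be read deterministically (`*`, `>=`, git URLs, `workspace:` links) are listed as unparsed rather than guessed. `majorOf`, `findDrift` and `toMarkdownRow` are names chosen here.

```javascript
// Added example, not bomforge's own code: major-version drift across the
// package.json manifests of one repository. Manifests are constructed inline.
const SAMPLE_MANIFESTS = {
  "package.json": {
    dependencies: { dotenv: "^17.3.1", puppeteer: "^24.40.0", uuid: "^13.0.0" },
    devDependencies: { typescript: "5.9.3" },
  },
  "pipeline/package.json": {
    dependencies: { dotenv: "^16.3.1", puppeteer: "^21.7.0", uuid: "^9.0.0" },
  },
  "streetmerchant/package.json": {
    dependencies: { dotenv: "^10.0.0", puppeteer: "^9.1.1" },
  },
  "crawler-service/package.json": {
    dependencies: { puppeteer: "^21.6.1", "node-fetch": "workspace:*" },
    devDependencies: { typescript: "^5.3.3" },
  },
};

// Major version of a declared range. Only deterministic forms are read
// (exact, ^, ~, "19", "16.x"); anything else ("*", ">=1.0.0", git URLs,
// workspace: links) returns null so the entry is reported, not guessed.
function majorOf(range) {
  const m = /^[\^~]?v?(\d+)(?:\.(?:\d+|x|\*)){0,2}(?:[-+][\w.-]+)?$/.exec(String(range).trim());
  return m ? Number(m[1]) : null;
}

// Assumed severity rule; it matches the table: 3+ distinct majors high, 2 medium.
function severityFor(majors) {
  return majors.length >= 3 ? "high" : majors.length === 2 ? "medium" : null;
}

// Group every declaration by package name, then keep the packages whose
// declarations disagree on the major. Returns the drift rows and the
// declarations that could not be parsed.
function findDrift(manifests) {
  const byName = new Map();
  const unparsed = [];
  for (const [path, manifest] of Object.entries(manifests)) {
    for (const field of ["dependencies", "devDependencies"]) {
      for (const [name, range] of Object.entries(manifest[field] || {})) {
        const major = majorOf(range);
        if (major === null) { unparsed.push({ path, name, range }); continue; }
        if (!byName.has(name)) byName.set(name, []);
        byName.get(name).push({ path, range, major });
      }
    }
  }
  const rows = [];
  for (const [name, decls] of byName) {
    const majors = [...new Set(decls.map((d) => d.major))].sort((a, b) => a - b);
    const severity = severityFor(majors);
    if (!severity) continue;
    rows.push({ name, majors, severity, where: decls.map((d) => `${d.path} ${d.range}`) });
  }
  // "high" sorts before "medium"; ties by package name.
  rows.sort((a, b) => a.severity.localeCompare(b.severity) || a.name.localeCompare(b.name));
  return { rows, unparsed };
}

// One row in the layout of the drift table above (majors in numeric order).
function toMarkdownRow(row) {
  return `| ${row.name} | npm | ${row.majors.join(" / ")} | ${row.severity} | ${row.where.join(", ")} |`;
}

const report = findDrift(SAMPLE_MANIFESTS);
for (const row of report.rows) console.log(toMarkdownRow(row));
for (const u of report.unparsed) console.log(`unparsed: ${u.path} ${u.name} ${u.range}`);
```

Run with `node drift.js`; typescript is declared twice but both declarations are major 5, so it produces no row, while the `workspace:*` link is surfaced as unparsed instead of being silently dropped or assigned a major.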
| Runtime | Version | Image | Project | Status |
|---|---|---|---|---|
| node | 16.18 | node:16.18.0-alpine3.16 | tomciszek/tools/streetmerchant | EOL |
| bun | 1 | oven/bun:1-alpine | bomforge/main | supported |
| node | 18 | node:18-slim | bomforge/crawler-service | supported |
| python | 3.11 | python:3.11-slim | bomforge/stripe-api | supported |
| python | 3.12 | python:3.12-slim | tomciszek/data/catholicos | supported |
bomforge-app/crawler-service/functions/urlFetcher — declares deps, no lockfile
bomforge-app/eval — declares deps, no lockfile

A rendered value comes from one of: osv, ghsa, nvd, a package registry, the SPDX license list, a resolved lockfile, an image digest.

A model's opinion about a severity, a license, or a "latest version" is never verified and never renders a badge. A floating ^4.28.0 with no lockfile is not a version — it stays blank. Real or blank. Never a placeholder.
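The "real or blank" rule for versions, as an added example that is not bomforge's own code. Given a manifest declaration and, optionally, an npm package-lock.json, `renderVersion` returns the pinned version only when a lockfile pins it; a missing lockfile, a package absent from the lockfile, a range it cannot read deterministically, or a pin that falls outside the declared range all render blank with a reason. The manifest and both lockfiles are constructed here (lockfileVersion 3 and 1 layouts; the integrity strings are placeholders), only a hoisted top-level `node_modules/<name>` entry is consulted, and the range check handles exact, `^`, `~` and bare-major forms, treating prerelease tags as equal to the release. `parseVer`, `satisfies`, `pinnedVersion` and `renderVersion` are names chosen for this example.

```javascript
// Added example, not bomforge's own code: a version renders only when a
// lockfile pins it. Manifest and lockfiles are constructed for the example;
// "sha512-PLACEHOLDER" is not a real integrity value.
const MANIFEST = {
  path: "pipeline/package.json",
  dependencies: { openai: "^4.28.0", uuid: "^9.0.0", "@types/node": "^20.10.4" },
};

// npm package-lock.json v2/v3 layout: "packages" keyed by node_modules path.
const LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: MANIFEST.dependencies },
    "node_modules/uuid": { version: "9.0.1", resolved: "https://registry.npmjs.org/uuid/-/uuid-9.0.1.tgz", integrity: "sha512-PLACEHOLDER" },
    // Stale pin: outside the declared ^20.10.4, so it must not render.
    "node_modules/@types/node": { version: "22.1.0", resolved: "https://registry.npmjs.org/@types/node/-/node-22.1.0.tgz", integrity: "sha512-PLACEHOLDER" },
  },
};
// lockfileVersion 1 layout: "dependencies" keyed by package name.
const LOCK_V1 = { lockfileVersion: 1, dependencies: { openai: { version: "4.28.4" } } };

// [major, minor, patch] or null. Missing or x parts become 0; a prerelease
// tag is accepted but not ordered (simplification).
function parseVer(v) {
  const m = /^v?(\d+)(?:\.(\d+|x|\*))?(?:\.(\d+|x|\*))?(?:[-+][\w.-]+)?$/.exec(String(v).trim());
  if (!m) return null;
  return [1, 2, 3].map((i) => (m[i] === undefined || m[i] === "x" || m[i] === "*" ? 0 : Number(m[i])));
}
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// true/false for ranges read deterministically (exact, ^, ~, "19", "19.x");
// null for anything else so the caller renders blank instead of assuming.
function satisfies(range, version) {
  const r = String(range).trim();
  const op = r[0] === "^" || r[0] === "~" ? r[0] : "";
  const body = r.slice(op.length);
  const base = parseVer(body), v = parseVer(version);
  if (!base || !v) return null;
  const isExact = op === "" && /^v?\d+\.\d+\.\d+/.test(body);
  const isBareMajor = op === "" && /^v?\d+(?:\.(?:x|\*))*$/.test(body);
  if (op === "" && !isExact && !isBareMajor) return null;
  if (isExact) return cmp(v, base) === 0;
  if (cmp(v, base) < 0) return false;
  if (op === "~") return v[0] === base[0] && v[1] === base[1];
  // caret (or bare major): the leftmost non-zero component is fixed
  if (base[0] !== 0) return v[0] === base[0];
  if (base[1] !== 0) return v[0] === 0 && v[1] === base[1];
  return cmp(v, base) === 0;
}

// Version pinned for a top-level install of `name`, or null. Handles the
// v2/v3 "packages" map and the v1 "dependencies" map; no other lockfile kinds.
function pinnedVersion(lock, name) {
  if (!lock) return null;
  const entry = lock.packages ? lock.packages[`node_modules/${name}`]
              : lock.dependencies ? lock.dependencies[name] : undefined;
  return entry && typeof entry.version === "string" ? entry.version : null;
}

// What the Version column shows for one dependency: the pin, or "" with a reason.
function renderVersion(manifest, lock, name) {
  const range = (manifest.dependencies || {})[name];
  if (range === undefined) return { version: "", reason: "not declared" };
  const pin = pinnedVersion(lock, name);
  if (pin === null) return { version: "", reason: lock ? "not in lockfile" : "no lockfile" };
  const ok = satisfies(range, pin);
  if (ok === null) return { version: "", reason: `unsupported range ${range}` };
  if (!ok) return { version: "", reason: `lockfile pins ${pin}, outside ${range}` };
  return { version: pin, reason: "pinned by lockfile" };
}

console.log(renderVersion(MANIFEST, null, "openai"));          // blank: no lockfile
console.log(renderVersion(MANIFEST, LOCK_V3, "uuid"));         // 9.0.1
console.log(renderVersion(MANIFEST, LOCK_V3, "@types/node"));  // blank: pin outside range
console.log(renderVersion(MANIFEST, LOCK_V1, "openai"));       // 4.28.4
```

The out-of-range branch is the caveat worth keeping: a lockfile that was not regenerated after a manifest bump still parses deterministically, but rendering its pin as the installed version would be a guess about which file the build actually honoured.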