An honest software bill of materials.

A CVE severity renders only when OSV.dev actually returned it. A version renders only when a lockfile actually pinned it. Everything else is blank: never a placeholder, never a guess. The same discipline a procurement team demands of a hardware BOM, ported to software.

Live demo

Scanned against a real public estate: axios

1,359 components resolved
13 manifests parsed
9 real OSV advisories
0 guessed values

Every one of the 1,359 rows was parsed deterministically from a manifest or lockfile in the public axios/axios repo. Zero rows are model-sourced. The 9 advisories below were returned live by OSV.dev for the resolved versions: real GHSA IDs you can verify, not our opinion.

Vulnerabilities

Real advisories from OSV.dev — or blank, never guessed
Package               Resolved version   Advisories (GHSA)
vite                  5.4.21             GHSA-4w7w-66w2-5vf9, GHSA-fx2h-pf6j-xcff, GHSA-v6wh-96g9-6wx3
minimatch             4.2.1              GHSA-23c5-xmqv-rm74, GHSA-3ppc-4f35-3m26, GHSA-7r86-cg39-jmmj
serialize-javascript  6.0.0              GHSA-5c6j-r48x-rmvq, GHSA-76p7-773f-r4q5, GHSA-qj8w-gfj5-8c6v
js-yaml               4.1.0              GHSA-h67p-54hq-rp68, GHSA-mh29-5h37-fv8m
vite                  8.0.9              GHSA-fx2h-pf6j-xcff, GHSA-v6wh-96g9-6wx3
brace-expansion       1.1.12             GHSA-f886-m6hf-6m8v
diff                  5.0.0              GHSA-73rr-hh4g-fpgx
nanoid                3.3.1              GHSA-mwcw-c2x4-8c55
ws                    8.20.1             GHSA-96hv-2xvq-fx4p

The other 678 resolved package@versions queried returned no advisory from OSV.dev. They render nothing here. That restraint is the product.

Drift

Same package, divergent declared majors

Drift is reported as a fact — how many majors the declarations span — not a security severity. A version gap is a reproducibility risk, not a CVE.

Package      Eco  Declared majors  Gap             Where
@types/node  npm  12 / 20          8 majors apart  cjs 12.20.55, esm 20.19.39
typescript   npm  4 / 5            1 major apart   package.json ^5.9.3, cjs 4.9.5, esm 5.9.3

Lockfile gaps

Declared dependencies with no lockfile (unreproducible builds)

The gate

Why you can trust every value

A fact is verified only when its source is authoritative: a resolved lockfile, a package manifest, a Dockerfile digest, the SPDX license list, or a live osv.dev / ghsa advisory. A security severity renders only when OSV actually returned an advisory for a resolved package@version, and is blank otherwise. A model's opinion about a severity, a license, or a "latest version" is never verified and never renders. A floating ^4.28.0 with no lockfile is not a version; it stays blank. Real or blank. Never a placeholder.