Upload your lockfile and find out in 30 seconds. Free. No login required.
We support package-lock.json (npm) and yarn.lock. We'll analyze your entire dependency tree for known security vulnerabilities. Your file is processed securely and never stored.
Your lockfile is parsed in your browser. Only package names and versions are sent securely to check against public vulnerability databases. We never store your file.
This scan checks against public vulnerability databases and may not catch every issue. A full npm audit may reveal additional vulnerabilities.
Walk through your results with a senior React Native engineer. We'll tell you exactly what needs fixing and what can wait.
Not ready for a call? Get the free React Native security checklist — 7 areas to audit and harden, with a PDF you can share with your team.
We parse your entire package-lock.json or yarn.lock — not just direct dependencies. Transitive vulnerabilities (pulled in by packages you depend on) are the ones most teams miss.
We check every package version against the Open Source Vulnerability database and GitHub Advisory Database — the same sources that power npm audit.
We flag which vulnerabilities are in RN-specific packages, because those upgrades require iOS/Android compatibility testing that a standard npm audit fix won't handle.
You see which vulnerabilities are in packages you installed versus those pulled in by other packages. That distinction determines whether you can fix it yourself or need a coordinated upgrade.
Senior Engineers working with React Native since 2016. North America-based. No outsourcing.
See exactly which packages have known vulnerabilities and their severity levels.
Walk through your results with a React Native engineer. 30 minutes, no pitch.
We handle the upgrades while your team stays focused on building features.
No. Your lockfile is parsed entirely in your browser. Only the package names and exact version numbers are sent to our Cloudflare Worker for vulnerability lookup. The file itself never leaves your machine.
npm audit requires a local project and Node installed. This scanner works from just the lockfile — useful for sharing results with a manager or security team who doesn't have the codebase set up. The vulnerability database is the same source (OSV/GitHub Advisory).
npm audit counts vulnerabilities per install path, which can multiply counts for the same package installed in multiple places. We show a package-based view in "Affected Packages" so you know which unique packages to address.
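The parsing and lookup flow described above (whole-tree parsing, direct versus transitive, one query per unique name@version rather than per install path), as an added example that is not the scanner's own code. It reads a package-lock.json v2/v3 `packages` map; the lockfile below is constructed for illustration, and the OSV batch endpoint named in the comment is the real public one.

```javascript
// Constructed sample lockfile (v3 format: keys of "packages" are install paths).
const SAMPLE_LOCKFILE = {
  name: "rn-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "react-native": "0.73.0", "left-pad": "1.3.0" },
          devDependencies: { jest: "29.7.0" } },
    "node_modules/react-native": { version: "0.73.0" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/jest": { version: "29.7.0" },
    "node_modules/@babel/core": { version: "7.23.0" },
    // Same package@version at two install paths: npm audit counts it twice.
    "node_modules/minimist": { version: "1.2.5" },
    "node_modules/jest/node_modules/minimist": { version: "1.2.5" },
  },
};

// Package name is everything after the last "node_modules/", so scoped
// packages (@scope/name) and nested installs both resolve correctly.
function nameFromPath(installPath) {
  const i = installPath.lastIndexOf("node_modules/");
  return installPath.slice(i + "node_modules/".length);
}

// One entry per unique name@version, with every install path it appears at
// and whether the root package lists it directly (otherwise it is transitive).
function parsePackageLock(lock) {
  const root = lock.packages[""] || {};
  const direct = new Set([
    ...Object.keys(root.dependencies || {}),
    ...Object.keys(root.devDependencies || {}),
  ]);
  const byKey = new Map();
  for (const [installPath, meta] of Object.entries(lock.packages)) {
    if (installPath === "" || !meta.version) continue;
    const name = nameFromPath(installPath);
    const key = `${name}@${meta.version}`;
    if (!byKey.has(key)) {
      byKey.set(key, { name, version: meta.version, direct: direct.has(name), paths: [] });
    }
    byKey.get(key).paths.push(installPath);
  }
  return [...byKey.values()];
}

// Only name and version leave the browser: this is the request body for
// POST https://api.osv.dev/v1/querybatch (OSV's public batch lookup endpoint).
function buildOsvQueries(entries) {
  return { queries: entries.map((e) => ({ package: { name: e.name, ecosystem: "npm" }, version: e.version })) };
}
```

Running `parsePackageLock(SAMPLE_LOCKFILE)` yields five unique packages (not six), with `minimist` carrying both install paths and marked transitive.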
We support package-lock.json (npm, lockfile v1/v2/v3) and yarn.lock (Yarn classic). For pnpm or Bun projects, run npm install once to generate a package-lock.json.
Likely yes. The OSV database is comprehensive. If you got 0 here, you're in good shape. Run npm audit locally to double-check, then consider a full security audit as part of your next sprint.
Yes to both. Upload your yarn.lock directly. For Expo managed workflow projects, the generated package-lock.json works fine. The scanner recognizes Expo and Expo-adjacent packages and flags them in the results.
Book a free 30-minute call with a senior React Native engineer. We'll walk through your results and tell you exactly what it takes to remediate them.