Who Touched My Packages?

Secure your dependencies with style 🛡️

Multi-Ecosystem

Supports npm (package.json) and Python (requirements.txt) with more coming soon

Remote Repository Scanning

Clone and scan any Git repository directly without manual setup

Multiple Data Sources

Queries OSV for comprehensive vulnerability coverage

Provenance Verification

Automatically checks for SLSA provenance attestations to verify package integrity

Beautiful UI

Colorful, emoji-rich terminal output with automatic light/dark mode detection

CI/CD Ready

JSON output and exit codes make it perfect for automation pipelines

Severity Filtering

Filter vulnerabilities by severity level (CRITICAL, HIGH, MEDIUM, LOW)

Recursive Scanning

Automatically finds all dependency files in your project tree

Fast & Efficient

Parallel API requests and smart caching for quick scans

Extensible

Easy to add new data sources and package managers

Install globally:

npm install -g who-touched-my-packages

Scan your project:

wtmp

That’s it! The tool will recursively scan your project and report any vulnerabilities 🎉

🛡️ Who Touched My Packages?
Scanning dependencies for vulnerabilities...
✔ Found 2 dependency file(s)
✔ Parsed 16 package(s)
════════════════════════════════════════════════════════════
🛡️ Security Audit Summary
════════════════════════════════════════════════════════════
Scanned Packages: 16
Total Vulnerabilities: 3
🔴 Critical: 1
🟠 High: 2
════════════════════════════════════════════════════════════

  • Beautiful UX: Security tools should be pleasant to use
  • Multiple Sources: Don’t rely on a single vulnerability database
  • Extensible: Easy to add new data sources and package managers
  • Fast: Optimized for large monorepos
  • Free: No API keys or paid plans required

Quick Start

Learn the basics and scan your first project