The Debuggix team ran a security experiment across 100 public GitHub repositories. We used 9 engines running in parallel: Semgrep, Bandit, Gitleaks, TruffleHog, Trivy, ESLint, Hadolint, Checkov, and OSV-Scanner.
The goal was to collect raw data on the actual state of dependency security. Not marketing claims. Not vendor reports. Just findings from real codebases.
Here is what the data showed.
Finding One: Dependency CVEs Are Universal
Every single repository scanned had at least one dependency CVE.
Not most. Not 99 percent. All 100 repositories.
This included projects with hundreds of thousands of stars. Projects maintained by full-time security teams. Projects that had been scanned before. Projects built entirely by AI three weeks ago.
The most common vulnerable packages were protobufjs, xmldom, axios, and Hono.
Protobufjs has over 4 million weekly downloads on npm. The CVEs found relate to prototype pollution and denial of service. Prototype pollution can lead to remote code execution in some contexts.
Xmldom has been deprecated but remains in thousands of projects. The CVEs found include XML external entity injection, which can lead to local file disclosure on the server.
Axios has over 20 million weekly downloads. The CVEs found include server-side request forgery and insecure redirect handling. An attacker can use SSRF to access internal services not exposed to the internet.
Hono has grown rapidly among edge compute developers. The CVEs found include request smuggling and improper input validation.
Finding Two: The Severity Distribution
Across all 100 repositories, the Debuggix scan found:
- Critical severity CVEs: 12 percent of findings
- High severity CVEs: 28 percent of findings
- Medium severity CVEs: 45 percent of findings
- Low severity CVEs: 15 percent of findings
Critical and high severity findings appeared in 73 percent of repositories. These are vulnerabilities that can lead to remote code execution, data breach, or complete system compromise.
The remaining 27 percent of repositories had only medium and low severity findings. These are still vulnerabilities. They still need fixing. But they are less likely to be exploited immediately.
Finding Three: Maintainers Did Not Know
When Debuggix approached maintainers with a list of specific CVEs affecting their projects, the response was consistent.
Almost every maintainer said some version of "I did not know that package was vulnerable."
This is not a failure of individual developers. It is a failure of the ecosystem. Developers cannot fix what they do not know exists. And most developers have never run a dependency scan.
The difference between a secure project and an insecure project is not code quality. It is awareness.
What You Can Run Right Now
You do not need a paid tool to check your dependencies. These commands are free and run locally.
For npm:
npm audit
For Yarn (classic, v1):
yarn audit
For Python (install once with pip install pip-audit):
pip-audit
For Rust (install once with cargo install cargo-audit):
cargo audit
For Go (install once with go install golang.org/x/vuln/cmd/govulncheck@latest):
govulncheck ./...
Each command takes less than 30 seconds. Run one on your project today.
How Debuggix Scans Dependencies
Debuggix runs three dependency scanning engines in parallel: Trivy, OSV-Scanner, and an integration with Snyk's open source vulnerability database.
Trivy excels at container scanning but also covers language-specific dependencies. OSV-Scanner uses Google's open source vulnerability database, which includes CVEs from the GitHub Advisory Database and RustSec. The Snyk integration adds coverage from their commercial database.
Running multiple engines catches what single engines miss. One database might have a CVE that another does not. One engine might flag a vulnerability that another classifies as low priority.
The result is a comprehensive dependency report showing every known CVE affecting your project, with severity ratings and suggested version upgrades.
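Running several engines only produces a single report if their findings are de-duplicated first: the same advisory may arrive under a CVE id from one engine and a GHSA id from another, with different severities. The following is an added example (not Debuggix code) of that merge step and of computing the per-severity percentages used in Finding Two; the engine names are the ones above, while the advisory ids, versions and severities are constructed placeholders.

```python
# Added example (not Debuggix code): merge findings from several dependency
# scan engines into one de-duplicated report before computing percentages.
from collections import Counter

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def build_alias_groups(reports):
    """Union alias lists so a GHSA-only report and a CVE report of the same
    advisory land in one group (engines often cite different identifiers)."""
    group_of = {}
    for findings in reports.values():
        for f in findings:
            group = set(f["ids"])
            for i in f["ids"]:
                group |= group_of.get(i, set())
            for i in group:
                group_of[i] = group
    return group_of

def canonical_id(aliases):
    """Stable name for a group: a CVE if present, else a GHSA id, else min()."""
    for prefix in ("CVE-", "GHSA-"):
        hits = sorted(a for a in aliases if a.startswith(prefix))
        if hits:
            return hits[0]
    return min(aliases)

def merge_findings(reports):
    """One record per (package, version, advisory): the highest severity any
    engine assigned, plus which engines flagged it. reports = {engine: [...]}."""
    group_of = build_alias_groups(reports)
    merged = {}
    for engine, findings in reports.items():
        for f in findings:
            key = (f["package"], f["version"], canonical_id(group_of[f["ids"][0]]))
            rec = merged.setdefault(key, {"severity": "LOW", "engines": []})
            if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[rec["severity"]]:
                rec["severity"] = f["severity"]
            rec["engines"].append(engine)
    return merged

def severity_distribution(merged):
    """Percent of de-duplicated findings per severity (the shape of Finding Two)."""
    counts = Counter(rec["severity"] for rec in merged.values())
    total = sum(counts.values()) or 1
    return {sev: round(100 * counts[sev] / total) for sev in SEVERITY_RANK}

# Constructed sample input (placeholder ids/versions): both engines hit protobufjs
# under different aliases and severities; each also finds one the other misses.
SAMPLE_REPORTS = {
    "trivy": [{"package": "protobufjs", "version": "0.0.1", "severity": "HIGH", "ids": ["CVE-0000-0001", "GHSA-aaaa-bbbb-cccc"]},
              {"package": "xmldom", "version": "0.0.1", "severity": "MEDIUM", "ids": ["CVE-0000-0002"]}],
    "osv-scanner": [{"package": "protobufjs", "version": "0.0.1", "severity": "CRITICAL", "ids": ["GHSA-aaaa-bbbb-cccc"]},
                    {"package": "axios", "version": "0.0.1", "severity": "HIGH", "ids": ["CVE-0000-0003"]}]}
```

Calling merge_findings(SAMPLE_REPORTS) yields three records rather than four, with the protobufjs entry rated CRITICAL and attributed to both engines.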
Debuggix is free for open source repositories. Paid plans for private repos start at $29 per month.
Try it: debuggix.space