
av check

Pre-flight a package coordinate against AlertaVuln’s CVE intelligence and classify every match RED or YELLOW before the package ever lands in your tree.

av check <ecosystem> <name> <version> [flags]

The binary ships as alertavuln; av is the common alias - they are interchangeable in every example.

av check answers “is it safe to add this?” for a single package coordinate. It is project-agnostic: no --project, no manifest, no local scan - just the ecosystem, package name, and version you are about to install. You must be logged in (av login) first.

<ecosystem> is matched case-insensitively against the ecosystems AlertaVuln tracks: npm, nuget, pip, maven, go, cargo, composer, rubygems. Anything else is treated as other.

The result has three parts:

  • Matches - every CVE whose affected range covers the version, classified RED when the version is squarely inside the affected range, or YELLOW when the range only partially overlaps and the match cannot be confirmed either way. Versions a CVE does not affect produce no match at all. The table shows the CVE ID, severity, classification, and fixed version.
  • Suggested safe version - the safest floor that clears every affected range matching your version, when one can be computed.
  • Health - a best-effort maintenance snapshot (maintenance status, deprecation flag, last publish date), omitted when AlertaVuln holds no health data for the package.

With --json the command prints the raw result instead of a table. The JSON includes fields the table omits: cvssScore, epssScore, isKev, and affectedVersionRange per match, plus lastPublishedAt on health.

| Flag | Default | Description |
| --- | --- | --- |
| --json | false | Output raw JSON instead of a table |

Pre-flight a specific version before adding it - this reports 13 matching CVEs for vite@6.0.0, plus the suggested safe version and health snapshot:

av check npm vite 6.0.0

Compare candidate versions when picking an upgrade target:

av check npm vite 4.0.0 # 14 matching CVEs
av check npm vite 5.0.0 # 17 matching CVEs
av check npm vite 6.0.0 # 13 matching CVEs

Script against the raw result - pull the RED matches with their fixed versions:

av check npm vite 6.0.0 --json | jq '.matches[] | select(.classification == "red") | {cveId, fixedVersion}'
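Because av check exits 0 even when CVEs match, a CI gate has to be decided from the JSON rather than from the exit code. The script below is an added example for this page, not part of the AlertaVuln CLI or its documentation: it turns one --json result into a block/warn/pass verdict (RED always blocks, YELLOW warns unless --strict, any isKev match escalates to block) and ranks several candidate versions the way the comparison above does by hand. The per-match fields (cveId, severity, classification, fixedVersion, cvssScore, epssScore, isKev, affectedVersionRange) and health.lastPublishedAt are the ones the page documents; the top-level keys suggestedSafeVersion and health, and the health keys maintenanceStatus and deprecated, are assumed names for the suggested safe version and health parts. The payload is constructed sample data, not real AlertaVuln output.

```python
"""Pre-flight gate over the JSON printed by `av check <ecosystem> <name> <version> --json`.

Added example, not AlertaVuln code. Assumed (not page-confirmed) key names:
`suggestedSafeVersion`, `health`, `health.maintenanceStatus`, `health.deprecated`.
"""
import json
import sys

# Constructed sample payload in the shape the page describes. CVE IDs, ranges and
# scores are placeholders, not real AlertaVuln data.
SAMPLE_RESULT = {
    "matches": [
        {"cveId": "CVE-0000-0001", "severity": "high", "classification": "red",
         "fixedVersion": "6.0.9", "cvssScore": 7.5, "epssScore": 0.41,
         "isKev": False, "affectedVersionRange": ">=6.0.0 <6.0.9"},
        {"cveId": "CVE-0000-0002", "severity": "moderate", "classification": "yellow",
         "fixedVersion": "6.1.0", "cvssScore": 5.3, "epssScore": 0.02,
         "isKev": False, "affectedVersionRange": "<6.1.0"},
    ],
    "suggestedSafeVersion": "6.1.0",  # assumed key name
    "health": {"maintenanceStatus": "active", "deprecated": False,  # assumed key names
               "lastPublishedAt": "2025-01-01T00:00:00Z"},
}


def gate(result, block_on_yellow=False):
    """Turn one av check result into a CI decision.

    RED matches always block: the requested version sits squarely inside a CVE's
    affected range. YELLOW matches only partially overlap and cannot be confirmed
    either way, so they warn by default and block only under a strict gate. Any
    match flagged isKev (CISA Known Exploited Vulnerabilities) blocks regardless
    of its colour, since exploitation is already observed in the wild.
    """
    matches = result.get("matches", [])
    red = [m for m in matches if m.get("classification") == "red"]
    yellow = [m for m in matches if m.get("classification") == "yellow"]
    kev = [m for m in matches if m.get("isKev")]

    if red or kev or (block_on_yellow and yellow):
        verdict = "block"
    elif yellow:
        verdict = "warn"
    else:
        verdict = "pass"

    # A deprecated package produces no CVE match, but the flag still belongs in
    # the decision record so the reviewer sees it before the package lands.
    health = result.get("health") or {}
    return {
        "verdict": verdict,
        "red": sorted(m["cveId"] for m in red),
        "yellow": sorted(m["cveId"] for m in yellow),
        "kev": sorted(m["cveId"] for m in kev),
        "max_cvss": max((m.get("cvssScore") or 0.0 for m in matches), default=0.0),
        "fix_floor": result.get("suggestedSafeVersion"),
        "deprecated": bool(health.get("deprecated")),
    }


def rank_candidates(results):
    """Order candidate versions safest-first, given a mapping version -> av check
    result (one `av check ... --json` call per version). Sort key: RED count, then
    KEV count, then YELLOW count, then highest CVSS; fewer and lower win."""
    def key(item):
        g = gate(item[1])
        return (len(g["red"]), len(g["kev"]), len(g["yellow"]), g["max_cvss"])
    return [version for version, _ in sorted(results.items(), key=key)]


def main():
    # Read the piped result; fall back to the sample when run interactively.
    result = SAMPLE_RESULT if sys.stdin.isatty() else json.load(sys.stdin)
    decision = gate(result, block_on_yellow="--strict" in sys.argv[1:])
    print(json.dumps(decision, indent=2))
    # Non-zero only on block, so a warn still lets the pipeline continue loudly.
    sys.exit(1 if decision["verdict"] == "block" else 0)


if __name__ == "__main__":
    main()
```

Pipe the real output through it in CI (`av check npm vite 6.0.0 --json | python3 preflight.py --strict`) and the job fails on RED or KEV matches while still reporting the suggested safe version to upgrade to. Ranking candidates only needs the per-version results collected into a dict.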

Exit codes

| Code | Meaning |
| --- | --- |
| 0 | Check completed - including when matching CVEs were found |
| 1 | Command failed: not logged in, bad arguments, or an API error |

See also

  • av exposure - find which of your projects are exposed to a CVE