av check
Pre-flight a package coordinate against AlertaVuln’s CVE intelligence and classify every match RED or YELLOW before the package ever lands in your tree.
Synopsis
    av check <ecosystem> <name> <version> [flags]

The binary ships as alertavuln; av is the common alias - they are
interchangeable in every example.
Description
av check answers “is it safe to add this?” for a single package coordinate.
It is project-agnostic: no --project, no manifest, no local scan - just the
ecosystem, package name, and version you are about to install. You must be
logged in (av login) first.
<ecosystem> is matched case-insensitively against the ecosystems AlertaVuln
tracks: npm, nuget, pip, maven, go, cargo, composer,
rubygems. Anything else is treated as other.
The result has three parts:
- Matches - every CVE whose affected range covers the version, classified RED when the version is squarely inside the affected range, or YELLOW when the range only partially overlaps and the match cannot be confirmed either way. Versions a CVE does not affect produce no match at all. The table shows the CVE ID, severity, classification, and fixed version.
- Suggested safe version - the safest floor that clears every affected range matching your version, when one can be computed.
- Health - a best-effort maintenance snapshot (maintenance status, deprecation flag, last publish date), omitted when AlertaVuln holds no health data for the package.
With --json the command prints the raw result instead of a table. The JSON
includes fields the table omits: cvssScore, epssScore, isKev, and
affectedVersionRange per match, plus lastPublishedAt on health.
Options
| Flag | Default | Description |
|---|---|---|
| --json | false | Output raw JSON instead of a table |
Examples
Pre-flight a specific version before adding it - this reports 13 matching
CVEs for vite@6.0.0, plus the suggested safe version and health snapshot:

    av check npm vite 6.0.0

Compare candidate versions when picking an upgrade target:

    av check npm vite 4.0.0   # 14 matching CVEs
    av check npm vite 5.0.0   # 17 matching CVEs
    av check npm vite 6.0.0   # 13 matching CVEs

Script against the raw result - pull the RED matches with their fixed versions:

    av check npm vite 6.0.0 --json | jq '.matches[] | select(.classification == "red") | {cveId, fixedVersion}'

Exit codes
| Code | Meaning |
|---|---|
| 0 | Check completed - including when matching CVEs were found |
| 1 | Command failed: not logged in, bad arguments, or an API error |
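
Because av check exits 0 even when CVEs match, a CI step has to derive its own pass/fail from the --json output. The script below is an added example, not part of AlertaVuln's tooling or documentation: the blocking policy, the exit code 2, the lowercase "yellow" value, and the numeric cvssScore / boolean isKev types are assumptions, and the sample data is constructed.

```python
import json
import sys

# Constructed sample using only field names this page mentions; all values are made up.
SAMPLE = {"matches": [
    {"cveId": "CVE-0000-0001", "classification": "red", "cvssScore": 5.3, "isKev": False, "fixedVersion": "0.0.1"},
    {"cveId": "CVE-0000-0002", "classification": "yellow", "cvssScore": 9.1, "isKev": False, "fixedVersion": None},
    {"cveId": "CVE-0000-0003", "classification": "yellow", "cvssScore": 4.0, "isKev": False, "fixedVersion": "0.0.2"},
]}


def evaluate(result, yellow_cvss_floor=7.0):
    """Split matches into (blocking, warnings) under a local policy (an assumption,
    not AlertaVuln's): RED always blocks; YELLOW blocks if KEV-listed or CVSS >= floor."""
    blocking, warnings = [], []
    for m in result.get("matches") or []:
        cls = str(m.get("classification", "")).lower()
        score = m.get("cvssScore")  # assumed numeric; may be missing or null
        severe = bool(m.get("isKev")) or (
            isinstance(score, (int, float)) and score >= yellow_cvss_floor)
        if cls == "red" or (cls == "yellow" and severe):
            blocking.append(m)
        else:
            warnings.append(m)
    return blocking, warnings


def main(stream=sys.stdin):
    # av check exits 0 even when CVEs match, so this gate supplies the failing exit code.
    try:
        result = json.load(stream)
    except json.JSONDecodeError:
        print("gate: input is not JSON (did av check fail?)", file=sys.stderr)
        return 1
    if not isinstance(result, dict):
        return 1
    blocking, warnings = evaluate(result)
    for m in blocking:
        print(f"BLOCK {m.get('cveId')} fixed in {m.get('fixedVersion') or 'n/a'}")
    for m in warnings:
        print(f"WARN  {m.get('cveId')}")
    return 2 if blocking else 0  # 2 (assumed) keeps policy blocks distinct from av's exit 1


if __name__ == "__main__":
    sys.exit(main())
```

Saved under a hypothetical name such as gate.py, it runs as: av check npm vite 6.0.0 --json | python gate.py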
See also
- av exposure - find which of your projects are exposed to a CVE