
CLI tool for auditing open-source packages: version, CVEs, downloads, and replacement validation

Project description

veripak

CLI tool for auditing open-source packages.

Install

pip install veripak

Setup

veripak config

Configures your LLM backend (Ollama, Anthropic, OpenAI, or vLLM self-hosted), Tavily API key, and optional NVD API key.

Usage

# Check a single package
veripak check django --ecosystem python

# Include versions in use for CVE matching
veripak check log4j --ecosystem java --versions 2.14.0,2.15.0

# Machine-readable JSON
veripak check openssl --ecosystem c --json

# Skip CVE check (faster)
veripak check requests --ecosystem python --no-cves

How It Works

                    +-------------------------+
                    |      PACKAGE INPUT      |
                    |  name, versions_in_use, |
                    |  urls, replacement_name |
                    +-----------+-------------+
                                |
                    +-----------v-------------+
                    |   E0: ECOSYSTEM AGENT   |
                    |                         |
                    |  1. LLM: "What is this?"|
                    |     -> "java" (instant) |
                    |                         |
                    |  2. Validate: probe     |
                    |     Maven/PyPI/npm/etc  |
                    |     -> confirmed        |
                    |                         |
                    |  3. If no hit: Tavily   |
                    |     search to confirm   |
                    +-----------+-------------+
                                |
                  +-------------+-------------+
                  |       FORK (parallel)     |
                  |                           |
         +--------v--------+     +------------v-----------+
         |  TRACK A        |     |  TRACK B               |
         |                 |     |                        |
         |  N1: VERSION    |     |  EOL AGENT             |
         |  (registry API) |     |                        |
         |       |         |     |  Phase 1: Is version   |
         |       v         |     |    EOL?                |
         |  N2: DOWNLOAD   |     |  Phase 2: Is project   |
         |   discovery     |     |    dead?               |
         |       |         |     |  Phase 3: What's the   |
         |       v         |     |    replacement?        |
         |  N3: DOWNLOAD   |     |                        |
         |   validation    |     +------------+-----------+
         +--------+--------+                  |
                  +-------------+-------------+
                                |
                          JOIN  |
                                |
                  +-------------+-------------+
                  |       FORK (parallel)     |
                  |                           |
         +--------v--------+     +------------v-----------+
         |  TRACK C        |     |  TRACK D               |
         |                 |     |                        |
         |  N5: REPLACEMENT|     |  CVE AGENT             |
         |  VALIDATION     |     |  (agentic loop)        |
         |  (only if EOL   |     |                        |
         |   agent found   |     |  Uses: version from    |
         |   a replacement |     |  Track A, EOL status   |
         |   to validate)  |     |  from Track B          |
         +--------+--------+     +------------+-----------+
                  |                            |
                  +-------------+--------------+
                                |
                          JOIN  |
                                |
                    +-----------v-------------+
                    |  N6: SUMMARY AGENT      |
                    |                         |
                    |  All raw results +      |
                    |  deterministic guards + |
                    |  HITL flags propagated  |
                    +-----------+-------------+
                                |
                    +-----------v-------------+
                    |    FINAL RESULT JSON    |
                    +-------------------------+

Three specialized LLM agents (Ecosystem, EOL, CVE) replace fixed code paths, enabling reasoning about gaps and iterating on incomplete results. The agents use tools (registry probes, web search, GitHub API, advisory page fetching) and can flag fields for human review when data sources are inaccessible or signals are contradictory. Tracks A+B and C+D run in parallel via ThreadPoolExecutor for wall-clock speedup without async complexity.
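The fork/join shape described above, written out as a small runnable pipeline. This is an added example, not veripak's own code: the registry, EOL and CVE lookups are replaced by constructed in-memory dictionaries (the package names `examplelib`, `examplelib-ng` and `unknownpkg` are hypothetical), so it runs offline. What it shows is the orchestration itself: tracks A and B run in parallel on a ThreadPoolExecutor, the join hands their results to tracks C and D, and the summary step applies a deterministic guard and propagates every human-review flag raised along the way rather than letting an agent's verdict silently win.

```python
"""Fork/join pipeline with HITL flag propagation.

Added example, not veripak's own code: it reproduces the orchestration
shape described in the README (tracks A+B in parallel, join, tracks C+D in
parallel, join, summary) with constructed in-memory stand-ins for the
registry, EOL and CVE lookups that the real tool performs over the network.
"""
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, field


@dataclass
class TrackResult:
    value: object
    source: str
    needs_review: bool = False          # HITL flag raised by the track itself
    reasons: list = field(default_factory=list)


# Constructed stand-ins for live data sources (hypothetical package names).
FAKE_REGISTRY = {"examplelib": "2.3.1", "examplelib-ng": "1.0.0"}
FAKE_EOL = {"examplelib": {"eol": True, "replacement": "examplelib-ng"}}
FAKE_CVES = {("examplelib", "2.3.1"): []}


def track_a_version(name: str) -> TrackResult:
    """N1: resolve the latest version from the registry; flag if unreachable."""
    if name not in FAKE_REGISTRY:
        return TrackResult(None, "registry", True, ["registry lookup failed"])
    return TrackResult(FAKE_REGISTRY[name], "registry")


def track_b_eol(name: str) -> TrackResult:
    """EOL agent: is the project dead, and what replaces it?"""
    if name not in FAKE_EOL:
        return TrackResult({"eol": None, "replacement": None}, "eol-agent",
                           True, ["EOL sources inaccessible"])
    return TrackResult(FAKE_EOL[name], "eol-agent")


def track_c_replacement(eol: TrackResult):
    """N5: validate the named replacement; runs only if one was named."""
    repl = eol.value.get("replacement")
    if repl is None:
        return None
    if repl in FAKE_REGISTRY:
        return TrackResult(repl, "registry")
    return TrackResult(repl, "registry", True,
                       [f"replacement {repl!r} not found in any registry"])


def track_d_cves(name: str, version) -> TrackResult:
    """CVE agent: match advisories against the version from track A."""
    if version is None:
        return TrackResult([], "osv", True,
                           ["no confirmed version to match CVEs against"])
    return TrackResult(FAKE_CVES.get((name, version), []), "osv")


def summarize(name, a, b, c, d) -> dict:
    """N6: merge raw results, apply deterministic guards, propagate HITL flags."""
    reasons = [r for t in (a, b, c, d) if t is not None and t.needs_review
               for r in t.reasons]
    # Deterministic guard: an EOL verdict without a validated replacement is
    # never accepted silently, whatever confidence the agent reported.
    if b.value.get("eol") and c is None:
        reasons.append("EOL reported but no replacement named")
    return {
        "package": name,
        "latest_version": a.value,
        "eol": b.value,
        "replacement": c.value if c else None,
        "cves": d.value,
        "needs_human_review": bool(reasons),
        "review_reasons": reasons,
    }


def audit(name: str) -> dict:
    with ThreadPoolExecutor(max_workers=2) as pool:
        fut_a = pool.submit(track_a_version, name)        # FORK: track A
        fut_b = pool.submit(track_b_eol, name)            #       track B
        a, b = fut_a.result(), fut_b.result()             # JOIN
        fut_c = pool.submit(track_c_replacement, b)       # FORK: track C (uses B)
        fut_d = pool.submit(track_d_cves, name, a.value)  #       track D (uses A)
        c, d = fut_c.result(), fut_d.result()             # JOIN
    return summarize(name, a, b, c, d)


if __name__ == "__main__":
    import json
    for pkg in ("examplelib", "unknownpkg"):
        print(json.dumps(audit(pkg), indent=2))
```

Running it on the unknown package shows why the flags are propagated rather than summarised away: three independent tracks each fail for a different reason, and the final record carries all three so a reviewer sees that no field in it was actually confirmed.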

Supported ecosystems

Ecosystem                              Version source   CVE source
python                                 PyPI API         OSV.dev
javascript                             npm registry     OSV.dev
java                                   Maven Central    OSV.dev
go                                     Go proxy         OSV.dev
dotnet                                 NuGet API        OSV.dev
perl                                   MetaCPAN         OSV.dev
php                                    Packagist        OSV.dev
c, cpp, system, desktop-app, driver    Tavily + LLM     NVD API
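The table names OSV.dev as the CVE source for the registry-backed ecosystems, and the Usage section shows `--versions` feeding versions in use into CVE matching. The following added example (not veripak's own code) shows what that matching step has to do with an OSV advisory record: walk each `affected` entry's `ranges[].events` list, where an `introduced` event opens an affected interval and the next `fixed` (exclusive) or `last_affected` (inclusive) event closes it, and report which of the caller's versions fall inside. The advisory data is a constructed sample shaped like a reply from the real OSV query endpoint (`POST https://api.osv.dev/v1/query`); the advisory ids are placeholders, not real identifiers, and the version comparator is a deliberate simplification rather than a full PEP 440 or Maven comparator.

```python
"""Match versions in use against OSV.dev advisory records.

Added example, not veripak's own code. SAMPLE_OSV_RESPONSE is a constructed
stand-in for the JSON that OSV's /v1/query endpoint returns when queried
with {"package": {"name": ..., "ecosystem": ...}}; advisory ids are
placeholders, not real identifiers.
"""

SAMPLE_OSV_RESPONSE = {  # constructed sample, shaped like an OSV /v1/query reply
    "vulns": [
        {
            "id": "EXAMPLE-2021-0001",  # placeholder id
            "affected": [{
                "package": {"ecosystem": "Maven",
                            "name": "org.apache.logging.log4j:log4j-core"},
                "ranges": [{"type": "ECOSYSTEM",
                            "events": [{"introduced": "2.0"}, {"fixed": "2.15.0"}]}],
            }],
        },
        {
            "id": "EXAMPLE-2021-0002",  # placeholder id
            "affected": [{
                "package": {"ecosystem": "Maven",
                            "name": "org.apache.logging.log4j:log4j-core"},
                "ranges": [{"type": "ECOSYSTEM",
                            "events": [{"introduced": "2.0"}, {"fixed": "2.16.0"}]}],
            }],
        },
    ]
}


def parse_version(version: str) -> tuple:
    """Turn a dotted version into a tuple that compares sensibly.

    Numeric components compare as integers; anything else sorts after the
    numerics as text. This is a simplification, not a PEP 440 or Maven
    comparator; a production matcher should use the ecosystem's own rules.
    OSV's "0" (meaning "from the first release") parses to the smallest value.
    """
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in version.split("."))


def version_in_range(version: str, events: list) -> bool:
    """Apply OSV range semantics: an 'introduced' event opens an affected
    interval; the next 'fixed' (exclusive) or 'last_affected' (inclusive)
    event closes it; an interval with no closing event is still open."""
    v = parse_version(version)
    start = None
    for ev in events:
        if "introduced" in ev:
            start = parse_version(ev["introduced"])
        elif "fixed" in ev and start is not None:
            if start <= v < parse_version(ev["fixed"]):
                return True
            start = None
        elif "last_affected" in ev and start is not None:
            if start <= v <= parse_version(ev["last_affected"]):
                return True
            start = None
    return start is not None and v >= start


def match_advisories(osv_response: dict, package: str, ecosystem: str,
                     versions_in_use: list) -> dict:
    """Return {version: [advisory ids]} for the versions a caller runs."""
    hits = {v: [] for v in versions_in_use}
    for vuln in osv_response.get("vulns", []):
        for aff in vuln.get("affected", []):
            pkg = aff.get("package", {})
            if pkg.get("name") != package or pkg.get("ecosystem") != ecosystem:
                continue
            explicit = set(aff.get("versions", []))  # OSV may also list versions outright
            # GIT ranges hold commit hashes, not versions, so only these two apply.
            ranges = [r for r in aff.get("ranges", [])
                      if r.get("type") in ("ECOSYSTEM", "SEMVER")]
            for v in versions_in_use:
                affected = v in explicit or any(
                    version_in_range(v, r.get("events", [])) for r in ranges)
                if affected and vuln["id"] not in hits[v]:
                    hits[v].append(vuln["id"])
    return hits


if __name__ == "__main__":
    import json
    print(json.dumps(match_advisories(
        SAMPLE_OSV_RESPONSE, "org.apache.logging.log4j:log4j-core", "Maven",
        ["2.14.0", "2.15.0", "2.16.0"]), indent=2))
```

With the constructed sample, 2.14.0 matches both placeholder advisories, 2.15.0 matches only the second (it is the `fixed` boundary of the first, and `fixed` is exclusive), and 2.16.0 matches neither. Querying OSV with a specific `version` in the request body makes the service do this filtering server-side; the client-side form above is what you need when one query is reused across several versions in use.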

LLM backends

veripak uses a local or hosted LLM to extract version information from web search results for ecosystems that have no queryable registry API (C, C++, system packages, desktop applications, drivers).

Supported backends: Ollama (default), Anthropic, OpenAI, vLLM (self-hosted).

Download files


Source Distribution

veripak-0.1.0.tar.gz (72.8 kB)

Uploaded Source

Built Distribution


veripak-0.1.0-py3-none-any.whl (69.6 kB)

Uploaded Python 3

File details

Details for the file veripak-0.1.0.tar.gz.

File metadata

  • Download URL: veripak-0.1.0.tar.gz
  • Upload date:
  • Size: 72.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for veripak-0.1.0.tar.gz
Algorithm    Hash digest
SHA256       64bba9572e133642f3583612116b795b5e37506373e8867aeb06bbb5a440f1f6
MD5          51b58b3834bb1b39a7a08a024744d13b
BLAKE2b-256  25de5db5bc18b2aedd3845e01663bdb9877d978dbac5a67ab3b08b884d3b31de


Provenance

The following attestation bundles were made for veripak-0.1.0.tar.gz:

Publisher: release.yml on rdwj/veripak

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file veripak-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: veripak-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 69.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for veripak-0.1.0-py3-none-any.whl
Algorithm    Hash digest
SHA256       0c7716e427429f212537db4ae7e84831bada2c2bd1b45fb4ef45b193b344cbe9
MD5          eb446f8ea613e484010e5b2b7fa74472
BLAKE2b-256  c296be858f8b38727bc74097a697e87a8dd7ee348e99b135c39acd7444754142


Provenance

The following attestation bundles were made for veripak-0.1.0-py3-none-any.whl:

Publisher: release.yml on rdwj/veripak

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
