Why is that vulnerable package in your lockfile?

Pharos walks yarn.lock or package-lock.json upward from a known vulnerable package@version and tells you which top-level dependency owns the fix.

$ npx pharos-cli@latest qs@6.13.0 --path ./my-app

  ./package-lock.json
  Found qs@6.13.0

  Owner: express, requested as ^4.18.0

  Chain
    qs@6.13.0
      -> body-parser@1.20.3
      -> express@4.21.2

  Fix path
    body-parser >= 1.20.4
    express    >= 5.0.0
    → Recommended: update express to >= 5.0.0

Start here

Getting started: Pharos explains why a known vulnerable JavaScript package version is in your lockfile, and finds the package that owns the fix.

Understanding output: read chains, owners, fix paths, and recommendations.

JSON reports: wire Pharos into CI with the structured `--json` output.

CLI reference: every flag and example in one place.

Supported lockfiles: what Pharos can parse today.

Pass any exact package@version reported by Dependabot, Snyk, npm audit, or yarn audit, or named in a CVE advisory. Pharos walks the lockfile, traces the chain, and tells you which top-level dependency owns the fix.

Run without installing

npx pharos-cli@latest request@2.88.2 --path ./my-app

The package argument must include an exact version:

pharos <package>@<version>

Install globally

npm install -g pharos-cli
pharos request@2.88.2 --path ./my-app

Choose a project

By default, Pharos scans the current directory:

pharos minimist@1.2.5

Pass --path to scan another project:

pharos qs@6.13.0 --path ./apps/web

Use --recursive when you want to scan multiple nested projects:

pharos semver@7.0.0 --path ~/projects --recursive

What to do next

After Pharos finds a chain, read the owner and fix path in the output. The owner is the top-level dependency declaration in the sibling package.json that likely needs to change.
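The upward walk described above, as an added example that is not Pharos's own code: it reads the `packages` map of a lockfileVersion 2/3 package-lock.json, builds reverse dependency edges using Node's nearest-node_modules resolution, and returns each chain from the exact package@version to the top-level declaration that owns it, together with the range the root requested. The lockfile object is constructed to mirror the qs chain shown earlier; the fix-path step is left out because it needs version data the lockfile does not carry.

```javascript
// Constructed lockfile mirroring the page's qs -> body-parser -> express chain (not a real project).
const LOCK = { name: "my-app", lockfileVersion: 3, packages: {
  "": { name: "my-app", dependencies: { express: "^4.18.0" } },
  "node_modules/express": { version: "4.21.2", dependencies: { "body-parser": "1.20.3" } },
  "node_modules/body-parser": { version: "1.20.3", dependencies: { qs: "6.13.0" } },
  "node_modules/qs": { version: "6.13.0" },
} };
// Name after the nearest "node_modules/", so scoped and nested paths both work.
const pkgName = (p) => p.slice(p.lastIndexOf("node_modules/") + 13);
// Resolve a dependency name the way Node does: nearest node_modules walking up.
function resolve(packages, from, name) {
  for (let base = from; ; ) {
    const candidate = `${base ? base + "/" : ""}node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}
// Reverse edges: for each package path, the paths that depend on it.
function reverseEdges(packages) {
  const parents = new Map();
  for (const [path, meta] of Object.entries(packages)) {
    for (const dep of Object.keys(meta.dependencies || {})) {
      const target = resolve(packages, path, dep);
      if (target) parents.set(target, [...(parents.get(target) || []), path]);
    }
  }
  return parents;
}
// Every chain from the exact package@version up to a top-level dependency, with the
// owner and the range the root package.json requested. `seen` cuts dependency cycles.
function explain(lock, spec) {
  const at = spec.lastIndexOf("@"), name = spec.slice(0, at), version = spec.slice(at + 1);
  const { packages } = lock;
  const parents = reverseEdges(packages);
  const root = { ...packages[""].devDependencies, ...packages[""].dependencies };
  const label = (p) => `${pkgName(p)}@${packages[p].version}`;
  const results = [];
  const walk = (path, chain, seen) => {
    for (const parent of parents.get(path) || []) {
      if (parent === "") results.push({ chain, owner: pkgName(path), requested: root[pkgName(path)] });
      else if (!seen.has(parent)) walk(parent, [...chain, label(parent)], new Set(seen).add(parent));
    }
  };
  for (const p of Object.keys(packages)) {
    if (p && pkgName(p) === name && packages[p].version === version) walk(p, [label(p)], new Set([p]));
  }
  return results;
}
```

Calling `explain(LOCK, "qs@6.13.0")` yields one chain, `qs@6.13.0 -> body-parser@1.20.3 -> express@4.21.2`, owned by `express` as requested with `^4.18.0`; a version not present in the lockfile yields an empty array.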

Not a vulnerability scanner

Pharos doesn't maintain an advisory database. Use yarn audit, npm audit, Dependabot, or your existing scanner to find vulnerabilities, then hand the exact package@version to Pharos to explain and remediate.