How Stateward protects you against vulnerable & malicious dependencies
The threat
Every added or bumped dependency can pull in a known CVE or a freshly trojanised release. Most scanners alert on every transitive package, so the real risk drowns in noise.
How Stateward catches it
Stateward checks each added or changed dependency against OSV.dev advisories across npm, PyPI, crates.io, Maven, Go, RubyGems, Composer and NuGet, and — with the knowledge base on — tells you whether the vulnerable code is actually reachable from your project, not just present in the lockfile.
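The matching step on changed dependencies, as an added example in Python that is not Stateward's code: only dependencies the update added or bumped are checked, each exact version against advisory affected ranges in OSV schema shape. The lockfile snapshots, advisory IDs and summaries are constructed samples.

```python
# Added example, not Stateward's code; lockfiles and advisories are constructed samples in OSV schema shape.
OLD_LOCK = {"left-pad": "1.3.0", "lodash": "4.17.20", "express": "4.18.2"}
NEW_LOCK = {"left-pad": "1.3.0", "lodash": "4.17.21", "express": "4.18.2", "minimist": "1.2.5"}

# Constructed advisories using OSV fields: affected[].package and ranges[].events.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "summary": "sample: prototype pollution in minimist",
     "affected": [{"package": {"ecosystem": "npm", "name": "minimist"},
                   "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "1.2.6"}]}]}]},
    {"id": "EXAMPLE-0002", "summary": "sample: command injection in lodash template",
     "affected": [{"package": {"ecosystem": "npm", "name": "lodash"},
                   "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "4.17.21"}]}]}]},
]

def parse_ver(v):
    """Numeric dotted version to a comparable tuple; OSV uses "0" for the first release."""
    return tuple(int(p) for p in v.split("."))

def changed_deps(old, new):
    """Only dependencies the update added or bumped; untouched entries are not rescanned."""
    return {n: v for n, v in new.items() if old.get(n) != v}

def version_affected(version, rng):
    """Walk an OSV SEMVER range's sorted events: introduced opens an affected span,
    fixed closes it (the fixed version is safe), last_affected closes it after that version."""
    v = parse_ver(version)
    hit = False
    for ev in rng["events"]:
        if "introduced" in ev and parse_ver(ev["introduced"]) <= v:
            hit = True
        if "fixed" in ev and parse_ver(ev["fixed"]) <= v:
            hit = False
        if "last_affected" in ev and parse_ver(ev["last_affected"]) < v:
            hit = False
    return hit

def scan(old, new, advisories, ecosystem="npm"):
    """Return (package, version, advisory id) for each added or bumped dependency whose
    exact version falls in an affected range for the same ecosystem and package."""
    findings = []
    for name, version in changed_deps(old, new).items():
        for adv in advisories:
            for aff in adv["affected"]:
                pkg = aff["package"]
                if pkg["ecosystem"] != ecosystem or pkg["name"] != name:
                    continue
                if any(version_affected(version, r) for r in aff["ranges"] if r["type"] == "SEMVER"):
                    findings.append((name, version, adv["id"]))
    return findings
```

With the samples above, the lodash bump lands on its fixed version and is not reported, while the newly added minimist 1.2.5 is; unchanged packages are never looked up at all.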
Recent advisories of this class
- GHSA-HHPQ-7WG4-36JM (medium): CakePHP Authentication: Open redirect weakness via backslash bypass
- GHSA-8FQ9-273G-6MRG (critical): Avo: Missing Authorization in Avo Association Attach Endpoint Allows Unauthorized Relationship Manipulation and Privilege Escalation
- GHSA-X2QC-CMH9-F4HF (medium): Deno: Denial of service via non-ASCII bytes in WebSocket response headers
- GHSA-2F55-G35J-5JMF (critical): HAPI FHIR: XXE in XsltUtilities.saxonTransform via unhardened Saxon TransformerFactory
Check your own repo for this
Connect a repo and Stateward reviews your next pull request — read-only, free for individuals and open source.
Built to be trusted with your code
Read-only & ephemeral
Stateward can comment, but never pushes, merges or stores your keys.
EU-sovereign hosting
Code and security data stay EU-hosted via Citadea — built for NIS2, DORA and the CRA.
Whole-codebase aware
Reasons over your call graph and trust boundaries, not just the diff.
Stateward is in beta and onboarding design partners. Built by Yggdrasil Digital.