Analysis updated 2026-05-18
Check every package in a lockfile against known malicious npm packages before installing
Reduce live API calls to OSV by filtering out the vast majority of safe packages locally
Build a custom install time security check on top of the published filter file
| endevco/osv-bloom | akitaonrails/ratatui-bubbletea | deepdiy/pdf2md | |
|---|---|---|---|
| Stars | 20 | 20 | 20 |
| Language | Rust | Rust | Rust |
| Setup difficulty | moderate | easy | easy |
| Complexity | 3/5 | 2/5 | 2/5 |
| Audience | developer | developer | developer |
Figures from each repo's GitHub metadata at analysis time.
Consumers just fetch the published filter.bin file, building it locally requires downloading a large OSV data archive.
osv-bloom is a small tool written in Rust that helps package managers quickly check whether an npm package might be malicious, without having to call a live security database on every single install. It works by building a compact data structure called a bloom filter, a compressed way to test whether an item is probably in a set, using entries pulled from OSV, an open vulnerability database, specifically its list of confirmed malicious npm packages. The filter file is rebuilt automatically every ten minutes by a scheduled GitHub Actions workflow, then published as a static file through GitHub Pages, so any tool can download it without needing its own server. A package manager can check every entry in a project's lockfile against this local filter almost instantly and for free, and only make a real network call to OSV's live API on the rare occasion the filter suggests a possible match, which the README says happens zero or one times per install in normal use given a false positive rate of about zero point one percent. The README is upfront about the tool's limits. Because it depends on OSV's own list of published malicious packages, it can only catch what OSV has already confirmed and published, and there is typically a lag of hours up to about a day between when a malicious package appears and when OSV lists it. During that window a package would be missed just as it would be if you queried OSV directly. The project also documents its internal file format in detail, including how packages are grouped by version ranges and how the filter's byte layout works, along with a small Rust code snippet showing how another program can read and check the filter file directly. At the current size of the malicious package list, the filter itself is under half a megabyte. It is released under the MIT license.
A Rust tool that builds a tiny, auto refreshing bloom filter of known malicious npm packages for fast local safety checks.
Mainly Rust. The stack also includes Rust, GitHub Actions, GitHub Pages.
Use freely for any purpose, including commercial use, as long as you keep the copyright notice.
Setup difficulty is rated moderate, with roughly 30min to a first successful run.
Mainly developer.
This repo across BitVibe Labs
Verify against the repo before relying on details.