explaingit

endevco/osv-bloom

Analysis updated 2026-05-18

20RustAudience · developerComplexity · 3/5LicenseSetup · moderate

TLDR

A Rust tool that builds a tiny, auto refreshing bloom filter of known malicious npm packages for fast local safety checks.

Mindmap

mindmap
  root((repo))
    What it does
      Bloom filter of bad npm packages
      Auto refresh every 10 min
      Served via GitHub Pages
    Tech stack
      Rust
      GitHub Actions
      GitHub Pages
    Use cases
      Pre-install safety check
      Reduce live API calls
      Custom security tooling
    Audience
      Package manager developers
      Security engineers

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Check every package in a lockfile against known malicious npm packages before installing

USE CASE 2

Reduce live API calls to OSV by filtering out the vast majority of safe packages locally

USE CASE 3

Build a custom install time security check on top of the published filter file

What is it built with?

RustGitHub ActionsGitHub Pages

How does it compare?

endevco/osv-bloomakitaonrails/ratatui-bubbleteadeepdiy/pdf2md
Stars202020
LanguageRustRustRust
Setup difficultymoderateeasyeasy
Complexity3/52/52/5
Audiencedeveloperdeveloperdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate Time to first run · 30min

Consumers just fetch the published filter.bin file, building it locally requires downloading a large OSV data archive.

Use freely for any purpose, including commercial use, as long as you keep the copyright notice.

In plain English

osv-bloom is a small tool written in Rust that helps package managers quickly check whether an npm package might be malicious, without having to call a live security database on every single install. It works by building a compact data structure called a bloom filter, a compressed way to test whether an item is probably in a set, using entries pulled from OSV, an open vulnerability database, specifically its list of confirmed malicious npm packages. The filter file is rebuilt automatically every ten minutes by a scheduled GitHub Actions workflow, then published as a static file through GitHub Pages, so any tool can download it without needing its own server. A package manager can check every entry in a project's lockfile against this local filter almost instantly and for free, and only make a real network call to OSV's live API on the rare occasion the filter suggests a possible match, which the README says happens zero or one times per install in normal use given a false positive rate of about zero point one percent. The README is upfront about the tool's limits. Because it depends on OSV's own list of published malicious packages, it can only catch what OSV has already confirmed and published, and there is typically a lag of hours up to about a day between when a malicious package appears and when OSV lists it. During that window a package would be missed just as it would be if you queried OSV directly. The project also documents its internal file format in detail, including how packages are grouped by version ranges and how the filter's byte layout works, along with a small Rust code snippet showing how another program can read and check the filter file directly. At the current size of the malicious package list, the filter itself is under half a megabyte. It is released under the MIT license.

Copy-paste prompts

Prompt 1
Explain how a bloom filter is used in osv-bloom to detect malicious npm packages
Prompt 2
Show me how to read filter.bin using the osv-bloom Rust crate
Prompt 3
What is the detection lag for osv-bloom and why does it exist

Frequently asked questions

What is osv-bloom?

A Rust tool that builds a tiny, auto refreshing bloom filter of known malicious npm packages for fast local safety checks.

What language is osv-bloom written in?

Mainly Rust. The stack also includes Rust, GitHub Actions, GitHub Pages.

What license does osv-bloom use?

Use freely for any purpose, including commercial use, as long as you keep the copyright notice.

How hard is osv-bloom to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is osv-bloom for?

Mainly developer.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.