The Problem

On March 31, 2026, a North Korean threat actor compromised axios — the most downloaded JavaScript HTTP library with over 100 million weekly downloads — and silently deployed a backdoor across developer machines and CI/CD pipelines worldwide. Before that, the Shai-Hulud worm tore through the npm ecosystem in September 2025, self-replicating across 180+ packages. Mini Shai-Hulud hit SAP's developer ecosystem in April 2026.

Every one of these attacks had one thing in common: developers had no idea what was running inside their npm install.

What I Built

DepShield is a dependency security audit tool that gives every developer instant visibility into what's hiding in their JavaScript dependencies — before it costs them.

Paste your package.json or package-lock.json. DepShield scans every dependency against the OSV.dev vulnerability database (Google's open source vulnerability intelligence platform), then generates a full security report with:

  • 🔴 Risk score (0–100) with animated visual ring indicator
  • 📊 Severity breakdown — Critical, High, Medium, Low counts
  • 📋 Per-vulnerability details — CVE/GHSA ID, description, and exact safe version to upgrade to
  • 🔧 Actionable fix commands — copy-paste npm install commands to remediate every vulnerable package
  • 🔗 Shareable report links — encode your full scan into a URL to share with your team or security officer (the report is base64 in the URL, not encrypted, so anyone holding the link can read the package list and findings)
  • 🔒 100% client-side — your manifest is parsed in the browser and never uploaded; the only thing that leaves it is the list of package names and versions needed for the OSV.dev lookup

How I Built It with MeDo

I built DepShield entirely through MeDo's conversational interface using Advanced Mode. I described the full product spec — tech stack, layout, user flow, API integration, and visual design — in a single detailed prompt. MeDo's multi-agent system generated the full-stack application in one pass, including the OSV.dev API integration via a custom plugin.

From there I iterated through MeDo's chat interface to:

  • Fix the JSON parser to handle all package.json and package-lock.json formats (v1, v2, v3)
  • Implement a two-stage API fetch — batch query followed by parallel detail fetching using Promise.all across 20+ vulnerabilities simultaneously
  • Add severity badge styling, animated SVG risk score ring, grouped collapsible vulnerability sections, and base64-encoded shareable reports
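The parser from the first item above, as an added example that is not DepShield's or MeDo's code: it reduces a package.json or a v1/v2/v3 package-lock.json to the exact {name, version} pairs an OSV querybatch needs and builds that request body. The three sample manifests are constructed. Querying a package.json range at its lower bound and flagging it as unpinned is my own assumption about how an unlocked manifest should be scanned; the page does not say how DepShield handles ranges.

```javascript
// Added example, not DepShield's own code: normalise package.json and
// package-lock.json v1/v2/v3 into the {name, version} pairs that an
// OSV.dev querybatch request expects. All sample manifests are constructed.

const SEMVER_RE = /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/;
const NM = "node_modules/";

// Lower bound of a package.json range: "^1.6.0", "~1.6.0", ">=1.6.0" and
// "1.6.0" all yield "1.6.0"; "*", "latest", "github:..." and "file:" yield null.
function lowerBound(spec) {
  const m = /^\s*(?:\^|~|>=|=|v)?\s*(\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?)\s*$/.exec(String(spec));
  return m ? m[1] : null;
}

// "node_modules/axios/node_modules/@scope/inner" -> "@scope/inner";
// paths without node_modules/ (workspace sources) yield null.
function nameFromLockPath(path) {
  const i = path.lastIndexOf(NM);
  return i === -1 ? null : path.slice(i + NM.length);
}

function parseManifest(text) {
  const doc = JSON.parse(text);
  const seen = new Map(); // "name@version" -> entry; dedups hoisted duplicates
  const skipped = [];
  const add = (name, version, pinned) => {
    if (!SEMVER_RE.test(String(version))) {
      skipped.push({ name, spec: version, reason: "not an exact semver version" });
      return;
    }
    seen.set(`${name}@${version}`, { name, version, pinned });
  };

  let source;
  if (doc.packages && typeof doc.packages === "object") {
    // lockfile v2/v3: "packages" keyed by install path. "" is the project itself and
    // link: true entries are workspace symlinks; both are skipped. meta.name is set
    // for aliased installs (foo@npm:bar) and is the real package name.
    source = `lockfile-v${doc.lockfileVersion ?? 2}`;
    for (const [path, meta] of Object.entries(doc.packages)) {
      if (path === "" || meta.link) continue;
      const pathName = nameFromLockPath(path);
      if (pathName === null) continue;
      add(meta.name || pathName, meta.version, true);
    }
  } else if (doc.lockfileVersion === 1 ||
             Object.values(doc.dependencies || {}).some((v) => typeof v === "object")) {
    // lockfile v1: a tree whose nodes carry resolved versions and nested "dependencies"
    source = "lockfile-v1";
    const walk = (deps) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        add(name, meta.version, true);
        walk(meta.dependencies);
      }
    };
    walk(doc.dependencies);
  } else {
    // package.json: specs are ranges, so no single installed version is known here.
    // Assumption: query the range's lower bound and flag it as unpinned; a lockfile
    // is always the better input.
    source = "package.json";
    for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
      for (const [name, spec] of Object.entries(doc[field] || {})) {
        const v = lowerBound(spec);
        if (v === null) skipped.push({ name, spec, reason: "unresolvable range" });
        else add(name, v, v === String(spec).trim());
      }
    }
  }
  return { source, packages: [...seen.values()], skipped };
}

// Request body for POST https://api.osv.dev/v1/querybatch (results[i] answers queries[i]).
function buildQueryBatch(packages) {
  return {
    queries: packages.map((p) => ({ package: { name: p.name, ecosystem: "npm" }, version: p.version })),
  };
}

// Constructed inputs covering each format.
const LOCK_V3 = JSON.stringify({
  name: "demo", lockfileVersion: 3, requires: true,
  packages: {
    "": { name: "demo", version: "1.0.0", dependencies: { axios: "^1.6.0" } },
    "node_modules/axios": { version: "1.6.0" },
    "node_modules/axios/node_modules/@scope/inner": { version: "2.0.0" },
    "node_modules/ws": { version: "8.5.0", dev: true },
    "packages/app": { name: "app", version: "0.0.1" },
    "node_modules/app": { resolved: "packages/app", link: true },
  },
});
const LOCK_V1 = JSON.stringify({
  name: "demo", lockfileVersion: 1,
  dependencies: {
    axios: { version: "1.6.0", dependencies: { "follow-redirects": { version: "1.15.0" } } },
    ws: { version: "8.5.0", dev: true },
  },
});
const PKG_JSON = JSON.stringify({
  name: "demo",
  dependencies: { axios: "^1.6.0", lodash: "4.17.21", mylib: "github:me/mylib" },
  devDependencies: { ws: "*" },
});

for (const text of [LOCK_V3, LOCK_V1, PKG_JSON]) {
  const r = parseManifest(text);
  console.log(r.source, r.packages.map((p) => `${p.name}@${p.version}`).join(" "),
              "| skipped:", r.skipped.map((s) => s.name).join(" ") || "-");
}
```

The two things worth noticing: a v2/v3 lockfile can list the same package twice at different nesting depths, so dedup by name@version rather than by name, and anything that is not an exact semver string (git URLs, `*`, `file:`) is reported in `skipped` instead of silently dropped, so the report can say what it could not check.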

The Most Impressive Thing MeDo Generated

The two-stage OSV API integration with parallel fetching — from a single conversational prompt, MeDo wired up a custom plugin, handled the querybatch response, fired parallel GET /v1/vulns/{id} requests for every vulnerability ID returned, parsed severity/summary/fix fields from each response, and rendered everything into a live report with progress indicators. That would have taken me hours to write manually.

Challenges

  • OSV querybatch only returns IDs, not full details — had to design a two-stage fetch pattern and communicate that clearly to MeDo through iterative prompting
  • Version string parsing — package-lock.json v2/v3 keys its packages by install path (node_modules/axios), v1 nests resolved versions in a dependencies tree, and a plain package.json carries version ranges rather than pinned versions; the parser needed to handle all three lockfile formats plus raw dependency objects
  • Severity mapping — OSV uses MODERATE while the UI needed MEDIUM; MAL- prefixed IDs (confirmed malware) needed to always resolve to CRITICAL regardless of other fields
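The two-stage fetch and the severity and fix handling from the three challenges above, as an added example that is not DepShield's own code. The network call is injected as a `fetchJson` function so the block runs offline; `FAKE_DB`, its IDs and the package names are constructed. The record fields it reads (`database_specific.severity`, `affected[].ranges[].events`) are the ones real OSV records carry. The in-flight cap of 20 and the semver comparison that ignores prerelease tags are simplifications of my own.

```javascript
// Added example, not DepShield's own code: the two-stage OSV.dev flow, with the
// network call injected (fetchJson) so it runs offline against FAKE_DB, a set of
// constructed OSV-shaped records with made-up IDs and package names.

const OSV = "https://api.osv.dev/v1";
const RANK = { CRITICAL: 4, HIGH: 3, MEDIUM: 2, LOW: 1, UNKNOWN: 0 };

// major.minor.patch comparison; prerelease tags are ignored (simplification)
function cmpSemver(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split("-")[0].split(".").map(Number));
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}

// GitHub-sourced OSV records put LOW/MODERATE/HIGH/CRITICAL in database_specific.severity;
// the UI wants MEDIUM. MAL- IDs (confirmed malware) are always CRITICAL, whatever else the record says.
function normalizeSeverity(vuln) {
  if (/^MAL-/.test(vuln.id)) return "CRITICAL";
  const label = String(vuln.database_specific?.severity ?? "").toUpperCase();
  if (label === "MODERATE") return "MEDIUM";
  return RANK[label] > 0 ? label : "UNKNOWN";
}

// The "fixed" event of the SEMVER range that contains the installed version. Taking the
// record's first "fixed" is wrong when fix lines differ per major (0.x fixed in 0.9.9, 1.x in 1.6.1).
function fixedVersion(vuln, pkgName, installed) {
  for (const a of vuln.affected || []) {
    if (a.package?.ecosystem !== "npm" || a.package?.name !== pkgName) continue;
    for (const r of a.ranges || []) {
      if (r.type !== "SEMVER") continue;
      let introduced = null;
      for (const e of r.events || []) {
        if (e.introduced !== undefined) introduced = e.introduced;
        else if (e.fixed !== undefined && introduced !== null) {
          if (cmpSemver(installed, introduced) >= 0 && cmpSemver(installed, e.fixed) < 0) return e.fixed;
          introduced = null;
        }
      }
    }
  }
  return null; // no fix published, or the installed version lies outside every fixed range
}

async function scanWithOsv(packages, fetchJson, { concurrency = 20 } = {}) {
  // Stage 1: one POST /v1/querybatch; results[i] answers queries[i] with IDs only
  const queries = packages.map((p) => ({ package: { name: p.name, ecosystem: "npm" }, version: p.version }));
  const batch = await fetchJson(`${OSV}/querybatch`, { method: "POST", body: { queries } });
  const hits = new Map(); // vuln id -> packages it was reported for
  (batch.results || []).forEach((res, i) => {
    for (const v of res.vulns || []) hits.set(v.id, [...(hits.get(v.id) || []), packages[i]]);
  });
  // Stage 2: GET /v1/vulns/{id} per unique ID, at most `concurrency` requests in flight
  const ids = [...hits.keys()];
  const details = new Map();
  for (let i = 0; i < ids.length; i += concurrency) {
    const chunk = ids.slice(i, i + concurrency);
    const recs = await Promise.all(chunk.map((id) => fetchJson(`${OSV}/vulns/${encodeURIComponent(id)}`)));
    recs.forEach((rec, j) => details.set(chunk[j], rec));
  }
  const findings = [];
  for (const [id, pkgs] of hits) {
    const rec = details.get(id);
    for (const p of pkgs) {
      findings.push({ package: p.name, version: p.version, id, aliases: rec.aliases || [],
        summary: rec.summary || "", severity: normalizeSeverity(rec), fixedIn: fixedVersion(rec, p.name, p.version) });
    }
  }
  return findings.sort((x, y) => RANK[y.severity] - RANK[x.severity]);
}

// Constructed records in OSV's schema (IDs and package names are made up).
const FAKE_DB = {
  "GHSA-xxxx-xxxx-xxxx": {
    id: "GHSA-xxxx-xxxx-xxxx", aliases: ["CVE-0000-00000"], summary: "demo-http SSRF (constructed)",
    database_specific: { severity: "MODERATE" },
    affected: [{ package: { ecosystem: "npm", name: "demo-http" }, ranges: [{ type: "SEMVER",
      events: [{ introduced: "0" }, { fixed: "0.9.9" }, { introduced: "1.0.0" }, { fixed: "1.6.1" }] }] }],
  },
  "MAL-0000-0000": {
    id: "MAL-0000-0000", summary: "demo-evil is malicious (constructed)",
    database_specific: { severity: "LOW" }, // deliberately wrong, to exercise the MAL- override
    affected: [{ package: { ecosystem: "npm", name: "demo-evil" }, versions: ["3.0.0"] }],
  },
};

// Offline stand-in for fetch(): answers the batch from FAKE_DB and serves records by ID
async function fakeFetchJson(url, init = {}) {
  if (url.endsWith("/querybatch")) {
    return { results: init.body.queries.map((q) =>
      q.package.name === "demo-http" && q.version === "1.6.0" ? { vulns: [{ id: "GHSA-xxxx-xxxx-xxxx" }] }
      : q.package.name === "demo-evil" ? { vulns: [{ id: "MAL-0000-0000" }] } : {}) };
  }
  const rec = FAKE_DB[decodeURIComponent(url.slice(url.lastIndexOf("/") + 1))];
  if (!rec) throw new Error(`unknown record ${url}`);
  return rec;
}

const SAMPLE_PACKAGES = [{ name: "demo-http", version: "1.6.0" },
  { name: "demo-evil", version: "3.0.0" }, { name: "demo-ok", version: "2.0.0" }];

scanWithOsv(SAMPLE_PACKAGES, fakeFetchJson).then((findings) => {
  for (const f of findings) console.log(f.severity, f.id, `${f.package}@${f.version}`, "fixed in:", f.fixedIn || "n/a");
});
```

For the real API, `fetchJson` is a thin wrapper around `fetch` that JSON-stringifies `init.body` and throws on a non-2xx status. Two checks worth keeping from this shape: `results[i]` must be read by index because an unaffected query comes back as an empty object rather than being omitted, and the fix version has to be chosen relative to the installed version, since a record with several `introduced`/`fixed` pairs names a different safe version per release line.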

What I Learned

MeDo rewards precision. The quality of the output is directly proportional to how clearly you specify the problem — not just what to build, but the exact user flow, the API request/response shape, the edge cases, and the visual tone. Treat MeDo like a senior engineer: give it a proper spec, not just a vague idea.

What's Next

  • GitHub Actions integration — scan on every PR automatically
  • Support for requirements.txt (Python), go.mod, Cargo.toml
  • Email report delivery
  • Badge generator for README files showing dependency health score

Built With
