About global security advisories

Global security advisories live in the Advisory Database, a collection of CVEs and GitHub-originated advisories affecting the open source world. You can contribute to improving global security advisories.

About global security advisories

There are two types of advisories: global security advisories and repository security advisories. For more information about repository security advisories, see About repository security advisories.

Global security advisories are grouped into these categories: GitHub-reviewed advisories, unreviewed advisories, and malware advisories.

  • GitHub-reviewed advisories are security vulnerabilities that have been mapped to packages in ecosystems we support. We carefully review each advisory for validity and ensure that it has a full description and contains both ecosystem and package information.
  • Unreviewed advisories are security vulnerabilities that we publish automatically into the Advisory Database, directly from the National Vulnerability Database feed.
  • Malware advisories relate to vulnerabilities caused by malware, and are security advisories that GitHub publishes automatically into the Advisory Database, directly from information provided by the npm security team. Malware advisories are exclusive to the npm ecosystem. GitHub doesn't edit or accept community contributions on these advisories.

Note

Dependabot doesn't generate Dependabot alerts for unreviewed and malware advisories.

For more information about the Advisory Database, see About the Advisory database.

Security advisories in the Advisory Database at github.com/advisories are considered global advisories. Anyone can suggest improvements on any global security advisory in the Advisory Database. You can edit or add any detail, including additionally affected ecosystems, severity level or description of who is impacted. The Security Lab curation team will review the submitted improvements and publish them onto the Advisory Database if accepted.

Every repository advisory is reviewed by the Security Lab curation team for consideration as a global advisory. We publish security advisories for any of the ecosystems supported by the dependency graph to the Advisory Database on github.com/advisories.

You can access any advisory in the Advisory Database. For more information, see Browsing security advisories in the Advisory Database.

You can suggest improvements to any advisory in the Advisory Database. For more information, see Editing security advisories in the Advisory Database.