# List Vulnerable Packages

**Description:** Retrieves a list of vulnerable packages, with options to filter the results based on various criteria such as package name, visibility, token role, and remediation status.

{% hint style="warning" %}
Note that a new vulnerability is sometimes discovered after a sealed version already exists, in which case a newer sealed version is released.

For example, `ejs@2.7.4` had two vulnerabilities that were sealed in `ejs@2.7.4-sp1`. Another vulnerability was then discovered, which required the release of `ejs@2.7.4-sp2`. In that case, if the tenant is using `ejs@2.7.4-sp1`, this endpoint returns it, because that package contains an open, unpatched vulnerability.
{% endhint %}

**Path:** [https://external.sealsecurity.io/authenticated/api/v1/packages/vulnerable](https://external.sealsecurity.io/authenticated/api/v1/packages/vulnerable?limit=2)

**Method:** GET

**Authentication:** See detailed explanation [here](/apis.md#authentication).

#### Request Parameters

This endpoint accepts the following optional query parameters to filter the results:

<table><thead><tr><th width="202.333251953125">Parameter Name</th><th width="85.370361328125">Type</th><th width="259.7777099609375">Description</th><th width="273.4444580078125">Accepted Values</th></tr></thead><tbody><tr><td><code>package_name_contains</code></td><td>string</td><td>Filter packages that have this string in their name.</td><td>Any string</td></tr><tr><td><code>is_hidden</code></td><td>boolean</td><td>Filter packages that are hidden (<code>true</code>) or visible (<code>false</code>).</td><td><code>true</code>, <code>false</code></td></tr><tr><td><code>access_token_role</code></td><td>string</td><td>Filter packages according to the token used to detect them.</td><td><code>Production</code>, <code>Development</code></td></tr><tr><td><code>fix_availability</code></td><td>string</td><td>Filter packages by their remediation state.</td><td><code>sealed</code>, <code>pending_deploy</code>, <code>seal_available</code>, <code>fix_in_preparation</code>, <code>generate_fix</code>, <code>unfixable</code></td></tr></tbody></table>

**Details for `fix_availability` values:**

* `sealed`: The vulnerable package in this project was effectively remediated by using a safer sealed version. The sealed version was pulled at least once.
* `pending_deploy`: The next time the vulnerable package is used in this project, it will be replaced with the safer sealed version by the CLI.
* `seal_available`: The vulnerable package was detected in this project, and a safer sealed version is available for use. However, currently the CLI isn't configured to replace the vulnerable package with the sealed version.
* `fix_in_preparation`: The vulnerable package was detected in this project, and a sealed version is now under development.
* `generate_fix`: The vulnerable package was detected in this project, a sealed version is currently unavailable, but you can request one.
* `unfixable`: The vulnerable package was detected in this project. However, a sealed version is unavailable and cannot be generated due to technical reasons.

#### Response

The API returns a paginated JSON array of objects, where each object represents a vulnerable package matching the applied filters.

**Response Structure:**

```json
[
  {
    "package_name": "string",
    "package_version": "string",
    "ecosystem": "string",
    "project_name": "string",
    "open_vulnerabilities_in_original_package": [
      {
        "CVE": "string",
        "score": "float"
      }
    ],
    "fix_availability": "string",
    "replaced_by_sealed_version": "string",
    "open_vulnerabilities_in_sealed_version": [
      {
        "CVE": "string",
        "score": "float"
      }
    ],
    "sealed_vulnerabilities_in_sealed_version": [
      {
        "CVE": "string",
        "score": "float"
      }
    ],
    "last_seen": "string",
    "access_token_role": "string",
    "is_hidden": "boolean"
  }
]
```

**Response Fields:**

<table><thead><tr><th width="227.5185546875">Field Name</th><th width="140.1109619140625">Type</th><th>Description</th></tr></thead><tbody><tr><td><code>package_name</code></td><td>string</td><td>The name of the package.</td></tr><tr><td><code>package_version</code></td><td>string</td><td>The version of the package.</td></tr><tr><td><code>ecosystem</code></td><td>string</td><td>The ecosystem (e.g., <code>npm</code>, <code>PyPI</code>, <code>Maven</code>) of the package.</td></tr><tr><td><code>project_name</code></td><td>string</td><td>The name of the project where the package was detected.</td></tr><tr><td><code>open_vulnerabilities_in_original_package</code></td><td>array of <code>vulnerability</code> objects</td><td>A list of vulnerabilities that are open in the original vulnerable package.</td></tr><tr><td><code>CVE</code></td><td>string</td><td>Vulnerability identifier (e.g., <code>CVE-2023-1234</code>).</td></tr><tr><td><code>score</code></td><td>float</td><td>Vulnerability risk score.</td></tr><tr><td><code>fix_availability</code></td><td>string</td><td>The remediation state of the vulnerable package. See accepted values in the Request Parameters section for detailed descriptions.</td></tr><tr><td><code>replaced_by_sealed_version</code></td><td>string</td><td>The version of the sealed package that is currently being used as a replacement (if <code>fix_availability</code> is <code>sealed</code>, <code>null</code> otherwise).</td></tr><tr><td><code>open_vulnerabilities_in_sealed_version</code></td><td>array of <code>vulnerability</code> objects</td><td>A list of vulnerabilities that are still open in the sealed version currently being used (a safer sealed version might be available).</td></tr><tr><td><code>sealed_vulnerabilities_in_sealed_version</code></td><td>array of <code>vulnerability</code> objects</td><td>A list of vulnerabilities that were patched (sealed) in the sealed version currently being used.</td></tr><tr><td><code>last_seen</code></td><td>string</td><td>The date and time (ISO 8601 format) when the vulnerable package was last detected.</td></tr><tr><td><code>access_token_role</code></td><td>string</td><td>The type of token (<code>Production</code> or <code>Development</code>) used to detect the vulnerable package.</td></tr><tr><td><code>is_hidden</code></td><td>boolean</td><td>Indicates whether the vulnerable package is hidden (<code>true</code>) or visible (<code>false</code>).</td></tr></tbody></table>

The vulnerability object is composed of two fields:

<table><thead><tr><th width="228.25927734375">Field Name</th><th width="140.4814453125">Type</th><th>Description</th></tr></thead><tbody><tr><td><code>CVE</code></td><td>string</td><td><p>Vulnerability identifier (e.g., <code>CVE-2023-1234</code>).</p><p>Note that if there is no public CVE identifier, a GHSA identifier is used instead. If there is neither, a Snyk ID is used.</p></td></tr><tr><td><code>score</code></td><td>float</td><td>Vulnerability risk score. Can be <code>null</code>, in which case the vulnerability is rated as Low severity.</td></tr></tbody></table>

#### Example Requests and Responses

**1. Get all vulnerable packages:**

**Request (cURL):**

```bash
curl -X GET \
  'https://external.sealsecurity.io/authenticated/api/v1/packages/vulnerable' \
  -H 'Authorization: Bearer YOUR_ACCESS_TOKEN'
```

**Example Response (Truncated):**

```json
[
  {
    "package_name": "lodash",
    "package_version": "4.17.21",
    "ecosystem": "npm",
    "project_name": "MyWebApp",
    "open_vulnerabilities_in_original_package": [
      {
        "CVE": "CVE-2021-23336",
        "score": 7.5
      }
    ],
    "fix_availability": "seal_available",
    "replaced_by_sealed_version": null,
    "open_vulnerabilities_in_sealed_version": [],
    "sealed_vulnerabilities_in_sealed_version": [],
    "last_seen": "2025-05-10T14:30:00Z",
    "access_token_role": "Production",
    "is_hidden": false
  },
  {
    "package_name": "spring-core",
    "package_version": "5.3.2",
    "ecosystem": "maven",
    "project_name": "InternalService",
    "open_vulnerabilities_in_original_package": [
      {
        "CVE": "CVE-2022-22965",
        "score": 9.8
      }
    ],
    "fix_availability": "unfixable",
    "replaced_by_sealed_version": null,
    "open_vulnerabilities_in_sealed_version": [],
    "sealed_vulnerabilities_in_sealed_version": [],
    "last_seen": "2025-05-09T10:00:00Z",
    "access_token_role": "Development",
    "is_hidden": false
  }
]
```

**2. Filter packages by name and fix availability:**

**Request (cURL):**

```bash
curl -X GET \
  'https://external.sealsecurity.io/authenticated/api/v1/packages/vulnerable?package_name_contains=spring&fix_availability=sealed' \
  -H 'Authorization: Bearer YOUR_ACCESS_TOKEN'
```

**Example Response:**

```json
[
  {
    "package_name": "spring-webflux",
    "package_version": "5.3.2",
    "ecosystem": "maven",
    "project_name": "UserFacingApp",
    "open_vulnerabilities_in_original_package": [
      {
        "CVE": "CVE-2021-22096",
        "score": 7.0
      }
    ],
    "fix_availability": "sealed",
    "replaced_by_sealed_version": "spring-webflux-sealed-5.3.2-1",
    "open_vulnerabilities_in_sealed_version": [],
    "sealed_vulnerabilities_in_sealed_version": [
      {
        "CVE": "CVE-2021-22096",
        "score": 7.0
      }
    ],
    "last_seen": "2025-05-08T11:45:00Z",
    "access_token_role": "Production",
    "is_hidden": false
  }
]
```
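The hint at the top of this page means a package can be `sealed` and still carry open vulnerabilities, and the vulnerability object allows a `null` score. The following Python triage over a parsed response is an added example, not Seal Security's code: it reads only fields documented above, while the action labels, the `make_pkg` helper, the sample records with their placeholder identifiers, and the assumption that the `ejs@2.7.4-sp1` case is reported with `fix_availability` set to `sealed` are all constructed for illustration.

```python
ACTIONS = {  # labels are this example's own wording, not API values
    "pending_deploy": "none: sealed version is applied on next use",
    "seal_available": "configure the CLI to use the sealed version",
    "fix_in_preparation": "wait: sealed version under development",
    "generate_fix": "request a sealed version",
    "unfixable": "no sealed version can be generated",
}

def worst_score(vulns):
    """Highest numeric score; None when every score is null (rated Low per the docs)."""
    scores = [v["score"] for v in vulns if v.get("score") is not None]
    return max(scores) if scores else None

def triage(packages):
    """Return packages that still carry open vulnerabilities, worst score first."""
    findings = []
    for pkg in packages:
        state = pkg["fix_availability"]
        if state == "sealed":
            # A sealed version can have open issues found after it was released.
            remaining = pkg.get("open_vulnerabilities_in_sealed_version") or []
            action = "move to a newer sealed version"
        else:
            remaining = pkg.get("open_vulnerabilities_in_original_package") or []
            action = ACTIONS.get(state, "unknown state: " + state)
        if not remaining:
            continue  # e.g. sealed and nothing left open
        findings.append({"package": f'{pkg["package_name"]}@{pkg["package_version"]}',
                         "ids": [v["CVE"] for v in remaining],
                         "worst_score": worst_score(remaining), "action": action})
    # Null-scored (Low) findings sort after every numerically scored one.
    findings.sort(key=lambda f: (f["worst_score"] is None, -(f["worst_score"] or 0.0)))
    return findings

def make_pkg(name, version, state, orig, sealed_by=None, open_sealed=()):  # hypothetical helper
    return {"package_name": name, "package_version": version, "fix_availability": state,
            "open_vulnerabilities_in_original_package": orig,
            "replaced_by_sealed_version": sealed_by,
            "open_vulnerabilities_in_sealed_version": list(open_sealed)}

SAMPLE = [  # constructed records with placeholder identifiers
    make_pkg("ejs", "2.7.4", "sealed", [{"CVE": "CVE-0000-0003", "score": 8.1}],
             "2.7.4-sp1", [{"CVE": "CVE-0000-0003", "score": 8.1}]),
    make_pkg("pkg-a", "1.0.0", "sealed", [{"CVE": "CVE-0000-0001", "score": 7.0}], "1.0.0-sp1"),
    make_pkg("pkg-b", "2.0.0", "generate_fix", [{"CVE": "GHSA-xxxx-xxxx-xxxx", "score": None}]),
    make_pkg("pkg-c", "3.1.0", "unfixable", [{"CVE": "CVE-0000-0002", "score": 9.8}]),
]

for finding in triage(SAMPLE):
    print(finding)
```

`pkg-a` is dropped because its sealed version has nothing left open, even though `open_vulnerabilities_in_original_package` still lists the original issue.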


