Package Vulnerability Reporting#

Enhanced Advanced

Overview#

Package Manager automatically ingests security advisories from the OSV Project, a database of open source vulnerabilities. OSV vulnerability data is updated and published to the Posit Package Service multiple times each day, and Package Manager automatically synchronizes this data in the background every 10 minutes.

These vulnerabilities along with any associated NIST CVEs will be displayed on the relevant package pages. Packages with vulnerabilities can also be blocked via the blocklist with rspm create blocklist-rule --vulns.

See appendix for vulnerabilities configuration options.

For offline ("air-gapped") environments, vulnerability data can also be synchronized via the offline downloader. See rspm-offline-downloader get vulns.

For more information OSV's data sources, such as the RConsortium Advisory Database or PyPI Advisory Database, see the OSV data sources list.