Product Announcement · 3 June 2026

Safe Harbour is Live: Upgrade to Safe, Not Just to New

Vulnetix now scores every published version of a dependency across four axes — vulnerabilities, exploits, malware and end-of-life — and recommends the closest version that is clean on all of them. Not the newest. The nearest safe one. Works from the package name alone: no source upload, from the Console, the API, or your agent.

See Safe Patching

"Latest" is not a remediation strategy. Newest can carry its own critical, the minimum-semver fix can land on a dead branch, and the hijacked release pushed to the registry last Tuesday is, by version number, an upgrade. Safe Harbour eliminates versions that fail any axis and ranks what survives by distance from the version you run — a patch bump beats a minor, a minor beats a major.

Four axes — clean on every one, or it isn't a harbour

Vulnerabilities

Every known CVE, GHSA and ecosystem advisory affecting the version, with max severity.

Exploits

Exploit maturity per version — PoC, weaponised, active, widespread — from ExploitDB, Metasploit, Nuclei, VulnCheck XDB and CrowdSec sightings.

Malware

Known-malicious releases flagged from OSSF Malicious Packages, OSV malware advisories and the Vulnetix VDB.

End of life

Whether the release line still receives fixes at all — a clean version on a dead branch is borrowed time.

Three presets: safest, latest, stable

safest is the nearest version clearing every known problem while minimising major-version churn — the production-hotfix answer. latest is the newest clean release. stable is a vulnerability-free release on a long-supported line. Autofix applies a preset automatically; full version analysis surfaces every safe version. The version-safety matrix in the console marks all three on every dependency page, live from the registry.

Every recommendation shows its working

Each version carries the signals behind its verdict: safeHarbourScore, exploit maturity (NONE → POC → WEAPONIZED → ACTIVE → WIDESPREAD), CISA/EU KEV membership, EPSS, CESS and CVSS. And because the Package Firewall evaluates installs against the same data, the version Safe Harbour recommends is one the firewall will let through — remediation and prevention agree.

Console, API, or your coding agent

The Packages console renders the full matrix; the VDB API returns safeHarbour.recommendedVersions with reasoning for any package; the /vulnetix:safe-version and /vulnetix:fix agent skills pick a safe pin capped by your --max-major-bump policy or propose the full fix. When a package has no Safe Harbour at all, Vulnetix pivots you to mitigations instead — the matching detection rules float to the top as your best available defence.

Get a free API key →