"Latest" is not a remediation strategy. Newest can carry its own critical, the minimum-semver fix can land on a dead branch, and the hijacked release pushed to the registry last Tuesday is, by version number, an upgrade. Safe Harbour eliminates versions that fail any axis and ranks what survives by distance from the version you run — a patch bump beats a minor, a minor beats a major.
Four axes — clean on every one, or it isn't a harbour
Vulnerabilities
Every known CVE, GHSA and ecosystem advisory affecting the version, with max severity.
Exploits
Exploit maturity per version — PoC, weaponised, active, widespread — from ExploitDB, Metasploit, Nuclei, VulnCheck XDB and CrowdSec sightings.
Malware
Known-malicious releases flagged from OSSF Malicious Packages, OSV malware advisories and the Vulnetix VDB.
End of life
Whether the release line still receives fixes at all — a clean version on a dead branch is borrowed time.
Three presets: safest, latest, stable
safest is the nearest version clearing every known problem while minimising major-version churn — the production-hotfix answer. latest is the newest clean release. stable is a vulnerability-free release on a long-supported line. Autofix applies a preset automatically; full version analysis surfaces every safe version. The version-safety matrix in the console marks all three on every dependency page, live from the registry.
Every recommendation shows its working
Each version carries the signals behind its verdict: safeHarbourScore, exploit maturity (NONE → POC → WEAPONIZED → ACTIVE → WIDESPREAD), CISA/EU KEV membership, EPSS, CESS and CVSS. And because the Package Firewall evaluates installs against the same data, the version Safe Harbour recommends is one the firewall will let through — remediation and prevention agree.
Console, API, or your coding agent
The Packages console renders the full matrix; the VDB API returns safeHarbour.recommendedVersions with reasoning for any package; the /vulnetix:safe-version and /vulnetix:fix agent skills pick a safe pin capped by your --max-major-bump policy or propose the full fix. When a package has no Safe Harbour at all, Vulnetix pivots you to mitigations instead — the matching detection rules float to the top as your best available defence.