DepWarden is a free online vulnerability scanner for the open-source dependencies your software ships. Paste a package-lock.json, requirements.txt, pom.xml, go.sum (or any supported manifest), drop a lockfile, or point it at a public GitHub repo — and it tells you which components carry known vulnerabilities, which are actively exploited, and exactly how to fix them. No account, no installation, nothing uploaded but the manifest text.
Every package is matched against a full OSV mirror, covering all major ecosystems, for known vulnerabilities (CVEs plus ecosystem advisories such as GHSA and PYSEC records). Actively-exploited flaws are called out first using the CISA Known Exploited Vulnerabilities (KEV) catalogue, and each issue carries a FIRST EPSS exploit-probability score so you fix the small fraction of issues attackers actually use. The same pass catches supply-chain attacks, typosquatting and dependency confusion, which no vulnerability-database lookup can surface because there is no advisory to match, and it also flags risky licenses, deprecated packages and end-of-life release lines.
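The matching and prioritisation pass described above, as an added self-contained sketch written for this page; it is not DepWarden's own code. It parses a lockfileVersion 3 package-lock.json, matches each installed package (including nested copies) against advisories laid out in the OSV schema shape (SEMVER ranges with introduced/fixed events), orders the results KEV-first and then by EPSS, and flags near-miss names against a list of well-known packages as possible typosquats. The lockfile, advisories, KEV entries, EPSS scores and popular-name list are all constructed sample data with placeholder identifiers; in a real run they come from osv.dev, the CISA KEV catalogue and the FIRST EPSS feed.

```python
import json

# Constructed package-lock.json (lockfileVersion 3 layout). Names, versions and the
# nested copy of tiny-dep are hypothetical sample data, not real packages.
LOCKFILE = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/acme-parser": {"version": "2.0.3"},
        "node_modules/acme-parser/node_modules/tiny-dep": {"version": "0.9.0"},
        "node_modules/lodahs": {"version": "4.17.0"},
        "node_modules/express": {"version": "4.19.2"},
    },
})

# Constructed advisories in the OSV schema shape. IDs are placeholders, not real GHSA/CVE records.
ADVISORIES = [
    {"id": "GHSA-EXAMPLE-0001", "aliases": ["CVE-0000-0001"], "database_specific": {"severity": "HIGH"},
     "affected": [{"package": {"ecosystem": "npm", "name": "acme-parser"},
                   "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "2.1.0"}]}]}]},
    {"id": "GHSA-EXAMPLE-0002", "aliases": ["CVE-0000-0002"], "database_specific": {"severity": "MODERATE"},
     "affected": [{"package": {"ecosystem": "npm", "name": "tiny-dep"},
                   "ranges": [{"type": "SEMVER", "events": [{"introduced": "0.5.0"}, {"fixed": "1.0.0"}]}]}]},
    {"id": "GHSA-EXAMPLE-0003", "aliases": ["CVE-0000-0003"], "database_specific": {"severity": "CRITICAL"},
     "affected": [{"package": {"ecosystem": "npm", "name": "express"},
                   "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "4.0.0"}]}]}]},
]
KEV = {"CVE-0000-0002"}                                  # constructed stand-in for the CISA KEV catalogue
EPSS = {"CVE-0000-0001": 0.02, "CVE-0000-0002": 0.71}    # constructed stand-in for FIRST EPSS scores
POPULAR = {"lodash", "express", "react"}                 # constructed list of well-known names
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MODERATE": 2, "LOW": 1}


def parse_lockfile(text: str) -> list[tuple[str, str]]:
    """Return (name, version) for every installed package, including nested node_modules copies."""
    out = []
    for path, meta in json.loads(text)["packages"].items():
        if not path:
            continue                       # "" is the root project itself
        # Last "node_modules/" segment handles nesting and keeps scoped names (@scope/pkg) intact.
        out.append((path.rsplit("node_modules/", 1)[1], meta["version"]))
    return out


def semver(v: str) -> tuple[int, ...]:
    """Numeric core of a semver string; pre-release/build tags are dropped (a simplification)."""
    return tuple(int(p) for p in v.split("-", 1)[0].split("+", 1)[0].split("."))


def is_affected(version: str, events: list[dict]) -> bool:
    """OSV SEMVER events are sorted and half-open: affected iff introduced <= v < fixed."""
    v, affected = semver(version), False
    for ev in events:
        if "introduced" in ev and semver(ev["introduced"]) <= v:
            affected = True
        if "fixed" in ev and semver(ev["fixed"]) <= v:
            affected = False
    return affected


def match_advisories(packages, advisories, ecosystem="npm") -> list[dict]:
    findings = []
    for name, version in packages:
        for adv in advisories:
            for aff in adv["affected"]:
                if aff["package"]["ecosystem"] != ecosystem or aff["package"]["name"] != name:
                    continue
                for rng in aff["ranges"]:
                    if rng["type"] == "SEMVER" and is_affected(version, rng["events"]):
                        findings.append({
                            "package": name, "version": version, "id": adv["id"],
                            "cves": [a for a in adv.get("aliases", []) if a.startswith("CVE-")],
                            "fixed": next((e["fixed"] for e in rng["events"] if "fixed" in e), None),
                            "severity": adv.get("database_specific", {}).get("severity", "UNKNOWN"),
                        })
    return findings


def prioritise(findings, kev, epss) -> list[dict]:
    """KEV entries first, then highest EPSS, then severity as the tie-breaker."""
    for f in findings:
        f["kev"] = any(c in kev for c in f["cves"])
        f["epss"] = max((epss.get(c, 0.0) for c in f["cves"]), default=0.0)
    return sorted(findings, key=lambda f: (not f["kev"], -f["epss"], -SEVERITY_RANK.get(f["severity"], 0)))


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; a swapped pair of letters counts as 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(packages, popular, max_distance=2) -> list[tuple[str, str]]:
    """Names within max_distance of a well-known package that are not that package themselves."""
    return [(name, real) for name, _ in packages if name not in popular
            for real in sorted(popular) if edit_distance(name, real) <= max_distance]


if __name__ == "__main__":
    pkgs = parse_lockfile(LOCKFILE)
    for f in prioritise(match_advisories(pkgs, ADVISORIES), KEV, EPSS):
        print(f"{'KEV ' if f['kev'] else '    '}{f['package']}@{f['version']} {f['id']} "
              f"sev={f['severity']} epss={f['epss']:.2f} fix: upgrade to {f['fixed']}")
    for name, real in typosquat_candidates(pkgs, POPULAR):
        print(f"possible typosquat: {name} (did you mean {real}?)")
```

The express entry shows why the range check matters: it has an advisory but the installed 4.19.2 is past the fixed version, so it produces no finding. The max edit distance of 2 catches transposed letters such as lodahs/lodash but will produce noise on very short names; a production check adds a length floor and a download-count or age signal.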
Most "free" scanners either want a sign-up, run only as a local CLI you have to install, or send your project to a vendor cloud. DepWarden runs in the browser in a session-isolated workspace. It's genuinely free and genuinely anonymous — useful when you just want to check a dependency tree without onboarding a platform.
The same engine runs as a zero-dependency CLI and a GitHub Action, so the check you ran by hand becomes a build gate: npx depwarden scan package-lock.json --fail-on high. Add diff mode to fail a pull request only when it introduces new risk.
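The gate semantics from the paragraph above, as an added Python illustration written for this page; it is not the DepWarden CLI, and the page does not spell out the diff-mode flag, so the interface here is assumed. It takes two constructed sets of findings, for the base branch and the pull-request head, applies a --fail-on style severity threshold, and in diff mode fails only on findings that are new in the head. Findings are keyed on (package, advisory) rather than on version, so a version bump that stays vulnerable is not counted as new and a disappearing advisory is reported as resolved.

```python
import sys

SEVERITY_RANK = {"LOW": 1, "MODERATE": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed scan results; advisory IDs are placeholders, not real records.
BASE_FINDINGS = [
    {"package": "acme-parser", "version": "2.0.3", "id": "GHSA-EXAMPLE-0001", "severity": "HIGH"},
    {"package": "tiny-dep", "version": "0.9.0", "id": "GHSA-EXAMPLE-0002", "severity": "MODERATE"},
]
HEAD_FINDINGS = [
    # same advisory, bumped version that is still inside the affected range: not new
    {"package": "acme-parser", "version": "2.0.4", "id": "GHSA-EXAMPLE-0001", "severity": "HIGH"},
    # tiny-dep was upgraded past the fix, so its advisory is gone; img-resize is new in this PR
    {"package": "img-resize", "version": "1.2.0", "id": "GHSA-EXAMPLE-0004", "severity": "CRITICAL"},
]


def _key(f: dict) -> tuple[str, str]:
    return (f["package"], f["id"])


def meets_threshold(finding: dict, fail_on: str) -> bool:
    if fail_on not in SEVERITY_RANK:
        raise ValueError(f"unknown --fail-on level: {fail_on}")
    # Unknown/unrated severities rank 0 and never block; a stricter policy would treat them as HIGH.
    return SEVERITY_RANK.get(finding["severity"], 0) >= SEVERITY_RANK[fail_on]


def gate(findings: list[dict], fail_on: str = "HIGH") -> tuple[int, list[dict]]:
    """Full-scan gate: exit code 1 if any finding is at or above fail_on."""
    blocking = [f for f in findings if meets_threshold(f, fail_on)]
    return (1 if blocking else 0), blocking


def diff_findings(base: list[dict], head: list[dict]) -> dict[str, list[dict]]:
    """Split head findings into new / unchanged relative to base, and list what base had that head fixed."""
    base_keys, head_keys = {_key(f) for f in base}, {_key(f) for f in head}
    return {
        "new": [f for f in head if _key(f) not in base_keys],
        "unchanged": [f for f in head if _key(f) in base_keys],
        "resolved": [f for f in base if _key(f) not in head_keys],
    }


def diff_gate(base: list[dict], head: list[dict], fail_on: str = "HIGH") -> tuple[int, dict[str, list[dict]]]:
    """Diff-mode gate: fail only on newly introduced findings at or above fail_on."""
    diff = diff_findings(base, head)
    code, _ = gate(diff["new"], fail_on)
    return code, diff


if __name__ == "__main__":
    code, diff = diff_gate(BASE_FINDINGS, HEAD_FINDINGS, "HIGH")
    for label in ("new", "unchanged", "resolved"):
        for f in diff[label]:
            print(f"{label:9} {f['package']}@{f['version']} {f['id']} ({f['severity']})")
    print("PR blocked" if code else "PR passes")
    sys.exit(code)
```

Run against the sample data the full gate fails on both the pre-existing HIGH and the new CRITICAL, while the diff gate fails only because of img-resize; with no new findings it passes even though acme-parser is still vulnerable, which is exactly the trade-off diff mode makes so that a PR is not blocked for debt it did not create.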
A note on intent: DepWarden scans the open-source components inside your application, a recurring entry point in real-world breaches, not your live website's HTTP surface. For dependency and supply-chain risk it goes deeper than a generic web scanner, prioritising by exploitability and handing you a one-command fix. Related: software composition analysis, free SBOM scanner, free Snyk alternative.