FAQ

General

Is Vekt free?

Yes. The Free tier costs nothing and includes 50 scans per day, access to all 12 ecosystems, and full CLI and API access. An API key is required but free to obtain at kief.dev/vekt. Paid plans start at $9/mo for higher limits and additional features. See pricing for the full comparison.

Does the CLI work offline?

Partially. The CLI can parse lockfiles without a network connection, but it cannot check packages for findings without querying the threat intel database. If you run vekt scan . with no network access, you will get a network error.

Cached results from a previous scan are not persisted to disk by default. If you need offline capability, contact [email protected] -- Enterprise on-prem deployments can be configured with a local threat intel mirror.

Can I use Vekt with private registries?

Not yet. Vekt currently supports only public ecosystems listed in the supported lockfiles table. Private registry support is on the roadmap. If your organization depends on a private npm registry, private PyPI server, or similar, contact sales to discuss options.

Is my lockfile content stored?

No. Lockfile content submitted via the API or CLI is processed in memory and is not persisted. Vekt extracts package names and versions from your lockfile, queries the threat intel database with those coordinates, and discards the original content. The threat intel queries contain only package name, version, and ecosystem -- not your lockfile itself.

How do I report a false positive?

Two options:

  1. Suppress locally: Add the package to your .vektignore file using vekt ignore add or by editing the file directly. See the CLI reference for the format.

  2. Report to us: If you believe a finding is incorrect in the underlying threat database, open a report via kief.dev/vekt/feedback or email [email protected] with the package name, version, ecosystem, and advisory ID. We will investigate and, if confirmed, submit a correction upstream.


Findings

What is the difference between MALICIOUS, VULN, and HOLDER?

MALICIOUS means the package has been confirmed as intentionally malicious. This includes packages that steal credentials, contain backdoors, exfiltrate data, or execute attacker-controlled code on install or at runtime. These findings come from advisories with a MAL- prefix.

Action: Remove the package immediately. Treat the environment as potentially compromised.

VULN means the package has a known security vulnerability -- a CVE, GitHub Security Advisory (GHSA), or ecosystem-specific advisory (PYSEC, RUSTSEC, etc.). The vulnerability may or may not be exploitable in your context, but it represents a known security defect in the package.

Action: Review the advisory, assess exploitability, and update to a patched version when available.

HOLDER means the package is a security-placeholder -- an inert stub published by the registry to occupy a name that was formerly used by a malicious package. The placeholder itself is harmless, but its presence in your lockfile indicates a stale dependency that no longer provides any functionality.

Action: Remove the package from your dependencies. It provides nothing useful.

How is the trust score calculated?

The trust score is a multi-signal composite. It considers:

  • Vulnerability history -- number and severity of past advisories
  • Maintainer activity -- number of maintainers, publish cadence, most recent release
  • OpenSSF Scorecard -- automated checks across security practices (CI, branch protection, code review, dependency pinning, etc.)
  • Download trajectory -- sudden spikes in downloads relative to baseline (a common indicator of name-squatting campaigns)
  • Provenance attestations -- whether the package was published with a verifiable build provenance record (Sigstore, npm provenance, etc.)

The score is a weighted combination of these signals normalized to a 0-100 range. The exact weights are adjusted periodically as new signals are incorporated.

Why does a package show as HOLDER instead of MALICIOUS?

Some package names were used by malicious actors, then removed by the registry and replaced with an inert placeholder to prevent re-squatting. These placeholders are flagged by the same advisory system that flags malicious packages (using a MAL- advisory ID), but Vekt distinguishes them from active malicious packages because the installed code is harmless.

Examples include npm packages that shadow Node.js built-in names (e.g., fs, os, net) at 0.0.x-security versions. These are stubs with no code.

I see a finding for a package I don't directly depend on. Why?

Vekt scans lockfiles, which include all transitive dependencies -- not just your direct dependencies. A finding on a transitive dependency still represents a real risk. The fix is typically to update the direct dependency that pulls in the vulnerable transitive package, which allows the package manager to resolve to a non-vulnerable version.
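The three behaviours the answers above describe (extracting only package coordinates from a lockfile, separating MALICIOUS, VULN and HOLDER findings, and tracing a transitive finding back to the direct dependency that pulls it in) as one added Python illustration. This is not Vekt's own code: the package-lock.json content and the advisory IDs used in calls are constructed, and using the 0.0.x-security version pattern to tell a HOLDER stub from an active MAL- finding is an assumption based on the example given in this FAQ.

```python
import json
import re
# Constructed package-lock.json (lockfileVersion 3 layout): the root project depends
# directly on left-pad and lodash; left-pad pulls in the built-in-shadowing stub "fs".
SAMPLE_LOCK = json.dumps({
    "name": "app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"left-pad": "^1.3.0", "lodash": "4.17.20"}},
        "node_modules/left-pad": {"version": "1.3.0", "dependencies": {"fs": "*"}},
        "node_modules/fs": {"version": "0.0.1-security"},
        "node_modules/lodash": {"version": "4.17.20"},
    },
})

HOLDER_VERSION = re.compile(r"^0\.0\.\d+-security$")  # assumed placeholder version shape
VULN_PREFIXES = ("CVE-", "GHSA-", "PYSEC-", "RUSTSEC-")  # advisory schemes mapped to VULN

def extract_coordinates(lock_text):
    """Return only (ecosystem, name, version) triples; no other lockfile content is kept."""
    packages = json.loads(lock_text)["packages"]
    coords = []
    for path, entry in packages.items():
        if path == "":  # the root project entry, not a dependency
            continue
        name = path.split("node_modules/")[-1]  # also handles nested and scoped paths
        coords.append(("npm", name, entry["version"]))
    return coords

def classify(advisory_id, version):
    """Map an advisory ID plus the installed version to MALICIOUS / VULN / HOLDER."""
    if advisory_id.startswith("MAL-"):
        # Same advisory family; the inert registry stub is distinguished by its version.
        return "HOLDER" if HOLDER_VERSION.match(version) else "MALICIOUS"
    if advisory_id.startswith(VULN_PREFIXES):
        return "VULN"
    raise ValueError(f"unknown advisory scheme: {advisory_id}")

def direct_dependencies_for(lock_text, target):
    """Return the direct dependencies whose subtree contains `target` (what you would bump)."""
    packages = json.loads(lock_text)["packages"]
    def reaches(name, seen):
        if name == target:
            return True
        if name in seen:  # guard against dependency cycles
            return False
        seen.add(name)
        deps = packages.get(f"node_modules/{name}", {}).get("dependencies", {})
        return any(reaches(d, seen) for d in deps)
    return [d for d in packages[""]["dependencies"] if reaches(d, set())]
```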


Browser extension

What data does the browser extension send?

Only the package name, version, and ecosystem are sent to the Vekt API. The extension does not send page content, URLs, browsing history, or any other data. See browser extension privacy for full details.

Which browsers are supported?

Chrome, Chromium-based browsers (Edge, Brave, Arc, Opera), and Firefox. Safari support is not currently available.


Billing and accounts

What happens when I hit the scan limit?

On the Free tier, the API returns 429 Too Many Requests until the daily limit resets at midnight UTC. On paid plans without overage enabled, the same happens. On paid plans with overage enabled, scans continue at $0.005 per scan and are billed at the end of the billing period.

Can I set an overage cap?

Yes. In your account dashboard under Billing, you can set a monthly overage spend cap. Once the cap is reached, the API returns 429 responses until the billing period resets.

Do scans roll over if I don't use them all?

No. Unused scans from a billing period do not carry over to the next period.