Vulnprune icon Vp
Get Started

Prune your Dependabot Alerts

Stop wasting time on unreachable vulnerabilities. Focus on the risk that really matters.


Get Started

False-positives are costing you money

Every Dependabot alert looks important, but most of them are unreachable. Be it from a function that isn't ever called, hardcoded safe parameters or a multitude of other reasons, some vulnerabilities can never actually be exploited.

Despite this, developers waste hours triaging and fixing these issues leading to increased costs, missed features, delayed releases, and frustrated engineers.

Vulnprune cuts through the noise by automatically dismissing false positives in JavaScript and TypeScript packages, so your security team sees what truly matters and your developers get back to building. No manual steps, we do all the work while you sit back and relax.

Features

Fire and forget

Fire and Forget

Fire and Forget

Install it once and walk away. Vulnprune runs in the background without dashboards, configs, or manual steps.

Auditable changes

Auditable Changes

Auditable Changes

Every dismissed alert includes a detailed explanation with links to the exact rules applied, so you always know why.

Reduce noise

Reduce Noise

Reduce Noise

Cut through the clutter and focus only on the vulnerabilities that genuinely put your project at risk.

Save time

Save Time

Save Time

Stop spending hours triaging false positives. Get your team back to shipping features that matter.

How it works

We read the dependency lockfiles in your codebase, and with it create a dependency graph, marking the paths to the vulnerable component.

Step 1 – dependency graph

We compare it with pre-defined rules that we created, and prune the paths that match with the rule.

Step 2 – rule matching

If all the paths are pruned, the alert is closed.

Step 3 – alert closed

Frequently asked questions

Will it hide real vulnerabilities?
If an alert is deemed a unreachable and closed, Vulnprune will leave a comment in the alert, with links to the rules used to reach that conclusion. Furthermore, if a rule has been deemed inaccurate by us and deleted, all alerts closed by it will automatically reopen.
Which languages and package ecosystems are supported?
Currently Vulnprune supports JavaScript and TypeScript projects using npm, yarn, or pnpm. Support for additional ecosystems is on the roadmap.
Does it work with private repositories?
Yes!
What languages are supported?
Currently focused on JavaScript and TypeScript. More coming soon. Do you want a specific language to be supported? Please leave a message in our contact section, so that we can prioritize it if enough people ask for it!