Package Vulnerability Reporting
Tiers: Enhanced, Advanced
Overview
Package Manager reports known security vulnerabilities in CRAN, Bioconductor, and PyPI packages, using data from the Open Source Vulnerabilities (OSV) database.
These vulnerabilities, along with any associated NIST CVEs, are displayed on the relevant package pages. Packages with vulnerabilities can also be blocked automatically via the blocklist with rspm create blocklist-rule --vulns.
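To make concrete what "a package version with a known vulnerability" means when it is derived from OSV data, the following is an added example (not Package Manager's own code) that matches a CRAN or PyPI package version against advisories in OSV schema shape and reports the advisory IDs with their CVE aliases. The two advisory records, their IDs, the CVE alias, and the package names examplepkg and examplelib are all constructed placeholders; the version comparison is deliberately simplified and is an assumption of this example, not the comparison rules Package Manager uses.

```python
"""Added example: match package versions against OSV-format advisories.

Not Package Manager code. The records below are constructed placeholders
(fictional package names, non-existent advisory and CVE identifiers).
"""
import re

# Constructed sample advisories in OSV schema shape.
SAMPLE_OSV_RECORDS = [
    {
        "id": "EXAMPLE-R-0001",                  # placeholder advisory id
        "aliases": ["CVE-0000-00001"],           # placeholder, not a real CVE
        "summary": "Placeholder advisory for the fictional CRAN package examplepkg",
        "affected": [
            {
                "package": {"ecosystem": "CRAN", "name": "examplepkg"},
                "ranges": [{"type": "ECOSYSTEM",
                            "events": [{"introduced": "0"}, {"fixed": "1.2-3"}]}],
            }
        ],
    },
    {
        "id": "EXAMPLE-PY-0002",                 # placeholder advisory id
        "aliases": [],
        "summary": "Placeholder advisory for the fictional PyPI package examplelib",
        "affected": [
            {
                "package": {"ecosystem": "PyPI", "name": "examplelib"},
                "ranges": [{"type": "ECOSYSTEM",
                            "events": [{"introduced": "2.0.0"}]}],  # no fix yet
            }
        ],
    },
]


def parse_version(v):
    """Simplified version key: numeric components split on '.', '-' or '_'.

    Sufficient for CRAN-style (1.2-3) and plain PyPI (2.31.0) versions used
    here; a production matcher needs ecosystem-specific comparison rules
    (this simplification is an assumption of the example).
    """
    parts = re.split(r"[.\-_]", v.strip())
    return tuple(int(p) if p.isdigit() else 0 for p in parts)


def version_in_range(version, events):
    """OSV ECOSYSTEM range semantics.

    'introduced' opens a window (inclusive), 'fixed' closes it (exclusive),
    'last_affected' closes it (inclusive). A window left open at the end of
    the event list means every later version is still affected.
    """
    key = parse_version(version)
    intro = None
    for ev in events:
        if "introduced" in ev:
            intro = parse_version(ev["introduced"])   # "0" parses as (0,)
        elif "fixed" in ev:
            if intro is not None and intro <= key < parse_version(ev["fixed"]):
                return True
            intro = None
        elif "last_affected" in ev:
            if intro is not None and intro <= key <= parse_version(ev["last_affected"]):
                return True
            intro = None
    return intro is not None and key >= intro


def find_vulnerabilities(records, ecosystem, name, version):
    """Return [(advisory_id, aliases)] for every record affecting name@version."""
    hits = []
    for rec in records:
        for aff in rec.get("affected", []):
            pkg = aff.get("package", {})
            if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
                continue
            explicit = version in aff.get("versions", [])   # explicit version list
            ranged = any(version_in_range(version, r.get("events", []))
                         for r in aff.get("ranges", []) if r.get("type") == "ECOSYSTEM")
            if explicit or ranged:
                hits.append((rec["id"], tuple(rec.get("aliases", []))))
                break  # one hit per advisory is enough
    return hits


def is_blocked(records, ecosystem, name, version):
    """Mirror of a 'block any version with any known vulnerability' rule."""
    return bool(find_vulnerabilities(records, ecosystem, name, version))


if __name__ == "__main__":
    for eco, n, v in [("CRAN", "examplepkg", "1.1"), ("CRAN", "examplepkg", "1.2-3"),
                      ("PyPI", "examplelib", "2.5.1"), ("PyPI", "examplelib", "1.9.9")]:
        print(eco, n, v, find_vulnerabilities(SAMPLE_OSV_RECORDS, eco, n, v))
```

The point to take from the second record is that an advisory with an introduced event and no fixed event marks every later version as affected, so a system-wide vulnerability block on such data stops all current versions of that package until a fix is published.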
The latest OSV vulnerability data is published to the Posit Package Service multiple times each day, and Package Manager will automatically synchronize this data in the background every 10 minutes.
For offline ("air-gapped") environments, vulnerability data can also be synchronized via the offline downloader. See the rspm-offline-downloader get vulns command.
For more information about OSV data sources, such as the R Consortium Advisory Database or the PyPI Advisory Database, see the OSV data sources list.
Functionality by Product Tier
At the Enhanced tier, only full system-wide vulnerability blocking is available via rspm create blocklist-rule --vulns. If enabled, all packages and versions with any known vulnerability will be blocked.
At the Advanced tier, full package blocking is available, including applying vulnerability blocking to specific sources or repositories, or making exceptions to allow specific vulnerable packages to be installed.