Package Vulnerability Reporting
Enhanced Advanced
Overview
Package Manager reports known security vulnerabilities with CRAN, Bioconductor, and PyPI packages from the Open Source Vulnerabilities (OSV) database.
These vulnerabilities, along with any associated NIST CVEs, will be displayed on the relevant package pages. Packages with vulnerabilities can also be blocked automatically via the blocklist with rspm create blocklist-rule --vulns.
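As an added illustration (not Package Manager's own code), the matching between an OSV advisory and a package version that underlies this reporting can be approximated in a few lines of Python. The advisory, package name and CVE id below are constructed placeholders, and the version comparison is a simplification of the CRAN and PEP 440 rules.

```python
import json
import re

# Constructed OSV-style advisory (placeholder ids, not a real advisory).
# OSV "affected" entries carry ECOSYSTEM ranges of introduced/fixed events;
# "introduced": "0" means every version up to the fix is affected.
SAMPLE_OSV = json.loads("""
{
  "id": "EXAMPLE-0000-0001",
  "aliases": ["CVE-0000-00000"],
  "affected": [
    {"package": {"ecosystem": "CRAN", "name": "examplepkg"},
     "ranges": [{"type": "ECOSYSTEM",
                 "events": [{"introduced": "0"}, {"fixed": "1.2-3"}]}]},
    {"package": {"ecosystem": "PyPI", "name": "examplepkg"},
     "ranges": [{"type": "ECOSYSTEM",
                 "events": [{"introduced": "2.0.0"}, {"fixed": "2.1.0"}]}]}
  ]
}
""")

def version_key(v):
    # Simplified comparison: split on '.' and '-' (CRAN uses both) and compare
    # numerically. PEP 440 pre-releases and epochs are deliberately not handled.
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.-]", v))

def is_affected(advisory, ecosystem, name, version):
    """True if (ecosystem, name, version) falls inside any affected range."""
    for entry in advisory["affected"]:
        pkg = entry["package"]
        if pkg["ecosystem"] != ecosystem or pkg["name"] != name:
            continue
        for rng in entry.get("ranges", []):
            if rng["type"] != "ECOSYSTEM":
                continue
            introduced = None
            for ev in rng["events"]:  # assumes events are listed in order
                if "introduced" in ev:
                    introduced = ev["introduced"]
                elif "fixed" in ev and introduced is not None:
                    if version_key(introduced) <= version_key(version) < version_key(ev["fixed"]):
                        return True
                    introduced = None
            # An introduced event with no later fix: every later version is affected.
            if introduced is not None and version_key(introduced) <= version_key(version):
                return True
        if version in entry.get("versions", []):  # explicit version lists
            return True
    return False

def cve_aliases(advisory):
    """The NIST CVE ids associated with an OSV advisory, if any."""
    return [a for a in advisory.get("aliases", []) if a.startswith("CVE-")]
```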
The latest OSV vulnerability data is published to the Posit Package Service multiple times each day, and Package Manager will automatically synchronize this data in the background every 10 minutes.
For offline ("air-gapped") environments, vulnerability data can also be synchronized via the offline downloader. See the rspm-offline-downloader get vulns command.
For more information about OSV data sources, such as the R Consortium Advisory Database or the PyPI Advisory Database, see the OSV data sources list.