primer docs

Pre-install security interceptor for package managers

primer sits in front of npm, pip, go get, and cargo add. Before any package reaches your system it is checked against the OSV vulnerability database. Clean installs pass through silently. Vulnerable ones are blocked with a prompt and a fix command.

Get started

New to primer? Three paths — pick the one that fits:

Supported ecosystems

EcosystemIntercepted commandsManifest / Lockfile
Pythonpip, uv, poetryrequirements.txt, pyproject.toml, uv.lock, poetry.lock
Node.jsnpm, yarn, pnpmpackage.json, package-lock.json, yarn.lock, pnpm-lock.yaml
Gogo get, go modgo.mod, go.sum
Rustcargo addCargo.toml, Cargo.lock

How it works

  1. Intercept — the shim captures the package name before the real binary runs.
  2. Scan — primer queries OSV and checks the 24 h local cache.
  3. Decide — clean results pass through silently; findings prompt the user with a CVE summary and a ready-to-run fix command.
  4. Execute or block — continue with y, abort with N (exit code 1).

Use the navigation on the left to explore all topics, or visit the primer homepage for a full overview.