Skip to main content

GitHub Security Advisories (GHSA)

GHSA is GitHub’s curated database of security advisories for open-source packages, with maintainer-reviewed affected-version ranges and fix versions.

GitHub Security Advisories (GHSA) is GitHub's curated database of vulnerabilities in open-source packages. Advisories originate from maintainers and security researchers, are reviewed by GitHub's security team, and carry their own GHSA identifiers alongside any assigned CVE.

How It Works

Each advisory names the affected package in its ecosystem's coordinates (npm, PyPI, Maven, and so on) with explicit affected-version ranges and the version that fixes the issue. The database is published openly, feeds GitHub's own Dependabot alerts, and is exported into the OSV schema so third-party scanners can consume it.

Why It Matters

For dependency scanning, the two facts that matter most are "which versions are affected" and "which version fixes it" — and package-native advisory databases like GHSA carry those far more consistently than the NVD's product-string records. That is why scanners union GHSA with OSV rather than relying on a single feed.

Related Terms

GHSA advisories flow into OSV, reference CVE identifiers, and complement the NVD's severity data.