About
The Julia Security Advisory Database is the canonical source of security advisories for packages in the Julia ecosystem. It covers all packages registered in the General registry, the Julia standard libraries, and Julia itself.
Goals
Be the database of security advisories for the Julia package ecosystem
Provide structure for authoring, reviewing, and maintaining advisories
Export advisories in the standard OSV format for downstream consumers
Search and import applicable advisories from upstream databases (NVD, EUVD, GitHub)
Advisory Format
Each advisory is a Markdown file with TOML frontmatter, identified by a JLSEC-YYYY-NNN identifier. Fields follow the OSV schema with a few ergonomic shorthands:
- The `summary` is the header immediately following the frontmatter (if one exists).
- The `details` are the remainder of the file.
- The `affected` packages are stored much more succinctly as an array of tables with each package's name (`pkg`) and `vulnerable` ranges. The ranges themselves are vectors of strings, using GitHub's vulnerable version range (VVR) syntax.
- Timestamps are stored directly as TOML datetimes, not as strings.
- OSV's `credits`, `references`, and `severities` are all canonically arrays of tables with multiple fields, but JLSEC supports specifying typical entries as a single string:
  - Credits can use the shorthand `"Author Name <author@example.com>"` for the common case where no credit type is assigned and there is only one email-based contact method.
  - References can contain URLs directly; these become `WEB` reference types.
  - Severities can contain the CVSS string itself.
- Any additional fields whose names start with `jlsec_` are placed into `database_specific` (with the prefix removed).
Contributing
Anyone can submit or update advisories via pull request. See the contributing guide for details. For disclosure of serious issues, please email security@julialang.org.
Data Export
All advisories are automatically exported to OSV-compliant JSON on the generated/osv branch. Pull request CI validates the conversion before merging.