# OSS Package Search

{% hint style="warning" %}
**Available for Enterprise Tier Only**
{% endhint %}

OSS Package Search lets you quickly identify where specific open-source packages appear across your organization — from pull requests and repositories to developer machines. When a package is found to be compromised or vulnerable, you can use this feature to understand your blast radius and take targeted remediation steps.

You can search at the organization level or across your entire tenant, depending on your scope of access.

### Supported Ecosystems

OSS Package Search supports the following package ecosystems:

* **npm** — the Node.js package registry
* **PyPI** — the Python Package Index

Select the ecosystem from the **Package ecosystem** toggle at the top of the search form.


### Search Scope

OSS Package Search covers two surfaces:

* **CI/CD and Repositories** — identifies where a package was introduced across pull requests and default branches. Results link directly to the PR where the dependency was added, so you can revert or patch it quickly.
* **Developer Machines** — identifies where a package is installed on developer endpoints, including packages installed by AI coding agents and tools. For each match, the search returns the exact file path and package manager used, which you can use to build an MDM or EDR remediation script and verify removal after cleanup.

### Supported Files

OSS Package Search inspects the following dependency and lock files when indexing packages from CI/CD pipelines, repositories, and developer machines.

#### npm ecosystem

| Package manager | Files                             |
| --------------- | --------------------------------- |
| npm             | `package-lock.json`               |
| Yarn            | `yarn.lock`                       |
| pnpm            | `pnpm-lock.yaml`, `pnpm-lock.yml` |
| Bun             | `bun.lock`                        |

#### PyPI ecosystem

| Package manager | Files                                                                                                      |
| --------------- | ---------------------------------------------------------------------------------------------------------- |
| pip             | `requirements*.txt`, `requirements*.in`, files inside a `requirements/` directory, `setup.py`, `setup.cfg` |
| Poetry          | `poetry.lock`                                                                                              |
| uv              | `uv.lock`                                                                                                  |
| Pipenv          | `Pipfile.lock`                                                                                             |
| Conda           | `environment.yml`, `environment.yaml`                                                                      |
| PyLock          | `pylock.toml`, `pylock.<name>.toml`                                                                        |

### How to Use OSS Package Search

**Step 1: Navigate to StepSecurity Dashboard → OSS Package Search**


**Step 2: Configure your search filters**

* **Search Scope** — choose **Organization Search** to search within your current organization, or **Tenant Search** to search across all organizations in your tenant.
* **Package ecosystem** — choose **npm** or **PyPI**.
* **Search Type** — choose **Custom Search** to specify packages manually, or **Compromised Packages Search** to focus on known compromised or vulnerable packages.
* **Repository** — optionally narrow results to a specific repository.
* **Seen In** — filter by where the package was detected. Options include *All (PRs, Default Branch & Dev Machines)*, or a specific surface.
* **Time Range** — optionally select a date range to limit results.


**Step 3: Add the packages you want to search for.**

Enter a package name and, if applicable, one or more specific versions. Click **Add Package** to add more packages to the same search. Results can be exported as CSV.


**Step 4: Run the search and review results.**

Matching results show the default branches, PRs and developer machines where the package was found. Click any result to view details — for CI/CD results this links to the corresponding pull request; for developer machine results this shows the install path and package manager.


**Step 5: Remediate**

* For CI/CD findings, revert the affected PR or patch the dependency directly.
* For developer machine findings, use the file path information to build a removal script via your MDM or EDR tooling. After running the script, rescan the device to confirm the package is no longer present.


**Follow this interactive demo to see how this works:**

{% embed url="https://app.storylane.io/share/ikokjxskmmum" %}

{% hint style="info" %}
For a complete guide to preventing, detecting, and responding to npm attacks, see [NPM Supply Chain Security](https://docs.stepsecurity.io/oss-supply-chain-security/)
{% endhint %}
