NodeSecure · fraxken · Mar 14, 2026 · Mar 12, 2026
diff --git a/.changeset/fuzzy-zebras-lose.md b/.changeset/fuzzy-zebras-lose.md
@@ -0,0 +1,6 @@
+---
+"@nodesecure/scanner": minor
+"@nodesecure/rc": minor
+---
+
+Update vulnera to v3.x.x
diff --git a/workspaces/rc/package.json b/workspaces/rc/package.json
@@ -47,7 +47,7 @@
   "dependencies": {
     "@nodesecure/js-x-ray": "14.0.0",
     "@nodesecure/npm-types": "^1.2.0",
-    "@nodesecure/vulnera": "^2.0.1",
+    "@nodesecure/vulnera": "3.0.0",
     "@openally/config": "^1.0.1",
     "@openally/result": "2.0.0",
     "lodash.merge": "^4.6.2",

diff --git a/workspaces/scanner/package.json b/workspaces/scanner/package.json
@@ -76,7 +76,7 @@
     "@nodesecure/tarball": "^3.5.0",
     "@nodesecure/tree-walker": "^2.5.0",
     "@nodesecure/utils": "^2.3.0",
-    "@nodesecure/vulnera": "^2.0.1",
+    "@nodesecure/vulnera": "3.0.0",
     "@openally/mutex": "^2.0.0",
     "fastest-levenshtein": "^1.0.16",
     "frequency-set": "^2.1.0",

diff --git a/workspaces/scanner/src/comparePayloads.ts b/workspaces/scanner/src/comparePayloads.ts
@@ -1,6 +1,6 @@
 // Import Third-party Dependencies
 import type { Warning } from "@nodesecure/js-x-ray";
-import * as Vulnera from "@nodesecure/vulnera";
+import type { StandardVulnerability } from "@nodesecure/vulnera";
 
 // Import Internal Dependencies
 import type {
@@ -33,7 +33,7 @@ export interface DependencyComparison {
   publishers: ArrayDiff<Publisher>;
   maintainers: ArrayDiff<Maintainer>;
   versions: VersionsComparisonResult;
-  vulnerabilities: ArrayDiff<Vulnera.StandardVulnerability>;
+  vulnerabilities: ArrayDiff<StandardVulnerability>;
 }
 
 export interface VersionsComparisonResult {

diff --git a/workspaces/scanner/src/depWalker.ts b/workspaces/scanner/src/depWalker.ts
@@ -324,8 +324,8 @@ export async function depWalker(
   const isVulnHydratable = (strategy === "github-advisory" || strategy === "snyk")
     && isRemoteScanning;
   if (!isVulnHydratable) {
-    await hydratePayloadDependencies(dependencies as any, {
-      useStandardFormat: true,
+    await hydratePayloadDependencies(dependencies, {
+      useFormat: "Standard",
       path: location
     });
   }

diff --git a/workspaces/scanner/src/types.ts b/workspaces/scanner/src/types.ts
@@ -1,6 +1,6 @@
 // Import Third-party Dependencies
 import type { Warning } from "@nodesecure/js-x-ray";
-import * as Vulnera from "@nodesecure/vulnera";
+import type { StandardVulnerability, Kind } from "@nodesecure/vulnera";
 import type { PackageModuleType } from "@nodesecure/mama";
 
 import type { SpdxFileLicenseConformance } from "@nodesecure/conformance";
@@ -153,7 +153,7 @@ export interface Dependency {
    *
    * @see https://github.com/NodeSecure/vuln
    */
-  vulnerabilities: Vulnera.StandardVulnerability[];
+  vulnerabilities: StandardVulnerability[];
 }
 
 export type Dependencies = Record<string, Dependency>;
@@ -265,7 +265,7 @@ export interface Payload {
   /** Version of the scanner used to generate the result */
   scannerVersion: string;
   /** Vulnerability strategy name (npm, snyk, node) */
-  vulnerabilityStrategy: Vulnera.Kind;
+  vulnerabilityStrategy: Kind;
 
   metadata: Stats;
 }
@@ -325,7 +325,7 @@ export interface Options {
    *
    * @default NONE
    */
-  readonly vulnerabilityStrategy?: Vulnera.Kind;
+  readonly vulnerabilityStrategy?: Kind;
 
   /**
    * Analyze root package.