Pip-audit: Google-backed tool probes Python environments for vulnerable packages
Pip-audit uses the PyPI JSON API to check a project's dependencies against the Python Packaging Advisory Database, a repository of security advisories that collects much of its data from the NVD CVE feed.
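The lookup the article describes, as an added example that is not pip-audit's own code: pinned requirements are parsed, each package/version is looked up in the per-version PyPI JSON document (`https://pypi.org/pypi/<name>/<version>/json`, whose `vulnerabilities` list carries the `id`, `aliases`, `fixed_in` and `link` fields the real API exposes), and every advisory that affects the installed version is reported together with the first fixed release. The responses below are constructed stubs with placeholder package names and advisory ids so the script runs offline; `fetch_live` is the equivalent network call and is only used if you pass it in explicitly.

```python
"""Minimal offline model of a pip-audit style dependency check."""
import json
import re
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# URL shape of the per-version PyPI JSON document (real endpoint).
PYPI_JSON_URL = "https://pypi.org/pypi/{name}/{version}/json"

# Constructed stand-ins for live API responses. "examplepkg" and the
# PYSEC-0000-EXAMPLE advisory are placeholders, not real packages or advisories.
FAKE_PYPI_RESPONSES: Dict[Tuple[str, str], dict] = {
    ("examplepkg", "1.0.0"): {
        "info": {"name": "examplepkg", "version": "1.0.0"},
        "vulnerabilities": [
            {
                "id": "PYSEC-0000-EXAMPLE",
                "aliases": ["CVE-0000-00000"],
                "details": "Placeholder advisory text for the example.",
                "fixed_in": ["1.0.2"],
                "link": "https://example.invalid/advisory/PYSEC-0000-EXAMPLE",
                "source": "osv",
            }
        ],
    },
    ("examplepkg", "1.0.2"): {"info": {"name": "examplepkg", "version": "1.0.2"}, "vulnerabilities": []},
    ("cleanpkg", "2.3.1"): {"info": {"name": "cleanpkg", "version": "2.3.1"}, "vulnerabilities": []},
}

# Constructed requirements file, including a comment line and odd name casing.
SAMPLE_REQUIREMENTS = """
# pinned application dependencies (constructed sample)
ExamplePkg==1.0.0
cleanpkg==2.3.1
"""


@dataclass
class Finding:
    name: str
    version: str
    advisory_id: str
    aliases: List[str]
    fixed_in: List[str]
    link: str


def normalize_name(name: str) -> str:
    """PEP 503 normalisation, the form PyPI uses for project names."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> List[Tuple[str, str]]:
    """Parse 'name==version' pins; comments, blanks and unpinned lines are skipped."""
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "==" not in line:
            continue
        name, version = (part.strip() for part in line.split("==", 1))
        deps.append((normalize_name(name), version))
    return deps


def fetch_offline(name: str, version: str) -> dict:
    """Serve the constructed stub instead of hitting the network."""
    try:
        return FAKE_PYPI_RESPONSES[(name, version)]
    except KeyError:
        raise LookupError(f"{name}=={version} is not in the offline stub")


def fetch_live(name: str, version: str) -> dict:
    """Real lookup against PyPI; not exercised by the offline run."""
    with urllib.request.urlopen(PYPI_JSON_URL.format(name=name, version=version), timeout=10) as resp:
        return json.load(resp)


def audit(deps: List[Tuple[str, str]], fetch: Callable[[str, str], dict] = fetch_offline) -> List[Finding]:
    """Return one Finding per advisory affecting an installed (name, version)."""
    findings = []
    for name, version in deps:
        doc = fetch(name, version)
        for vuln in doc.get("vulnerabilities", []):
            findings.append(Finding(name, version, vuln["id"],
                                    list(vuln.get("aliases", [])),
                                    list(vuln.get("fixed_in", [])),
                                    vuln.get("link", "")))
    return findings


if __name__ == "__main__":
    for f in audit(parse_requirements(SAMPLE_REQUIREMENTS)):
        fix = f.fixed_in[0] if f.fixed_in else "no fix listed"
        print(f"{f.name}=={f.version}: {f.advisory_id} ({', '.join(f.aliases)}) fixed in {fix}")
```

Because the PyPI document is keyed by exact version, the API only returns advisories that apply to that version, so no version-range logic is needed on the client side; the `fixed_in` list is what a remediation step would use to pick the upgrade target.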