npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@arcis/node

v1.4.0

Published

One line of code protects your Node.js app against 45+ security flaws at runtime — XSS, SQL injection, CSRF, SSRF, HPP, rate limiting, bot detection, and more. Zero dependencies. Supply chain attack scanner included.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

gagan_cmgagan_cm

Keywords

securityexpressmiddlewarexsssql-injectionnosql-injectionrate-limitsanitizevalidationcsrfhelmetnodejsarcisssrfopen-redirectcorsprototype-pollutioncommand-injectionpath-traversalsecurity-headersinput-validationweb-security

Readme

@arcis/node

npm version License: MIT CI

One-line security middleware for Node.js.

Part of the Arcis ecosystem with implementations for Node.js, Python, and Go.

17 attack vectors handled. 970+ tests. Zero dependencies.

Installation

npm install @arcis/node

Quick Start

With Express (built-in adapter)

import { arcis } from '@arcis/node';

app.use(arcis());
// That's it. Sanitization, rate limiting, and security headers are on.

With any framework (Fastify, Koa, Hono, etc.)

The core sanitization, validation, and logging functions have zero framework dependencies. Use them directly in any Node.js project:

import {
  sanitizeString,
  sanitizeObject,
  detectXss,
  detectSql,
  detectCommandInjection,
  detectPathTraversal,
  createSafeLogger,
  createRedactor,
} from '@arcis/node';

// Sanitize user input — works anywhere
const clean = sanitizeString(userInput);
const cleanBody = sanitizeObject(requestBody);

// Detect threats without sanitizing
if (detectXss(value)) { /* reject */ }
if (detectSql(value)) { /* reject */ }

// Safe logging — no framework needed
const logger = createSafeLogger();
logger.info('User login', { email, password: 'will-be-redacted' });

Writing your own middleware is straightforward. Here's a Fastify example:

import { sanitizeObject } from '@arcis/node';

fastify.addHook('preHandler', async (request, reply) => {
  if (request.body) request.body = sanitizeObject(request.body);
  if (request.query) request.query = sanitizeObject(request.query);
});

Koa:

import { sanitizeObject } from '@arcis/node';

app.use(async (ctx, next) => {
  if (ctx.request.body) ctx.request.body = sanitizeObject(ctx.request.body);
  if (ctx.query) ctx.query = sanitizeObject(ctx.query);
  await next();
});

Hono:

import { sanitizeObject } from '@arcis/node';

app.use('*', async (c, next) => {
  const body = await c.req.json().catch(() => null);
  if (body) c.set('sanitizedBody', sanitizeObject(body));
  await next();
});

What It Protects Against

| Category | What it stops | |----------|--------------| | XSS | Script injection, event handlers, javascript: URIs, SVG/iframe payloads | | SQL Injection | Keywords, boolean logic, comments, time-based blind (SLEEP, BENCHMARK) | | NoSQL Injection | MongoDB operators ($gt, $where, $regex, 25+ blocked operators) | | Command Injection | Shell metacharacters, dangerous commands, redirections | | Path Traversal | ../, encoded variants (%2e%2e), null byte injection | | Prototype Pollution | __proto__, constructor, __defineGetter__, 7 keys blocked (case-insensitive) | | HTTP Header Injection | CRLF injection, response splitting, null bytes | | SSRF | Private IPs, loopback, link-local, cloud metadata, dangerous protocols | | Open Redirect | Absolute URLs, javascript:, protocol-relative, backslash/control char bypass | | Error Leakage | Stack traces, DB errors, connection strings, internal IPs scrubbed in production | | CORS Misconfiguration | Whitelist-based origins, null origin blocked, Vary: Origin enforced | | Cookie Security | HttpOnly, Secure, SameSite enforced on all cookies | | Rate Limiting | Per-IP, sliding window, token bucket, in-memory or Redis, X-RateLimit-* headers | | Bot Detection | 80+ patterns, 7 categories (crawlers, scrapers, AI bots, etc.), behavioral signals | | CSRF | Double-submit cookie, token generation and validation | | Security Headers | CSP, HSTS, X-Frame-Options, 10 headers out of the box | | Input Validation | Type checking, ranges, enums, email (disposable blocklist, typo suggestions, MX verify), mass assignment prevention |

Architecture

Arcis separates core security logic from framework adapters:

@arcis/node
├── Core (framework-agnostic)
│   ├── sanitizeString / sanitizeObject   — clean any input
│   ├── detectXss / detectSql / ...       — threat detection
│   ├── createSafeLogger / createRedactor — safe logging
│   ├── MemoryStore / RedisStore          — rate limit backends
│   └── Error classes and constants
│
└── Adapters (framework-specific)
    └── Express middleware (arcis(), arcis.sanitize(), arcis.rateLimit(), ...)

The core functions are pure — no req, res, or next. They take values in and return values out. This means they work with Express, Fastify, Koa, Hono, Nest, raw http.createServer, Bun, Deno, serverless functions, or anything else.

Subpath imports are available for tree-shaking:

import { sanitizeString } from '@arcis/node/sanitizers';
import { createSafeLogger } from '@arcis/node/logging';
import { MemoryStore } from '@arcis/node/stores';

Documentation

Detailed configuration, API reference, Redis setup, and architecture docs are in the Wiki.

Contributing

  1. Fork the repo and create your branch from nwl (the active development branch)
  2. All PRs target nwlmain is release-only
  3. All changes must pass existing tests
  4. New features require test cases aligned with spec/TEST_VECTORS.json

License

MIT