npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@boldsec/mcp

v0.12.0

Published

BoLD MCP server: connect, wire, and verify BoLD authorization monitoring (BOLA/IDOR, BFLA, BOPLA mass-assignment, tenant isolation, missing-auth) from your AI editor (Claude, Cursor, Codex). Metadata only; never reaches a verdict.

Readme

@boldsec/mcp

The BoLD MCP server — connect, wire, and verify BoLD live BOLA/IDOR monitoring from your AI editor (Claude Desktop, Cursor, Codex). Your editor's AI assistant reads your repo and wires BoLD for you; you review every change.

  • Metadata only. BoLD receives only request metadata, never your code or your users' data. This server reads nothing and uploads nothing; it just talks to the BoLD API on your behalf.
  • Never reaches a verdict. The MCP only connects / lists / shows coverage / explains wiring. BoLD's engine owns every verdict; no tool here decides "vulnerable" or "safe".
  • You stay in control. The assistant proposes diffs; you approve them. Nothing is committed for you.

Setup

One command signs you in and wires the editors you pick:

npx @boldsec/mcp@latest connect

The @latest matters: it always runs the newest published server, so your editor picks up new authorization checks (BFLA, BOPLA, and beyond) instead of relaunching a stale cached build. The wiring it writes launches the server the same way, so it stays current on its own.

It opens your browser to approve (no token to copy), then writes a secret-free entry into each editor you choose (Claude Code, Cursor, Claude Desktop, VS Code, Codex, Windsurf). Your token is stored privately at ~/.boldsec/credentials.json (mode 0600), never in the editor config, so a committed config leaks nothing.

  • npx @boldsec/mcp@latest status — confirm you are connected and the token still works.
  • npx @boldsec/mcp@latest wire — re-run just the editor wiring (e.g. to add another editor, or to refresh an editor that is still launching an older cached build).
  • npx @boldsec/mcp@latest disconnect — revoke the token and remove the entry.

Manual / CI setup

Prefer to set it up by hand, or wiring a machine with no browser? Mint a personal access token (starts with blt_) in BoLD under Settings, then add the server to your editor's MCP config:

{
  "mcpServers": {
    "bold": {
      "command": "npx",
      "args": ["-y", "@boldsec/mcp@latest"],
      "env": { "BOLD_TOKEN": "blt_your_token_here" }
    }
  }
}

BOLD_API_URL is optional (defaults to https://api.boldsec.io). The token is a secret: it is sent only in the Authorization header and is never logged or echoed.

Tools

  • bold_connect_app(name, base_url) — returns the steps to connect an app. The ingest key is a secret you copy from the BoLD web app and set yourself; this tool NEVER returns it, so the key never enters the assistant's context.
  • bold_list_monitors() — your connected apps and whether each is watching or waiting.
  • bold_coverage(monitor_id) — the routes BoLD has actually seen traffic on. Reports only observed routes; never implies coverage of an unwired route (not an all-clear).
  • bold_wiring_guide(stack?) — step-by-step wiring instructions for the current repo, including how to write resolveCallerId for your auth, and the rule to leave the TODO if unsure.
  • bold_check_resolver(caller_id, owner_id) — a sanity check that the id your resolver returns has the same shape as your object's owner field. Flags a gross mismatch; never asserts a resolver is correct (a shape match is necessary, not sufficient).
  • bold_bfla_guide() — how to declare privileged routes (function-level authorization / BFLA) with the privileged flag and run a BFLA check. Relays information only; BoLD's engine reaches the verdict.
  • bold_bopla_guide() — how to declare write-protected fields (mass assignment / BOPLA) with sensitiveFields so the live lead fires and the active check has something to confirm. Names only, never a value. Relays information only; BoLD's engine reaches the verdict.
  • bold_prepare_bfla_check(base_url, routes) — prepare a BFLA check; returns a one-time browser link where you paste two test sessions. Credentials never pass through the assistant.
  • bold_bfla_status(pending_id) — read the sealed BFLA result; relays BoLD's summary verbatim.
  • bold_prepare_bopla_check(base_url, routes) — prepare a BOPLA check of your declared write-protected fields; returns a one-time browser link where you paste one test session. BoLD escalates on its own throwaway object. Credentials never pass through the assistant.
  • bold_bopla_status(pending_id) — read the sealed BOPLA result; relays BoLD's summary verbatim.

What a session looks like

"Connect this app to BoLD and wire it up."

The assistant calls bold_connect_app (which tells you to create the monitor and set the two env vars yourself in the BoLD web app — the ingest key never touches the assistant), then bold_wiring_guide, then wraps your routes with @boldsec/next, writes resolveCallerId from your repo's auth (or leaves the TODO and asks you if it cannot tell), and finally calls bold_coverage so you can watch the routes light up. You review and approve every diff, and you alone handle the ingest key.