npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@critiq/cli

v0.1.0

Published

Critiq CLI for deterministic codebase checks, rule validation, and fixture-driven rule tests.

Downloads

399

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

aavanzylaavanzyl

Keywords

Readme

Think of Critiq as an extra code reviewer that scans your project for bugs, security issues, performance problems, and risky changes before they turn into production incidents. Instead of only checking style, it focuses on the kinds of problems that usually slip through review and cause real trouble later. You run it locally or in CI, and it gives you deterministic findings you can act on before merging code.

It does this by parsing your code, matching it against a curated catalog of explicit rules, and reporting findings with concrete evidence tied to the code that triggered them. That means the output is based on repeatable checks for things like unsafe SQL, missing authorization, repeated IO in loops, and untested critical logic changes, not vague heuristics or style-only linting.

@critiq/cli runs Critiq checks against real code and exposes the public rule-pack commands for validation, testing, normalization, and explanation. By default it uses @critiq/rules as the open source catalog with recommended rules. You can configure this by adding a .critiq/config.yaml configuration file.

@critiq/cli is capable of scanning codebases written in TypeScript, JavaScript, Node.js, Go, Java, Python, PHP, Ruby, and Rust.

Start In 60 Seconds

Run Critiq on your project:

npm install -D @critiq/cli @critiq/rules
npx critiq check .

Run Critiq against a diff:

npx critiq check . --base origin/main --head HEAD

GitHub Actions

To run the same checks on pull requests in GitHub Actions—with optional inline PR review comments and severity-based merge gates—use the official composite action critiq-dev/critiq-action (README). The action wraps critiq check, honors .critiq/config.yaml, and can install published @critiq/cli / @critiq/rules when they are not already declared on the repository root package.json.

Example .github/workflows/critiq.yml:

name: Critiq

on:
  pull_request:

permissions:
  contents: read
  pull-requests: write

jobs:
  critiq:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Run Critiq
        uses: critiq-dev/critiq-action@v1
        with:
          fail-on-severity: off

Use a major tag (@v1) or pin a commit SHA for supply-chain control. More options (inputs, outputs, monorepos, reusable workflow) are in the action README.

Public Commands

critiq check also runs an advisory built-in secret scan (same scope as the rule engine, plus optional --staged for index-only staging review) and prints a short summary before rule results. That scan does not change the critiq check exit code; use critiq audit secrets for full output and for gating in CI.

What "staged review" means

  • "Staged" means Git index content (what git add has queued), not all local edits.
  • Critiq reads staged content the same way Git does for commit previews (git diff --cached).
  • Use this when you want pre-commit checks to match exactly what will be committed.

| Command | What it does | | --- | --- | | critiq check [target] | Runs deterministic checks against a codebase, directory, or single file. | | critiq check . --base origin/main --head HEAD | Limits scanning to changed files and changed ranges in a diff. | | critiq check . --staged | Rule scan unchanged; the advisory secret scan reads only what is staged in Git index (git diff --cached). | | critiq check . --format sarif | Exports findings as SARIF 2.1.0 for code scanning and security platforms. | | critiq check . --format html | Exports a shareable HTML report for human review and audit handoff. | | critiq audit secrets [target] | Runs the dedicated secret-pattern scanner (exit non-zero when matches are found). | | critiq audit secrets . --base origin/main --head HEAD | Secret scan over changed files only (includes non-code paths such as .env). | | critiq audit secrets . --staged | Secret scan over staged paths/blobs from Git index (git diff --cached) (pre-commit friendly). | | critiq audit / critiq audit --help | Lists audit subcommands. | | critiq rules validate <glob> | Validates rule YAML files and returns diagnostics. | | critiq rules test [glob] | Runs fixture-backed RuleSpec files end to end. | | critiq rules normalize <file> | Prints the canonical normalized form of one rule. | | critiq rules explain <file> | Shows a readable breakdown of how one rule is interpreted. |

Runtime Config

critiq check is catalog-first. When .critiq/config.yaml is present, it controls the catalog package, preset, and filters used for the run.

apiVersion: critiq.dev/v1alpha1
kind: CritiqConfig
catalog:
  package: "@critiq/rules"
preset: recommended
disableRules: []
disableCategories: []
disableLanguages: []
includeTests: false
ignorePaths: []
severityOverrides: {}

Supported presets are recommended, strict, security, and experimental.

Optional secretsScan in the same file merges extra ignorePaths (in addition to top-level ignorePaths), disables individual detectors by id (match the detectorId field in JSON output; published ids are exported as SECRETS_SCAN_DETECTOR_IDS from @critiq/check-runner), and drops findings listed under suppressFingerprints (64 lowercase hex characters from JSON fingerprint).

Git hooks

Sample scripts ship under scripts/hooks/ in this package (for example pre-commit.sample.sh runs critiq audit secrets . --staged; pre-push.sample.sh runs a diff against origin/main or CRITIQ_PRE_PUSH_BASE). Copy one to .git/hooks/ and mark it executable, or wire the same commands into Husky.

Default OSS Rule Catalog

The default open source catalog in @critiq/rules currently includes 112 rules across 10 categories.

| Category | Rules | What it looks after | | --- | ---: | --- | | Security | 70 | Injection, auth and session gaps, unsafe transport, sensitive data exposure, unsafe file and HTML handling | | Correctness | 15 | Async bugs, null access, control-flow mistakes, missing fallbacks, race conditions | | Performance | 10 | Repeated IO, wasted async sequencing, hot-path loops, large retained objects, render churn | | Quality | 10 | Error handling gaps, oversized functions, coupling, duplicated logic, and weak test coverage | | Logging | 2 | Console usage and unsafe logging patterns | | Config | 1 | Configuration access boundaries | | Next | 1 | Server and client boundary leaks | | Random | 1 | Unsafe randomness in core logic | | React | 1 | Cascaded effect fetch patterns | | Runtime | 1 | Debug-only statements left in shipped code |

High-Value Rules In The Default Catalog

| Rule title | Description | | --- | --- | | Hardcoded API keys or credentials | Source files should not embed credential-like string literals. | | Avoid raw or interpolated SQL| Database query sinks must not receive request-driven or dynamically interpolated SQL text. | | Path traversal via user input | File access calls must not use request-controlled paths directly. | | Protect deserialization trust boundaries| Deserializers should not consume untrusted payloads directly across a trust boundary. | | Server-side request forgery (ts.security.ssrf) | Outbound requests should not use attacker-controlled targets or private hosts. | | Open redirect via request-controlled target| Redirect and navigation sinks should not use request-controlled destinations without validation. | | Missing authorization before sensitive action | Sensitive backend actions should be guarded by an authorization or permission check. | | Use authenticated encryption for secrets and tokens | Session, cookie, and token encryption should provide integrity protection in the same helper. | | Missing await on async call | Async functions should not drop direct async calls without awaiting them. | | Repeated IO call inside loop | Database or network calls inside loops can multiply latency and load. | | Logic change without corresponding test updates | Diffs that change critical logic should usually update the matching tests in the same change. | | Avoid server/client boundary leaks in Next.js | Server components should not use browser-only APIs or client-only hooks without an explicit client boundary. |

Reference

License

@critiq/cli is licensed under Apache 2.0. See the source LICENSE.