npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@devdonzo/warden

v1.8.0

Published

Autonomous SRE & Security Orchestration Agent - The Warden of your Codebase

Readme

Warden

Warden is an auditable security remediation agent for teams that want agentic fixes without losing policy, review, and CI control.

npm version npm downloads CI License: ISC

Coding agents can fix vulnerabilities when you ask them to. Warden turns that ability into a repeatable security workflow:

  • Scan a repository or infrastructure target.
  • Prioritize the findings that matter.
  • Apply safe fixes within configured limits.
  • Block risky remediation until approval.
  • Open reviewable security PRs.
  • Record what happened, why it happened, and what policy allowed or blocked.
  • Fail CI when risk crosses your gate.

The product is not "an LLM that fixes code." The product is the control plane around agentic remediation.

Open Source Status

Warden is public, ISC-licensed, and distributed on npm as @devdonzo/warden. The repository includes CI, release packaging checks, contribution guidelines, issue templates, a security policy, machine-readable artifact schemas, and a copyable downstream GitHub Actions workflow for adopters.

Current public usage signals are tracked in docs/OPEN-SOURCE-MAINTENANCE.md.

Why Not Just Use Codex or Claude Code?

Use Codex or Claude Code when you want an interactive coding partner.

Use Warden when security work needs to happen the same way every time:

  • Continuous: runs in CI, release gates, and scheduled scans.
  • Governed: enforces severity gates, posture gates, fix limits, and approval requirements.
  • Auditable: writes durable artifacts instead of leaving the rationale trapped in chat history.
  • Reviewable: produces PR context for humans and future agents.
  • Stateful: tracks baselines, regressions, run history, and recurring vulnerable package memory.

Warden answers the questions that matter after an agent touches a repo:

What broke?
What did we select for remediation?
What changed?
What was blocked?
Why did the agent think this mattered?
Which PRs or reports came out of the run?

What It Does

Warden currently supports:

  • SAST dependency scans for Node.js and Python projects.
  • DAST-style infrastructure advisory runs.
  • npm-audit, pip-audit, Snyk fallback paths, and mock scanner support for tests.
  • Dry-run remediation planning.
  • GitHub branch and PR automation when credentials are configured.
  • CI policy gates with deterministic exit codes.
  • Accepted-risk baselines for regression-only enforcement.
  • Local console and human-readable reports.
  • Machine-readable artifact contracts in schemas/.

Install

npm install -g @devdonzo/warden

For local development:

npm install
npm run build

Quick Start

Validate your environment:

warden validate

Run a local dry-run scan:

warden scan . --dry-run --scanner npm-audit --severity high --max-fixes 2

Run with CI policy gates:

warden scan . --ci --json --scanner npm-audit --severity high

Create an accepted-risk baseline:

warden baseline --create
git add .warden-baseline.json

Fail only on new or worsened high-risk findings:

warden baseline --check --severity high

Open the local console:

warden console

Core Commands

warden scan [repository-or-path]
warden dast <target>
warden baseline --create
warden baseline --check
warden console
warden validate
warden bootstrap-ci

Useful flags:

--scanner <snyk|npm-audit|pip-audit|all>
--severity <low|medium|high|critical>
--max-fixes <n>
--dry-run
--json
--ci
--approval-token approved

Output Artifacts

Warden writes durable run artifacts into scan-results/:

| Artifact | Purpose | |---|---| | scan-results.json | Normalized scanner output | | warden-report.md | Human-readable operator report | | scan-results.html | HTML report | | agent-run-record.json | Agent handoff record with findings, fixes, policy reasons, and why-it-matters context | | warden-approval-request.json | Written when policy blocks risky remediation | | history.json | Longitudinal run history | | memory.json | Recurring vulnerable package memory | | .warden-baseline.json | Committed accepted-risk baseline |

The JSON artifacts have schemas in schemas/ so other agents, CI jobs, dashboards, and review tools can consume Warden output without scraping terminal logs.

The Agent Handoff Record

agent-run-record.json is the artifact that makes Warden useful beyond a single chat session. It captures:

  • What broke: scan summary and top findings.
  • What changed: selected vulnerability IDs, attempted fixes, applied fixes.
  • What was produced: branches, PR URLs, reports, and advisories.
  • Why it matters: risk score, posture, and remediation summary.
  • Why it was allowed or blocked: policy decision and warnings.

That lets another agent, a reviewer, or future you understand why a security change happened.

Configuration

Example .wardenrc.json:

{
  "scanner": {
    "primary": "snyk",
    "fallback": true
  },
  "fixes": {
    "maxPerRun": 2,
    "minSeverity": "high"
  },
  "policy": {
    "failOnSeverity": "critical",
    "failOnPosture": "critical",
    "requireApprovalAboveSeverity": "high"
  },
  "notifications": {
    "enabled": false,
    "email": {
      "to": ["[email protected]"],
      "from": "Warden <[email protected]>",
      "provider": "resend",
      "apiKeyEnv": "RESEND_API_KEY"
    }
  }
}

Environment variables:

GITHUB_TOKEN=...  # enables branch push and PR creation
SNYK_TOKEN=...    # recommended for Snyk scans
RESEND_API_KEY=... # optional, enables email notifications

Email notifications can also target a generic webhook by setting notifications.email.webhook; Warden posts a normalized email payload that can be routed through Zapier, Make, SES Lambda, or an internal notification service.

Release Confidence

Warden has a release gate that checks behavior, not just compilation:

npm run release:check

It builds the package, runs tests, executes a smoke test against mock scanner output, verifies the expected artifact bundle, and checks the npm package contents.

Example CI

Warden can generate a downstream GitHub Actions workflow:

warden bootstrap-ci --scanner npm-audit --severity high

For a copyable workflow file, see docs/EXAMPLE-CI.md.

Positioning

Warden is for teams that want agentic security remediation but need operational guarantees:

scan -> triage -> policy check -> fix safe issues -> open PR -> record rationale -> pass/fail CI

That loop is the product.

License

ISC © DevDonzo