npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@devshub198211/devguard

v2.0.3

Published

14-module security, AI, auth & DX toolkit for Node.js. Zero dependencies.

Readme

@devshub198211/devguard

One install. 14 modules. Zero external dependencies. Security · AI Tooling · Auth · DX — everything a production Node.js project needs.

npm install @devshub198211/devguard

Quick Start

# Initialize DevGuard in your project
npx @devshub198211/devguard init

# Run a full security audit
npx @devshub198211/devguard check

# AI-powered code refactor (free, runs locally)
npx @devshub198211/devguard refactor src/app.ts

For global CLI access:

npm install -g @devshub198211/devguard
devguard check

All 14 Modules

| # | Category | Module | CLI Command | What It Does | |---|----------|--------|-------------|--------------| | 1 | 🔒 Security | lockfile-guardian | check / snapshot | SHA-512 lockfile tamper detection | | 2 | 🔒 Security | hook-scanner | scan | 23-rule malware scanner for install scripts | | 3 | 🔒 Security | token-rotator | tokens | Live API token verification + age alerts | | 4 | 🔒 Security | dep-pincer | pin --fix | Enforce exact version pins + SRI hashes | | 5 | 🤖 AI | refactor-engine | refactor <file> | Complexity analysis + security patching | | 6 | 🤖 AI | agent-schema | schema <json> | Validate & auto-repair LLM JSON output | | 7 | 🤖 AI | mcp-server-kit | mcp | Build Claude-compatible MCP tool servers | | 8 | 🤖 AI | agent-memory | memory --agent <id> | Durable state for AI agents (FS/Redis) | | 9 | 🤖 AI | llm-budget | budget | Token counting + cost tracking | | 10 | 🔑 Auth | zero-trust-jwt | jwt-verify / jwt-sign | JWT sign & verify with anomaly detection | | 11 | 🔑 Auth | bot-fence | bot-check --ip <ip> | Multi-signal bot detection middleware | | 12 | 🔑 Auth | passkey-node | passkey-verify | WebAuthn passkey registration & auth | | 13 | 🛠 DX | env-safe | env-verify | Typed .env validation — fail fast | | 14 | 🛠 DX | log-otlp | log --msg <text> | Structured JSON logger + OpenTelemetry |

Bonus: api-contract — zero-dep schema builder with TypeScript inference.


Use From Any Language (Python, Go, Bash, etc.)

Every command supports --json output, making DevGuard usable from any programming language:

Python

import subprocess, json

result = subprocess.run(
    ["npx", "@devshub198211/devguard", "check", "--json"],
    capture_output=True, text=True
)
report = json.loads(result.stdout)
print(f"Security Score: {report['score']}/100")

Go

cmd := exec.Command("npx", "@devshub198211/devguard", "scan", "--json")
output, _ := cmd.Output()
// Parse JSON output

Bash

SCORE=$(npx @devshub198211/devguard check --json | jq '.score')
echo "Score: $SCORE"

# Sign a JWT
TOKEN=$(devguard jwt-sign --payload '{"sub":"user-1"}' --secret mykey --json | jq -r '.token')

# Check an IP
devguard bot-check --ip 203.0.113.5 --json | jq '.verdict'

Ruby

result = `npx @devshub198211/devguard check --json`
report = JSON.parse(result)
puts "Score: #{report['score']}"

CLI Reference

# Core
devguard init                                    # Set up project
devguard check [--json]                          # Full security audit
devguard refactor <file> [--json]                # AI code refactor
devguard mcp                                     # Start MCP server

# Security
devguard snapshot                                # Create lockfile baseline
devguard scan [--json]                           # Malware scan
devguard tokens [--json]                         # Token health check
devguard pin [--fix] [--json]                    # Pin dependencies

# AI
devguard schema '<json>' [--json]                # Validate JSON
devguard memory [--agent <id>] [--json]          # Query agent state
devguard budget [--json]                         # LLM cost summary

# Auth
devguard jwt-verify --token <t> --secret <s>     # Verify JWT
devguard jwt-sign --payload '<json>' --secret <s> # Sign JWT
devguard bot-check --ip <ip> [--json]            # Bot detection

# DX
devguard env-verify [--file .env] [--json]       # Validate env
devguard log --msg <text> [--level info|warn|error]  # Emit log

Programmatic Usage (Node.js / TypeScript)

import { runAllChecks } from '@devshub198211/devguard';

const report = await runAllChecks();
console.log(`Security Score: ${report.score}/100`);
if (!report.passedAll) process.exit(1);

Tree-Shakeable Sub-Path Imports

import { verifyLockfile } from '@devshub198211/devguard/security';
import { LLMBudget }      from '@devshub198211/devguard/ai';
import { JWTVerifier }    from '@devshub198211/devguard/auth';
import { loadEnv }        from '@devshub198211/devguard/dx';

CI/CD Integration

name: DevGuard Security
on: [push, pull_request]
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with: { node-version: '20' }
      - run: npm ci
      - run: npx @devshub198211/devguard check --json > report.json
      - run: node -e "const r=JSON.parse(require('fs').readFileSync('report.json'));if(!r.passedAll)process.exit(1)"

Security Guarantees

  • Zero external runtime dependencies — only Node.js built-ins
  • No network calls at runtime (except opt-in token verification)
  • No telemetry, no tracking, no phone-home
  • Constant-time JWT comparison — timing attack protection
  • Sign-count replay protection in WebAuthn
  • Path traversal protection — all file IDs are SHA-256 hashed
  • Prototype pollution prevention in CBOR/JSON parsers
  • Atomic file writes — no data corruption during crashes
  • Works fully offline — all security checks are local

Requirements

  • Node.js >= 18.0.0

License

MIT © DevGuard Contributors


Your custom notes below: