
@edgebird.dev/check-pack

v1.0.1

Published

A zero-trust supply chain gate and MCP server for LLM vibe coders. Intercepts npm, pip, and docker commands to score packages before they touch your machine.

Readme

Check-Pack: Zero-Trust Supply Chain Gate for Vibe Coders

Check-Pack is a supply chain safety tool designed to protect "vibe coders"—developers heavily utilizing LLMs like Claude, Cursor, and Copilot—against malicious, hallucinated, or abandoned packages. It acts as a zero-trust enforcer, intercepting package manager commands (npm install, pip install, docker pull) and generating a rigorous security scorecard before allowing the package manager to download code.


Current Features

  • OSV.dev Vulnerability Scanning: Checks packages against the global Open Source Vulnerability database for Critical and High severity CVEs.
  • Pre-Flight Transitive DAG Scan: Recursively resolves a package's full dependency tree from registry metadata in-memory, without installing anything to disk. Catches deeply nested vulnerabilities (like log4j) before code touches the machine.
  • Workspace SBOM Scanning: Generates a Software Bill of Materials using syft and audits the entire installed dependency tree with grype to catch transitive vulnerabilities (--deep).
  • Component Health Analysis: Computes a 100-point security scorecard based on release cadence, maintainer count, and abandonment signals via the NPM and PyPI registries.
  • Native Hook Interception: Lightweight shell hooks bind to your npm, pip, and docker invocations, requiring zero project configuration changes.
  • MCP Server: Exposes all scan capabilities as Model Context Protocol tools so your AI agent (Cursor, Claude Code, RooCode, Antigravity) can validate packages before writing code that depends on them.
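The pre-flight transitive scan described above, as an added example that is not Check-Pack's own code: it resolves a dependency DAG from registry metadata held entirely in memory (nothing is installed), tolerates cycles, flags dependencies that exist in no registry (a hallucinated name), and shapes the resolved tree into the request body for OSV.dev's POST /v1/querybatch endpoint. The REGISTRY map is a constructed stand-in for npm packument data reduced to exact versions; semver range resolution is assumed away.

```javascript
// Added example, not Check-Pack's own code: resolve a package's transitive
// dependency DAG from in-memory registry metadata, then build the body for
// OSV.dev's POST /v1/querybatch call. REGISTRY is a constructed stand-in
// for npm packument data, reduced to name -> version -> { dep: exactVersion }.
// It deliberately contains a cycle (logger <-> util-lib) and one dependency
// that exists nowhere (a "hallucinated" package name).
const REGISTRY = {
  'app-root':      { '1.0.0': { 'web-framework': '2.0.0', 'logger': '1.2.0' } },
  'web-framework': { '2.0.0': { 'body-parser': '3.1.0', 'totally-made-up-pkg': '1.0.0' } },
  'body-parser':   { '3.1.0': { 'logger': '1.2.0' } },
  'logger':        { '1.2.0': { 'util-lib': '0.9.0' } },
  'util-lib':      { '0.9.0': { 'logger': '1.2.0' } },
};

// Breadth-first walk; a visited set keyed by name@version makes shared
// dependencies and cycles terminate instead of recursing forever.
function resolveTransitive(registry, name, version) {
  const nodes = new Map();  // "name@version" -> { name, version, dependencies }
  const unresolved = [];    // dependencies absent from the registry
  const queue = [[name, version]];
  while (queue.length > 0) {
    const [n, v] = queue.shift();
    const key = `${n}@${v}`;
    if (nodes.has(key) || unresolved.includes(key)) continue;
    const deps = registry[n] && registry[n][v];
    if (!deps) { unresolved.push(key); continue; }
    nodes.set(key, { name: n, version: v, dependencies: deps });
    for (const [depName, depVersion] of Object.entries(deps)) {
      queue.push([depName, depVersion]);
    }
  }
  return { nodes, unresolved };
}

// One querybatch entry per resolved node, so the whole tree is checked in a
// single OSV request ("npm" is OSV's ecosystem name for the npm registry).
function buildOsvBatchQuery(nodes, ecosystem = 'npm') {
  const queries = [];
  for (const { name: n, version: v } of nodes.values()) {
    queries.push({ package: { name: n, ecosystem }, version: v });
  }
  return { queries };
}

const result = resolveTransitive(REGISTRY, 'app-root', '1.0.0');
console.log(JSON.stringify(buildOsvBatchQuery(result.nodes), null, 2));
console.log('unresolved (possibly hallucinated):', result.unresolved);
```

An unresolved entry is worth treating as a hard stop before any install: a name that no registry knows is exactly the case an LLM-suggested dependency produces.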

Installation

Check-Pack is designed for zero-friction deployment. No repository cloning or manual dotfile editing required.

One-Command Setup

npx @edgebird.dev/check-pack install-hooks

What this does automatically:

  1. Installs the Check-Pack native system hooks (alias npm, alias pip, alias docker) into your terminal profile (~/.zshrc / ~/.bashrc).
  2. Outputs the MCP JSON configuration block ready to paste into Cursor (.cursor/mcp.json), RooCode/Cline (cline_mcp_settings.json), Claude Code, or Antigravity.

Manual CLI Usage

# Analyze a single package
check-pack npm express
check-pack pypi requests

# Pre-flight scan: resolve full transitive dependency tree (no install)
check-pack --preflight express

# Deep SBOM scan on an existing workspace
check-pack --deep .

MCP Server (AI Agent Integration)

Add the following to your agent's MCP configuration file (e.g. .cursor/mcp.json):

{
  "mcpServers": {
    "check-pack": {
      "command": "check-pack-mcp"
    }
  }
}

Available MCP tools:

  • analyze_package_security — Score a single npm or PyPI package
  • analyze_preflight_deps — Recursively scan the full transitive dependency graph before installation
  • analyze_workspace_deep — Run a full SBOM audit on a directory
  • analyze_container — Scan a Docker image for OS-layer CVEs

Understanding the Scorecard

When Check-Pack analyzes a package, it starts at 100 points and applies penalties based on real-world supply chain risk vectors:

| Status | Score Range | Meaning |
|---|---|---|
| PASS | 80 - 100 | Clean bill of health. Package is maintained and free of known vulnerabilities. |
| WARN | 50 - 79 | Moderate/low CVEs present, or package not updated in over a year. Installation proceeds. |
| FAIL | < 50 | Critical/High CVEs found, or package severely abandoned. Installation is blocked. |

Example Output

Check-Pack Hook intervening for [flatmap-stream]...

Checking [flatmap-stream] in [npm]...

=========================================
Package:  flatmap-stream
Score:    15/100
Status:   FAIL
=========================================

[CRITICAL FAILURES]:
  - Found 2 Critical/High CVEs (e.g. GHSA-9x64-5r7x-2q53)
  - Package is severely abandoned (Last updated > 2 years ago).

[WARNINGS]:
  - Only 1 maintainer listed. Low bus factor.

Check-Pack blocked installation of flatmap-stream due to security failures.
Halting dependency installation. Please review the scorecard above.
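The scorecard logic, as an added example that is not Check-Pack's own code: start at 100, subtract penalties per finding, and map the total to PASS/WARN/FAIL using the thresholds in the table above. The penalty weights are assumptions chosen so that the flatmap-stream output above (15/100, FAIL, two failures and one warning) is reproduced; the second CVE id and the publish date are constructed placeholders.

```javascript
// Added example, not Check-Pack's own code. Penalty weights are assumed
// (the README does not publish them); thresholds follow the scorecard table.
const PENALTY = {
  criticalOrHigh: 30,   // per Critical/High CVE   -> failure
  moderateOrLow: 10,    // per Moderate/Low CVE    -> warning
  abandoned: 20,        // last release > 2 years  -> failure
  stale: 10,            // last release > 1 year   -> warning
  singleMaintainer: 5,  // bus factor of one       -> warning
};
const YEAR_MS = 365.25 * 24 * 60 * 60 * 1000;

function scorePackage(meta, now) {
  let score = 100;
  const failures = [], warnings = [];
  const severe = meta.cves.filter(c => c.severity === 'CRITICAL' || c.severity === 'HIGH');
  const minor = meta.cves.filter(c => !severe.includes(c));
  if (severe.length > 0) {
    score -= PENALTY.criticalOrHigh * severe.length;
    failures.push(`Found ${severe.length} Critical/High CVEs (e.g. ${severe[0].id})`);
  }
  if (minor.length > 0) {
    score -= PENALTY.moderateOrLow * minor.length;
    warnings.push(`Found ${minor.length} Moderate/Low CVEs`);
  }
  const ageYears = (now - new Date(meta.lastPublished)) / YEAR_MS;
  if (ageYears > 2) {
    score -= PENALTY.abandoned;
    failures.push('Package is severely abandoned (Last updated > 2 years ago).');
  } else if (ageYears > 1) {
    score -= PENALTY.stale;
    warnings.push('Package not updated in over a year.');
  }
  if (meta.maintainers <= 1) {
    score -= PENALTY.singleMaintainer;
    warnings.push(`Only ${meta.maintainers} maintainer listed. Low bus factor.`);
  }
  score = Math.max(0, score);  // never report a negative score
  const status = score >= 80 ? 'PASS' : score >= 50 ? 'WARN' : 'FAIL';
  return { name: meta.name, score, status, failures, warnings, blocked: status === 'FAIL' };
}

// Constructed input mirroring the example output; the first GHSA id is the
// one shown there, the second id and the publish date are placeholders.
const FLATMAP_STREAM = {
  name: 'flatmap-stream', maintainers: 1, lastPublished: '2018-11-01T00:00:00Z',
  cves: [{ id: 'GHSA-9x64-5r7x-2q53', severity: 'CRITICAL' },
         { id: 'EXAMPLE-SECOND-CVE-ID', severity: 'HIGH' }],
};
console.log(scorePackage(FLATMAP_STREAM, new Date('2026-01-01T00:00:00Z')));
```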

Emergency Override

To bypass the alias and invoke the raw package manager directly:

\npm install <package>
\pip install <package>
\docker pull <image>

Prerequisites

The --deep workspace SBOM scan, the --preflight transitive scan, and the Docker shield feature require syft and grype to be installed:

brew install syft grype

License

ISC