npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@getbourdon/redaction

v0.1.2

Published

Bourdon credential-redaction SSOT + federation leak auditor — the security keystone of the TS mirror. 12 keyword + 14 token credential patterns (exact per-pattern case flags), redactText/containsSecret, and the static L5 leak audit (credential + visibilit

Readme

@getbourdon/redaction

The credential-redaction SSOT + federation leak auditor of Bourdon — the security keystone of the TS mirror.

Python (pip install bourdon) is the oracle (core/redaction.py + core/leak_audit.py). This TypeScript mirror is conformant iff it reproduces the oracle's output on the shared @getbourdon/conformance fixtures: redactText byte-identical + containsSecret boolean-identical on every secret and benign string in redaction_battery.json (incl. the per-pattern case_variants probes), and [kind, location]-identical findings on leak_cases.json. A pattern that fires in Python but not here leaks a credential across machines.

The pattern set (the boundary)

  • 12 keyword patterns, ALL case-insensitive — a nearby word implies a secret even when the value is unrecognizable (api_key, service_role, bearer token, password, .env, …).
  • 14 token patterns — the literal token, no keyword needed. Case-SENSITIVE except appl_ (RevenueCat) and hf_ (HuggingFace), which are /i. These are the keyword-less leak class the pre-SSOT sets missed: AWS AKIA/ASIA, GitHub gh[pousr]_ / github_pat_, GitLab glpat-, Slack xox[baprs]-, OpenAI/Anthropic sk-/sk-ant-, Google AIza/ya29., Stripe [sprk]k_live|test_, npm_, JWT (eyJ…, covers Supabase service_role/anon), and PEM -----BEGIN … PRIVATE KEY-----.

Keyword-less leak class. The whole reason this package exists: a secret with no surrounding keyword (a bare AKIA…, ghp_…, a raw JWT, a PEM block) was federating verbatim because the weak federation/recognition redaction sets only had keyword rules. The token patterns close that.

Determinism / security gotchas (parity-critical)

  • SENSITIVE_PATTERNS are NON-GLOBAL. A /g RegExp carries lastIndex across .test() calls and yields intermittent false negatives — and the leak auditor calls containsSecret once per string in a loop, so a sticky lastIndex would intermittently miss a credential. Only the internal whitespace/URL regexes are /g, used solely with .replace().
  • Per-pattern case flags are load-bearing. An over-eager /i on a case-sensitive token (AWS, Stripe, GitHub) or a missing /i on appl_/hf_ is a parity break — case_variants probes each.
  • \b is ASCII in JS, matching Python re for these patterns; mid-word boundaries don't fire, so benign survivors (task/risk/disk) must NOT redact.

Leak audit

auditManifest(manifest, agentFile) walks every string in an L5 manifest tree (not a curated key list, so it can't silently forget a field) and flags two classes: CREDENTIAL (a value matching the patterns above) and VISIBILITY (an entity/session that resolves to privatePRIVATE_TAG_FAMILIES ∪ the manifest's own declared private_tags — but rides in a federated manifest). Emission order is contract: visibility(entities) → visibility(sessions) → credentials(whole tree). It never throws: a non-dict manifest or malformed collection yields []; auditLibrary reports an unparseable *.l5.yaml as a finding, not a silent skip.

License

BUSL-1.1 (Business Source License 1.1) — engine code, not the permissive wire/interop surface. See LICENSE and LICENSE_FAQ.md. (@getbourdon/redaction may depend on Apache-2.0 packages; the reverse — Apache importing BUSL — is forbidden.)