@grovetech/defender

v0.2.3

Published

Active runtime protection for vibe-coded apps — drops in as Express middleware (web + AI layer), blocks prompt injection, PII leaks, and sensitive paths in real time. By Grovetech AI.

Downloads

880

Readme

@grovetech/defender

Active runtime protection for vibe-coded apps. Drop-in Express middleware that blocks prompt injection, sensitive-path probes, and PII / API-key leaks in your LLM responses — in real time, without touching anyone else's systems.

Defender is the active counterpart to the Grovetech Vibe Code Health Scanner. The scanner is a one-shot pen-test; Defender is permanent runtime defence.

Install

npm install @grovetech/defender

Get an API key at https://grovetechai.com/dashboard?tab=defender. Free plan includes 1 000 requests/month with the input guard enabled.

Try it without installing anything: open the live demo on Replit or read the source in server.ts.

Quick start (Express)

import express from "express";
import { defender } from "@grovetech/defender";

const app = express();
app.use(express.json());

const d = defender({ apiKey: process.env.GROVETECH_DEFENDER_KEY });

// Web layer — security headers + sensitive-path block (.env, .git/*, …)
app.use(d.web());

// AI layer — screens req.body.prompt / .messages for prompt injection
app.use("/api/chat", d.ai());

// Output guard — wrap your own LLM call
// (callOpenAi is a placeholder for your app's own LLM client function)
app.post("/api/chat", async (req, res) => {
  const reply = await callOpenAi(req.body.prompt);
  const out = d.guardOutput(reply);
  if (!out.allowed) return res.status(502).json({ error: "Output blocked" });
  res.json({ reply });
});

app.listen(3000);

Build-time secret check

Add to package.json:

{ "scripts": { "postbuild": "defender check ./dist" } }

The build fails if any leaked OpenAI / Anthropic / AWS / Stripe key, GitHub PAT or PEM private key is found in the emitted bundle.

What gets blocked

| Layer     | Examples                                                    |
| --------- | ----------------------------------------------------------- |
| Web       | /.env, /.git/config, /wp-config.php, missing CSP/HSTS       |
| AI input  | "ignore previous instructions", DAN/jailbreak, token bombs  |
| AI output | Leaked sk-…, AKIA…, ghp_…, PEM keys, system-prompt leak     |

Detection patterns are recycled from the same engine that powers our hosted scanner (server/security-scan.ts, server/vibe-coding-scan.ts, server/ai-agent/attacks.json) so what we test for in audits is what we block at runtime.
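The kind of key-prefix matching that the build-time check and the "AI output" row describe can be sketched as follows. This is an added example, not Defender's own code: the function name `scanForSecrets`, the rule names and the regexes are assumptions based on publicly documented key prefixes, and the sample bundle is constructed.

```javascript
// Added example: rule names and regexes are assumptions based on publicly
// documented key prefixes, not Defender's actual detection rules.
const SECRET_RULES = [
  // Order matters: the Anthropic prefix also matches the broader "sk-" rule.
  { kind: "anthropic-key", re: /\bsk-ant-[A-Za-z0-9_-]{20,}/g },
  { kind: "openai-key", re: /\bsk-[A-Za-z0-9_-]{20,}/g },
  { kind: "stripe-live-key", re: /\bsk_live_[A-Za-z0-9]{24,}/g },
  { kind: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { kind: "github-pat", re: /\bghp_[A-Za-z0-9]{36}\b/g },
  { kind: "pem-private-key", re: /-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----/g },
];

// Returns { allowed, findings }; each finding carries only a short preview
// so the scanner's own logs never contain a full secret.
function scanForSecrets(text) {
  const findings = [];
  const claimed = []; // [start, end) spans already attributed to a rule
  for (const { kind, re } of SECRET_RULES) {
    for (const m of text.matchAll(re)) {
      const start = m.index;
      const end = start + m[0].length;
      // Skip matches that overlap a span an earlier, more specific rule took.
      if (claimed.some(([s, e]) => start < e && end > s)) continue;
      claimed.push([start, end]);
      findings.push({ kind, index: start, preview: m[0].slice(0, 8) + "…" });
    }
  }
  findings.sort((a, b) => a.index - b.index);
  return { allowed: findings.length === 0, findings };
}

// Constructed sample standing in for an emitted bundle (all values are fake).
const SAMPLE_BUNDLE = [
  'const a = "' + "sk-ant-" + "b".repeat(24) + '";',
  'const b = "' + "AKIA" + "A".repeat(16) + '";',
  'const job = "task-' + "a".repeat(24) + '"; // not a key: no word boundary',
  "-----BEGIN RSA PRIVATE KEY-----",
].join("\n");

console.log(scanForSecrets(SAMPLE_BUNDLE));
```

A build step would exit non-zero when `allowed` is false; a runtime output guard would withhold the response instead.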

Plans & limits

| Plan   | Requests/month | Output guard | Tool guard | Slack/Teams  |
| ------ | -------------- | ------------ | ---------- | ------------ |
| Free   | 1 000          | –            | –          | –            |
| Solo   | 10 000         | yes          | –          | –            |
| Pro    | 100 000        | yes          | yes        | yes          |
| Agency | 1 000 000      | yes          | yes        | yes (custom) |

Telemetry is best-effort — if Grovetech is unreachable, Defender still blocks locally and never crashes your app.

Licence

MIT — © Grovetech AI s.r.o.