npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@humaan/patch-patrol

v0.5.2

Published

Scan GitHub repositories for advisory-driven package bumps and open pull requests.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

humaancohumaanco

Keywords

Readme

Patch Patrol

Patch Patrol is an interactive CLI for finding advisory-driven package updates across GitHub repositories, then optionally creating update pull requests.

Requirements

  • Node.js 20+
  • GitHub CLI authenticated with gh auth login
  • To create PRs: git access to the selected repos, plus their package manager for lockfile updates

Run

Run the published CLI directly:

pnpx @humaan/patch-patrol

Interactive Flow

The CLI will guide you through:

  1. Entering a GitHub owner, GitHub repo, or GitHub URL.
  2. Choosing an advisory rule.
  3. Choosing which bump levels to include.
  4. Reviewing affected projects.
  5. Deciding whether to stop after the scan or create update pull requests.
  6. Selecting which projects should receive update branches and pull requests.

Use arrow keys to move through prompts, spacebar to toggle multiselect items, and enter to continue.

If you choose to create PRs, Patch Patrol clones each selected repo into a temporary checkout, creates an advisory-specific branch, re-checks affected packages, updates package.json, refreshes the lockfile, commits the change, pushes the branch, and opens a GitHub pull request.

Safety

  • Scans read package.json files through the GitHub API.
  • PR creation only runs after you opt in and select repos.
  • Repos are patched in temporary checkouts, not in your local working tree.

Contributing Advisories

Advisories live in advisories/*.json, but advisory consumption is decoupled from the published package. The published CLI loads advisory rules from this repo's main branch, so the repo can receive new advisories without waiting for an npm publish.

Advisory files use human-readable rule IDs and publishedAt dates so the CLI can show the newest advisories first. Technical identifiers such as GHSA and CVE IDs live in each rule's metadata and are displayed as secondary CLI info.

To add an advisory:

  1. Use the adding-advisories agent skill with the security advisory URL, GHSA, CVE, changelog, or affected-version notice.
  2. Open a pull request that adds the new advisory JSON file.
  3. Once the PR is merged to main, the advisory becomes available to everyone using the published CLI with the default advisory source.

Development

pnpm install
pnpm start