npm package discovery and stats viewer.


© 2026 – Pkg Stats / Ryan Hefner

@korext/supply-check

v1.1.2

Published

AI provenance scanner for your software supply chain. 14 ecosystems. SBOM integration. Private registry support.

Downloads

57

Readme

Supply Chain Attestation

AI provenance across your entire dependency tree. Fourteen ecosystems. SBOM integration. Private registry support.

Badges: License (code), License (spec), npm

You know your vulnerabilities thanks to Snyk and Dependabot. You know your licenses thanks to FOSSA. But you do not know what percentage of your software supply chain was written with AI assistance.

Supply Chain Attestation answers that across fourteen package ecosystems, integrates with CycloneDX and SPDX, and supports private registries for enterprise deployment.

Quick Start

```bash
npx @korext/supply-check scan
```

Supported Ecosystems (14)

| Ecosystem | Manifest | Lockfile |
|-----------|----------|----------|
| npm | package.json | package-lock.json, yarn.lock |
| PyPI | pyproject.toml, requirements.txt, setup.py | poetry.lock, Pipfile.lock |
| Cargo | Cargo.toml | Cargo.lock |
| Go Modules | go.mod | go.sum |
| RubyGems | Gemfile | Gemfile.lock |
| Maven | pom.xml, build.gradle | pom.xml resolution |
| NuGet | .csproj, packages.config | .csproj PackageReference |
| Composer | composer.json | composer.lock |
| Swift PM | Package.swift | Package.resolved |
| CocoaPods | Podfile | Podfile.lock |
| Pub | pubspec.yaml | pubspec.lock |
| Hex | mix.exs | mix.lock |
| CPAN | cpanfile, META.json | cpanfile.snapshot |
| Conda | environment.yml | conda-lock.yml |

Example Output

```
Supply Chain Attestation

Ecosystem: npm
Dependencies: 847 total, 823 scanned

AI Coverage: 127 dependencies (15.4%)
Weighted AI Percentage: 28.3%

Governance Distribution:
  ATTESTED:       12 dependencies
  SCANNED:        89 dependencies
  UNGOVERNED:     722 dependencies
  NO_ATTESTATION: 24 dependencies

High Risk Dependencies: 3
  [email protected]: 89% AI, ungoverned
  [email protected]: 65% AI, ungoverned
  [email protected]: 72% AI, no attestation
```

Three Attestation Sources

  1. Package: the dependency's published artifact includes `.ai-attestation.yaml`
  2. Registry: data hosted at `oss.korext.com/registry/` (automated scans plus maintainer submissions)
  3. Repository: the dependency's source repository has `.ai-attestation.yaml`

Priority: Package > Registry > Repository. When more than one source has data for the same dependency, the highest-priority source wins.

Each source is self-reported data (a maintainer-written file or a scan result), not build provenance: the scanner does not verify how an artifact was built, which is the domain of Sigstore and SLSA (see What This Complements below). Treat the output as a governance signal and gate artifact integrity separately.

Commands

| Command | Description |
|---------|-------------|
| `scan` | Scan dependency tree |
| `report` | Print detailed report |
| `registry` | Query registry |
| `publish` | Publish attestation (maintainers) |
| `check` | Policy gate for CI |
| `sbom` | Export CycloneDX or SPDX |

SBOM Integration

```bash
npx @korext/supply-check sbom --format cyclonedx > sbom.json
npx @korext/supply-check sbom --format spdx > sbom.spdx.json
```

AI data is embedded via the standard extension mechanisms of each format:

  • CycloneDX 1.6: `properties` array with a `korext:` namespace
  • SPDX 2.3: `annotations` with `korext:` properties

Consumers that do not recognise the `korext:` namespace simply ignore those entries, so the exported SBOM stays valid for any CycloneDX or SPDX consumer.

CI/CD

```yaml
- uses: korext/supply-chain-attestation/action@v1
  with:
    max-ai-percentage: 40
    max-high-risk: 5
    block-ungoverned-ai: true
    require-attested-for: "payment"
    sbom-output: cyclonedx
```
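As an added example that is not part of @korext/supply-check, the Node.js script below shows what a downstream consumer can do with the `korext:` properties once they are in a CycloneDX 1.6 SBOM: read them back out and apply a gate with the same shape as the CI action above (max AI percentage, max high-risk count, block ungoverned AI, require ATTESTED for packages matching a name). The property names `korext:ai-percentage` and `korext:governance`, the 60% high-risk cut-off, the plain mean used in place of the README's undefined "Weighted AI Percentage", and the fictional package names are all assumptions of this example, not the project's spec (SPEC.md is authoritative). The SBOM is constructed inline so the script runs offline.

```javascript
'use strict';

// Added example (not project code). Property names are ASSUMED; substitute
// the real `korext:` keys from SPEC.md before relying on this.
const KEY_AI_PCT = 'korext:ai-percentage';  // assumed: "0".."100"
const KEY_GOVERNANCE = 'korext:governance'; // assumed: ATTESTED | SCANNED | UNGOVERNED | NO_ATTESTATION
const HIGH_RISK_AI_PCT = 60;                // assumed cut-off for "high risk"

function makeComponent(name, version, aiPct, governance) {
  const comp = { type: 'library', name, version, purl: `pkg:npm/${name}@${version}` };
  if (aiPct !== undefined) {
    comp.properties = [
      { name: KEY_AI_PCT, value: String(aiPct) },
      { name: KEY_GOVERNANCE, value: governance },
    ];
  }
  return comp;
}

// Constructed sample SBOM; package names are fictional, not real npm packages.
const SAMPLE_SBOM = {
  bomFormat: 'CycloneDX',
  specVersion: '1.6',
  components: [
    makeComponent('left-trim', '1.0.0', 0, 'SCANNED'),
    makeComponent('payment-sdk', '2.1.0', 30, 'ATTESTED'),
    makeComponent('fast-parse', '3.0.1', 89, 'UNGOVERNED'),
    makeComponent('tiny-util', '0.2.0', 65, 'UNGOVERNED'),
    makeComponent('chart-core', '1.4.0', 72, 'NO_ATTESTATION'),
    makeComponent('payment-gateway-client', '1.0.0', 10, 'SCANNED'),
    makeComponent('legacy-lib', '4.0.0'),                    // no AI data at all
    makeComponent('odd-lib', '0.1.0', 'unknown', 'SCANNED'), // malformed value
    makeComponent('http-shim', '5.0.0', 0, 'SCANNED'),
  ],
};

// Read one property by name; a missing key yields undefined, which is also
// how a consumer that does not know the korext namespace sees it.
function getProp(comp, key) {
  const hit = (comp.properties || []).find((p) => p.name === key);
  return hit ? hit.value : undefined;
}

// Parse defensively: anything that is not a number in 0..100 is "no data",
// never silently 0% AI.
function aiPercentage(comp) {
  const raw = getProp(comp, KEY_AI_PCT);
  if (raw === undefined) return undefined;
  const n = Number(raw);
  return Number.isFinite(n) && n >= 0 && n <= 100 ? n : undefined;
}

const label = (comp) => `${comp.name}@${comp.version}`;
const round1 = (x) => Math.round(x * 10) / 10;

function summarize(sbom) {
  const comps = sbom.components || [];
  const scanned = comps.filter((c) => aiPercentage(c) !== undefined);
  const withAi = scanned.filter((c) => aiPercentage(c) > 0);
  const governance = {};
  for (const c of comps) {
    // Assumption: no governance property means NO_ATTESTATION.
    const g = getProp(c, KEY_GOVERNANCE) || 'NO_ATTESTATION';
    governance[g] = (governance[g] || 0) + 1;
  }
  // Plain mean over scanned dependencies stands in for the README's
  // "Weighted AI Percentage", whose weighting the page does not define.
  const meanAi = scanned.length
    ? scanned.reduce((sum, c) => sum + aiPercentage(c), 0) / scanned.length
    : 0;
  const highRisk = scanned.filter((c) =>
    aiPercentage(c) >= HIGH_RISK_AI_PCT &&
    ['UNGOVERNED', 'NO_ATTESTATION'].includes(getProp(c, KEY_GOVERNANCE)));
  return {
    total: comps.length,
    scanned: scanned.length,
    aiCoverage: withAi.length,
    aiCoveragePct: comps.length ? round1((100 * withAi.length) / comps.length) : 0,
    meanAiPct: round1(meanAi),
    governance,
    highRisk: highRisk.map(label),
  };
}

// Policy fields mirror the CI action inputs; the camelCase names are this example's own.
function evaluatePolicy(sbom, policy) {
  const summary = summarize(sbom);
  const comps = sbom.components || [];
  const violations = [];
  if (policy.maxAiPercentage !== undefined && summary.meanAiPct > policy.maxAiPercentage) {
    violations.push(`AI percentage ${summary.meanAiPct}% exceeds ${policy.maxAiPercentage}%`);
  }
  if (policy.maxHighRisk !== undefined && summary.highRisk.length > policy.maxHighRisk) {
    violations.push(`${summary.highRisk.length} high-risk dependencies exceed ${policy.maxHighRisk}`);
  }
  if (policy.blockUngovernedAi) {
    for (const c of comps) {
      if (aiPercentage(c) > 0 && getProp(c, KEY_GOVERNANCE) === 'UNGOVERNED') {
        violations.push(`${label(c)}: ${aiPercentage(c)}% AI, ungoverned`);
      }
    }
  }
  if (policy.requireAttestedFor) {
    for (const c of comps) {
      if (c.name.includes(policy.requireAttestedFor) && getProp(c, KEY_GOVERNANCE) !== 'ATTESTED') {
        violations.push(`${label(c)} matches "${policy.requireAttestedFor}" but is not ATTESTED`);
      }
    }
  }
  return { pass: violations.length === 0, summary, violations };
}

// Same thresholds as the README's CI example.
const README_POLICY = { maxAiPercentage: 40, maxHighRisk: 5, blockUngovernedAi: true, requireAttestedFor: 'payment' };
console.log(JSON.stringify(evaluatePolicy(SAMPLE_SBOM, README_POLICY), null, 2));
```

Run with `node gate.js`; on the constructed SBOM the README thresholds fail with three violations (two ungoverned AI-heavy packages and one `payment` package that is only SCANNED), while the malformed `odd-lib` value is counted as missing data rather than as 0% AI. The defensive parse matters because an SBOM is untrusted input: a dependency that ships a bogus property should not be able to lower its own score.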

Private Registry (Enterprise)

Run your own registry for internal packages or mirror the public registry.

Four storage backends: Cloud Storage, S3, Azure Blob, local filesystem.

Authentication: OAuth, SAML, or API tokens.

Deployment: Docker, Kubernetes, or Docker Compose manifests included.

See PRIVATE-REGISTRY.md.

For Package Maintainers

```bash
npx @korext/ai-attestation init
npx @korext/supply-check publish
```

Add the badge:

```markdown
AI Attestation
```

What This Complements

  • SBOM tools (CycloneDX, SPDX): adds AI data via standard extensions
  • Vulnerability scanners (Snyk, Dependabot): different concern
  • License checkers (FOSSA): different concern
  • Build provenance (Sigstore, SLSA): different concern

Specification

See SPEC.md. CC0 1.0 (public domain).

Prior Art

See PRIOR_ART.md.

Built by

Korext builds AI code governance tools.