npm package discovery and stats viewer.


© 2026 – Pkg Stats / Ryan Hefner

@lhi/tdd-audit

v1.5.0

Published

Security skill installer for Claude Code, Gemini CLI, Cursor, Codex, and OpenCode. Patches vulnerabilities using a Red-Green-Refactor exploit-test protocol.

Readme

@lhi/tdd-audit

Security skill installer for Claude Code, Gemini CLI, Cursor, Codex, and OpenCode. Patches vulnerabilities using a Red-Green-Refactor exploit-test protocol — you prove the hole exists, apply the fix, and prove it's closed.

What happens on install

Running the installer does five things immediately:

  1. Scans your codebase for 29 vulnerability patterns (SQL injection, IDOR, XSS, command injection, path traversal, broken auth, JWT alg:none, ReDoS, timing-unsafe comparisons, and more) and prints findings to stdout
  2. Scaffolds a security test directory with a framework-matched boilerplate exploit test (__tests__/security/ for Node.js; tests/security/, security/ or test/security/ for Python, Go and Dart, as listed under Framework Detection below)
  3. Adds test:security to your package.json scripts (Node.js projects)
  4. Creates .github/workflows/security-tests.yml so the CI gate exists from day one
  5. Installs the /tdd-audit skill for your AI coding agent

Installation

npx @lhi/tdd-audit

Or clone and run directly:

node index.js

Platform-specific flags

| Platform | Command |
|---|---|
| Claude Code | npx @lhi/tdd-audit --local --claude |
| Gemini CLI / Codex / OpenCode | npx @lhi/tdd-audit --local |
| With pre-commit hook | add --with-hooks |
| Scan only (no install) | npx @lhi/tdd-audit --scan-only |

All flags

| Flag | Description |
|---|---|
| --local | Install skill files to the current project directory instead of ~ |
| --claude | Use .claude/ instead of .agents/ as the skill directory |
| --with-hooks | Install a pre-commit hook that blocks commits if security tests fail |
| --skip-scan | Skip the automatic vulnerability scan on install |
| --scan-only | Run the vulnerability scan without installing anything |

Framework Detection

The installer automatically detects your project's test framework and scaffolds the right boilerplate:

| Detected | Boilerplate | test:security command |
|---|---|---|
| jest / supertest | sample.exploit.test.js | jest --testPathPattern=__tests__/security |
| vitest | sample.exploit.test.vitest.js | vitest run __tests__/security |
| mocha | sample.exploit.test.js | mocha '__tests__/security/**/*.spec.js' |
| pytest.ini / pyproject.toml | sample.exploit.test.pytest.py | pytest tests/security/ -v |
| go.mod | sample.exploit.test.go | go test ./security/... -v |
| pubspec.yaml | sample_exploit_test.dart | flutter test test/security/ |

The Boilerplate column is the template the installer copies. After install, confirm that the file it writes is actually collected by the test:security command, because a test that never runs gates nothing: the mocha command above globs *.spec.js, pytest collects test_*.py and *_test.py by default, and go test only compiles files whose names end in _test.go.

Usage

Once installed, trigger the autonomous audit in your agent:

/tdd-audit

The agent will:

  1. Scan the codebase and present a severity-ranked findings report (CRITICAL / HIGH / MEDIUM / LOW)
  2. Wait for your confirmation before making any changes
  3. For each confirmed vulnerability, apply the full Red-Green-Refactor loop:
    • Red — write an exploit test that fails, proving the vulnerability exists
    • Green — apply the targeted patch, making the test pass
    • Refactor — run the full suite to confirm no regressions
  4. Deliver a final Remediation Summary table

The agent works one vulnerability at a time and does not advance until the current one is fully proven closed.

Vulnerability Scanner

The built-in scanner catches 29 patterns across web (OWASP Top 10), mobile and agentic AI stacks:

| Category | Patterns |
|---|---|
| Injection | SQL Injection, Command Injection, NoSQL Injection, Template Injection, LDAP |
| Broken Auth | JWT alg:none, Broken Auth, Timing-Unsafe Comparison, Hardcoded Secret, Secret Fallback |
| XSS / Output | XSS, eval() Injection, Open Redirect |
| Crypto | Weak Crypto (MD5/SHA1), Insecure Random, TLS Bypass |
| Server-side | SSRF, Path Traversal, XXE, Insecure Deserialization |
| Assignment | Mass Assignment, Prototype Pollution |
| Mobile | Sensitive Storage, WebView JS Bridge, Deep Link Injection, Android Debuggable |
| Config | CORS Wildcard, Cleartext Traffic, Config Secrets |
| Added in v1.5 | JWT alg:none, Timing-Unsafe Comparison, ReDoS |

The last row is a changelog rather than a further category: JWT alg:none and Timing-Unsafe Comparison already appear under Broken Auth, and ReDoS is the third v1.5 addition.

Running security tests manually

# Node.js
npm run test:security

# Python
pytest tests/security/ -v

# Go
go test ./security/... -v

CI/CD

The installer creates .github/workflows/security-tests.yml for your stack. It runs on every pull request targeting main, so any exploit test that regresses fails the check. For a red check to actually block the merge, mark the workflow's job as a required status check in the repository's branch protection or ruleset; without that, the failure is advisory only.

To add this gate to an existing CI pipeline manually:

- name: Run security exploit tests
  run: npm run test:security   # or pytest tests/security/, or go test ./security/...

Pre-commit Hook

The --with-hooks flag appends a security gate to .git/hooks/pre-commit. Commits are blocked if any exploit test fails:

❌ Security tests failed. Commit blocked.

The hook is non-destructive: it appends to any existing hook content rather than overwriting it. Two limits are worth knowing. .git/hooks is not versioned, so every clone needs its own --with-hooks run, and git commit --no-verify skips the hook entirely. Treat it as a fast local check and the CI workflow as the enforcing gate.

License

MIT