npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@lorb/secret-mask

v0.2.3

Published

Your terminal leaks secrets. This replaces them with playful phrases, not ***

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

lorb-studiolorb-studio

Keywords

secretsmaskingterminalclisecurityredact

Readme

@lorb/secret-mask

Your terminal leaks secrets. This makes them disappear — playfully.

$ secret-mask -- npm run dev
Server running on http://localhost:3000
API key loaded: Sleepy Owl in Teacup
Connected to DB: postgresql://Dancing Cat on [email protected]

Not ***. Each secret becomes a memorable phrase like "Brave Fox under Lighthouse." Readable, unsuspicious, and weirdly fun.

20+ patterns. Detects API keys (OpenAI, AWS, GitHub, Stripe, Slack, Google, and more), Bearer tokens, URLs with embedded credentials, private keys, and PASSWORD=... style env vars.

Deterministic. Same secret always maps to the same phrase within a session. You can still follow your logs.

Install

npm install -g @lorb/secret-mask

What you can do

Start a masked shell

Spawn a persistent subshell where everything is masked. No need to prefix every command.

secret-mask shell

Your $SHELL is used (falls back to /bin/bash). Type commands as usual — all output flows through the masking layer. Type exit or press Ctrl-D to leave.

Custom patterns work too:

secret-mask shell --pattern "INTERNAL_.*"

Wrap any command

Everything that command prints to stdout/stderr gets masked in real-time.

secret-mask -- npm run dev
secret-mask -- docker compose up
secret-mask -- env
secret-mask -- kubectl logs pod-name

Exit codes pass through — your CI scripts still work.

Pipe output through it

cat .env | secret-mask
heroku config | secret-mask
kubectl get secret my-secret -o yaml | secret-mask

Add custom patterns

Catch secrets that don't match built-in patterns.

secret-mask --pattern "INTERNAL_.*" -- ./deploy.sh

Use in CI/CD

# GitHub Actions
- run: npx @lorb/secret-mask -- npm test

Use programmatically

import { createMaskStream } from '@lorb/secret-mask';

const stream = createMaskStream();
process.stdin.pipe(stream).pipe(process.stdout);

What it detects

| Category | Examples | |----------|---------| | AI/ML | OpenAI (sk-...), Anthropic (sk-ant-...) | | Cloud | AWS access keys, AWS secrets, Google API keys | | Code | GitHub PAT/OAuth/App tokens, GitLab PAT, npm tokens | | Payments | Stripe secret/public keys | | Communication | Slack tokens, Slack webhooks, SendGrid, Twilio | | Infrastructure | Heroku, Firebase | | Auth | Bearer tokens, URL-embedded credentials (user:pass@host) | | Generic | PASSWORD=, SECRET=, TOKEN=, API_KEY=, private keys, base64 credentials |

How phrases work

Each secret is hashed to an index in a dictionary of Adjective + Animal + Preposition + Object combinations. Same secret = same phrase within a session. Session salt changes between runs, so phrases aren't stable across restarts.

Details

  • Zero network calls. Fully offline
  • Zero dependencies
  • Processes stdout and stderr as stream transforms (real-time, not buffered)
  • Passes through the wrapped command's exit code

License

𖦹 MIT — Lorb.studio