
@marshell/chifu

v0.3.1

Make your AI coding agent dependency-security aware. Checks your project's dependencies against known CVEs so your agent can fix what it introduced — before merge.

Readme

chifu

Make your AI coding agent dependency-security aware.

AI coding agents (Claude Code, Cursor, Codex, …) happily add, bump, and pin dependencies — and just as happily pull in ones with known CVEs, then move on. chifu is a tiny CLI your agent runs to find vulnerable dependencies, so it can fix what it introduced before you merge — not weeks later in a Dependabot PR.

It pairs with the chifu skill so the agent runs it automatically when it touches dependencies.

$ chifu check

  3 of 143 dependencies are vulnerable

  CRITICAL  lodash    4.17.4  → 4.18.0    (8 CVEs)
  HIGH      axios     0.21.0  → 0.32.0    (13 CVEs)
  MEDIUM    minimist  1.2.0   → 1.2.3     (1 CVE)

  Run with --verbose to list individual CVEs.

Each row collapses to the single upgrade that clears all of that package's CVEs.
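Collapsing several per-CVE findings on one package into the single row shown above is illustrated by this added JavaScript example (not chifu's own code). It assumes each finding carries the first version that fixes its advisory and that versions are plain major.minor.patch strings; the sample findings and advisory ids are constructed placeholders, not real CVEs.

```javascript
// Added illustration (not chifu's own code): one row per package, with the
// worst severity, the CVE count, and the lowest upgrade that clears every CVE.
const SEVERITY_RANK = { LOW: 0, MEDIUM: 1, HIGH: 2, CRITICAL: 3 };

// Numeric compare of "major.minor.patch" (assumption: no prerelease tags or
// ranges; a production tool would use the semver package instead).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// findings: one entry per (package, advisory) with the first fixed version.
// The single upgrade that clears all of them is the max of the fixed versions,
// because every fix is a floor and the largest floor satisfies the rest.
function collapseFindings(findings) {
  const byPackage = new Map();
  for (const f of findings) {
    const row = byPackage.get(f.name) || {
      name: f.name, installed: f.installed, severity: 'LOW', cves: 0, upgradeTo: f.fixedIn,
    };
    row.cves += 1;
    if (SEVERITY_RANK[f.severity] > SEVERITY_RANK[row.severity]) row.severity = f.severity;
    if (compareVersions(f.fixedIn, row.upgradeTo) > 0) row.upgradeTo = f.fixedIn;
    byPackage.set(f.name, row);
  }
  // Worst severity first, as in the CLI output.
  return [...byPackage.values()].sort(
    (a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
}

// Constructed sample findings; the ids are placeholders, not real CVE numbers.
const SAMPLE_FINDINGS = [
  { name: 'lodash', installed: '4.17.4', id: 'CVE-PLACEHOLDER-1', severity: 'HIGH', fixedIn: '4.17.12' },
  { name: 'lodash', installed: '4.17.4', id: 'CVE-PLACEHOLDER-2', severity: 'CRITICAL', fixedIn: '4.17.21' },
  { name: 'lodash', installed: '4.17.4', id: 'CVE-PLACEHOLDER-3', severity: 'MEDIUM', fixedIn: '4.18.0' },
  { name: 'minimist', installed: '1.2.0', id: 'CVE-PLACEHOLDER-4', severity: 'MEDIUM', fixedIn: '1.2.3' },
];

// Render rows in the same shape as the chifu check table.
function formatRows(rows) {
  return rows.map((r) => `${r.severity.padEnd(9)} ${r.name.padEnd(9)} ${r.installed}  → ${r.upgradeTo}  (${r.cves} CVE${r.cves === 1 ? '' : 's'})`);
}

console.log(formatRows(collapseFindings(SAMPLE_FINDINGS)).join('\n'));
```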

Quick start (recommended)

The wizard installs the CLI and teaches your coding agent to run it on every dependency change — one command, no config:

bunx @marshell/chifu-wizard        # or: npx @marshell/chifu-wizard

It works with Claude Code, Cursor, and Windsurf. See chifu-wizard for what it sets up.

Install the CLI directly

Run it with no install:

bunx @marshell/chifu check         # Bun
npx @marshell/chifu check          # Node (>= 18)

Or install it globally:

npm i -g @marshell/chifu           # then: chifu check
# or
bun add -g @marshell/chifu

Prefer a standalone binary (no Node/Bun required)? Grab one for your platform from the latest release (Windows x64, macOS arm64/x64, Linux x64), make it executable, and put it on your PATH.

Usage

chifu check [path]              # check dependencies in cwd (or a given path)
chifu check --json              # machine-readable output (what the skill reads)
chifu check --verbose           # list every individual CVE
chifu check --fail-on-findings  # exit non-zero if vulns found (for CI)
chifu check --api-url <url>     # override the backend (or set CHIFU_API_URL)
chifu login [chf_xxx]           # sign in (required) — chifu needs an account
chifu --help | --version

check requires an account. Run chifu login (or set CHIFU_API_KEY) before your first check — the backend rejects unauthenticated calls. Once signed in, results sync to your dashboard with history per repo.

Exit codes: 0 clean, 1 vulnerabilities found (only with --fail-on-findings), 2 error.

How it works

  1. chifu check reads your package.json + lockfile into a resolved dependency list (and your git remote to group results by repo).
  2. It sends the list to the chifu backend, which matches it against a continuously-updated CVE corpus and returns the vulnerable packages + the fixed version + advisory.
  3. With the chifu skill installed, your coding agent runs this on every dependency change, reads --json, upgrades the vulnerable packages, fixes any breaking changes from the advisory, and re-runs until clean.

The CLI only detects and reports — your own agent does the fixing. No LLM, no secrets, nothing proprietary baked in.
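An added JavaScript illustration of step 1 (not chifu's own code): reading a package.json together with a lockfileVersion 2/3 package-lock.json into a resolved name@version list. It assumes the lockfile's packages map keyed by install path, which is what those lockfile versions write; the inputs are constructed samples.

```javascript
// Added illustration (not chifu's own code) of turning package.json plus a
// lockfileVersion 2/3 package-lock.json into a resolved dependency list.
// Assumption: the lockfile has the "packages" map (lockfileVersion 1 does not).
// Constructed samples. The nested minimist under mocha shows that two versions
// of one package can be installed at once; both must be checked against CVEs.
const SAMPLE_PACKAGE_JSON = {
  name: 'demo-app',
  dependencies: { lodash: '^4.17.4' },
  devDependencies: { mocha: '^10.0.0' },
};
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/lodash': { version: '4.17.4' },
    'node_modules/mocha': { version: '10.0.0', dev: true },
    'node_modules/minimist': { version: '1.2.0' },
    'node_modules/mocha/node_modules/minimist': { version: '1.2.5', dev: true },
    'node_modules/@types/node': { version: '18.0.0', dev: true },
  },
};

// Package name from an install path: everything after the last "node_modules/"
// segment, which keeps scoped names such as @types/node intact.
function nameFromPath(installPath) {
  const marker = 'node_modules/';
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? null : installPath.slice(idx + marker.length);
}

// Returns a sorted, de-duplicated list of { name, version, direct, dev }.
// "direct" means the root package.json lists it; everything else is transitive.
function resolveDependencies(packageJson, lockfile) {
  if (!lockfile.packages) throw new Error('lockfileVersion 1 is not supported here');
  const direct = new Set([
    ...Object.keys(packageJson.dependencies || {}),
    ...Object.keys(packageJson.devDependencies || {}),
  ]);
  const seen = new Map();
  for (const [installPath, entry] of Object.entries(lockfile.packages)) {
    const name = nameFromPath(installPath);
    if (!name || !entry.version) continue; // skips the root entry "" and links
    const key = `${name}@${entry.version}`;
    if (seen.has(key)) continue;
    seen.set(key, { name, version: entry.version, direct: direct.has(name), dev: Boolean(entry.dev) });
  }
  return [...seen.values()].sort((a, b) => (`${a.name}@${a.version}` < `${b.name}@${b.version}` ? -1 : 1));
}

console.log(resolveDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE));
```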

Configuration

| Variable | Purpose | Default |
|---|---|---|
| CHIFU_API_KEY | Your chf_ key — required for chifu check (or run chifu login) | (none) |
| CHIFU_API_URL | Backend origin | https://api.marshell.dev |

Config is stored at ~/.config/chifu/config.json (mode 600; %APPDATA%\chifu on Windows).

Ecosystems

  • ✅ npm (package.json + package-lock.json, or an installed node_modules)
  • ⏳ Go modules, PyPI — planned

Development

Requires Bun.

bun install
bun run check            # run the CLI against this repo
bun run typecheck        # tsc --noEmit
bun run build            # bundle to dist/cli.js (node-runnable)
node dist/cli.js --help  # run the built bundle under Node

License

MIT