npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@octabits-io/elysia

v0.8.0

Published

Reusable Elysia middleware & helpers: security headers, trusted-proxy client IP, error mapping, response schemas, rate limiting, health routes, app skeleton, and MCP harness

Readme

@octabits-io/elysia

Reusable Elysia middleware and helpers, extracted from production APIs. Domain-agnostic — errors are @octabits-io/foundation's OctError ({ key, message }; KeyedError is kept as an alias), the error handler takes foundation's Logger, and any domain-specific key→status rules are injected via statusOverrides. Foundation is a peer dependency — this package is part of the octabits stack, not a standalone kit.

Contents

  • createSecurityHeadersPlugin(options?) — sets standard hardening response headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, X-XSS-Protection: 0, Permissions-Policy, Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy, CSP, and HSTS in production) on every response, including error responses (headers are staged in onRequest). All values configurable/disable-able via options.
  • createClientIpPlugin(trustedProxies) — derives clientIp from X-Forwarded-For only when the direct connection is a trusted proxy ('*', an IP allowlist, or [] for none), walking the chain right-to-left past trusted proxy hops (rightmost-untrusted, spoof-resistant); IPv6-mapped IPv4 is normalized, garbage entries fall back to the direct peer. Used to key rate limiting. createClientIpResolver / normalizeIp expose the pure logic.
  • Error mappinggetStatusCodeForError, statusErrorWithSet, mapResultError, the ApiError class family (NotFoundError, ForbiddenError, …), isDbConnectionError, and the createErrorHandler global plugin. Response bodies are whitelisted to { key, message[, fields] }, and 5xx messages are redacted in production (the stable key is kept).
  • createRateLimit(options) — app-level rate limiting with a timing-safe skip-by-internal-secret seam and a skip-by-CIDR seam (skipCidrs: real IPv4 CIDR matching, e.g. 10.0.0.0/24, or exact IPs; IPv6-mapped keys normalized).
  • createElysiaApp(routes, options) — the standard app skeleton (securityHeaders → clientIp → rateLimit → [cors/swagger] → errorHandler → routes), preserving the routes' type for Eden Treaty; plus registerGracefulShutdown.
  • createHealthRoutes({ checkReady })/health + /live + /ready with the readiness-failure → 503 mapping.
  • @octabits-io/elysia/mcpcreateMcpRoutes({ resolveScope, registerTools, … }): stateless elysia-mcp harness with a per-request scope correlated via AsyncLocalStorage (interleaving-safe under concurrent requests) and disposed in a finally tied to the request. registerTools also runs once at startup — it must be idempotent and must only call getContainer() inside tool handlers, at invocation time. Scope-key extraction via the required parseScopeKey seam — no default URL convention. Use createPathSegmentScopeParser('scope') for a /scope/:scopeKey/ layout, createPathSegmentScopeParser('tenant') for /tenant/:id/, or () => 'default' for single-scope deployments (it matches the segment's last occurrence and caps key length at 256). The returned plugin composes under prefixed parents (.use() it anywhere in a nested route tree); matched requests are internally re-addressed, so resolveScope should read the public URL from its url argument, not from context.request.url. elysia-mcp + @modelcontextprotocol/sdk are optional peers. ⚠️ On Node runtimes (e.g. vitest), elysia-mcp ≤0.1.1 calls Bun.randomUUIDv7() on every stateless request — shim it in test setup after importing elysia (so Elysia's runtime detection is unaffected): globalThis.Bun = { randomUUIDv7: () => crypto.randomUUID() }.
  • Env-config helpersgetEnv*, isProduction, parseCsv, parseCorsOrigins.
  • Response schemasSCHEMA_ERROR_RESPONSE, SCHEMA_VALIDATION_ERROR, SCHEMA_SUCCESS_RESPONSE, the CommonErrorResponses superset, and the errorResponses(...codes) selector.

Usage

import { Elysia } from 'elysia';
import {
  createSecurityHeadersPlugin,
  createClientIpPlugin,
  createErrorHandler,
  statusErrorWithSet,
  CommonErrorResponses,
} from '@octabits-io/elysia';

const app = new Elysia()
  .use(createSecurityHeadersPlugin())
  .use(createClientIpPlugin(['*']))
  .use(createErrorHandler(logger));

// In a route, translate a Result error to an HTTP response:
if (!result.ok) return statusErrorWithSet(set, result.error, { tenant_not_found: 403 });

Peer dependencies: elysia, zod.