© 2026 – Pkg Stats / Ryan Hefner

@quantasyte/scanner

v0.1.1

Published

Post-quantum + weak-crypto scanner. Runs locally — your source code NEVER leaves your machine. No telemetry. No phone-home. Open-source (Apache 2.0).

Readme

Quantasyte CLI

Post-quantum + weak-crypto scanner. Runs entirely on your machine. Your source code never leaves your network.


🔒 Security & privacy first

If you only read one section, read this. Quantasyte is built specifically for security-conscious teams — including teams subject to DoD, FedRAMP, EU DORA, and FDA data-residency rules.

What we promise:

  • Source code never leaves your machine. The default quantasyte scan ./repo makes ZERO network requests. We physically cannot see your code. There is no upload, no SaaS dependency, no "anonymous telemetry" — nothing.
  • No analytics, no telemetry, no phone-home. The CLI doesn't track usage, doesn't send error reports, doesn't connect to our servers. You can run this on an air-gapped machine.
  • Open source, auditable. Apache 2.0 license + patent grant. Source at https://github.com/mzon7/quantasyte-cli. Read every line before you run it; pin a specific version; vendor it into your own monorepo if you want.
  • No account required. No signup, no email, no credit card. npm install -g @quantasyte/scanner and you're done.
  • Lightweight. ~32KB ESM bundle. Two npm dependencies (commander + Node built-ins). Auditable supply chain.

Optional cloud mode (opt-in only):

If — and only if — you explicitly run quantasyte scan ./repo --cloud, the CLI will upload findings metadata (file paths, line numbers, primitive types, severity) to our cloud and return a temp dashboard URL embedded in your local PDF report. Even in cloud mode, your source code does not leave your network. Only metadata about findings — never the code itself.

The cloud mode is for teams who want to share results with a CISO/auditor without giving them a Quantasyte account. The temp URL works for 30 days, no signup required to view.

For air-gapped / DoD / FedRAMP / strict-data-residency environments: stick with the default offline mode. Use --no-prompt to suppress the cloud signup CTA at the end of each scan.


Install

# npm (recommended)
npm install -g @quantasyte/scanner

# pnpm
pnpm add -g @quantasyte/scanner

# yarn
yarn global add @quantasyte/scanner

(Homebrew + Cargo + PyPI installations coming soon.)

You'll need Node.js 18 or later. Install on a machine with internet access; the CLI then runs offline.


Quickstart

# Scan a directory — prints findings JSON to stdout
quantasyte scan ./path/to/your-repo

# Write findings to a file instead
quantasyte scan ./your-repo --output findings.json

# Machine-readable mode (no end-of-run prompt)
quantasyte scan ./your-repo --json

Output format is a stable, versioned JSON schema (quantasyte-cli-findings/v1) with summary counts + findings array. Easily piped into other tools.


What it detects

  • Post-quantum vulnerable cryptography: RSA, ECDSA, ECDH, DH, named-curve elliptic crypto (P-256, secp256k1), JWT RS256, library-mediated quantum-vulnerable handshake
  • Weak / deprecated primitives: MD5, SHA-1, 3DES, DES, RC4
  • TLS misconfiguration: TLS 1.0 / 1.1 minVersion settings
  • Hardcoded secrets: API keys, AWS access keys, GitHub tokens, GCP service account keys, private key blocks

Across JavaScript, TypeScript, Go, Java, Python, Ruby, PHP, C#, C++.
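To make the four finding categories above concrete, here is a miniature pattern-based scanner written for this README page as an added illustration. It is not Quantasyte's rule set or source code; the rule names, severities, the demo schema id and every sample source line are constructed for this example. It shows the shape of such rules, how a finding is attached to a file and line number, and one false-positive edge case (a whole-line comment that mentions a weak primitive) that a scanner has to handle:

```javascript
// Added illustrative example (not Quantasyte's rule set or source): a miniature
// pattern-based scanner for the four finding categories listed above. Rule names,
// severities, the demo schema id and all sample input are constructed here.

const RULES = [
  { category: 'post-quantum', severity: 'high',     title: 'RSA key generation',
    re: /generateKeyPair(Sync)?\(\s*['"]rsa['"]/ },
  { category: 'post-quantum', severity: 'high',     title: 'ECDH or named-curve ECDSA',
    re: /createECDH\(|['"](prime256v1|P-256|secp256k1)['"]/ },
  { category: 'post-quantum', severity: 'medium',   title: 'JWT RS256 signature',
    re: /\bRS256\b/ },
  { category: 'weak-crypto',  severity: 'high',     title: 'Weak hash (MD5 / SHA-1)',
    re: /createHash\(\s*['"](md5|sha1)['"]/i },
  { category: 'weak-crypto',  severity: 'critical', title: 'Deprecated cipher (DES / 3DES / RC4)',
    re: /createCipheriv\(\s*['"](des|des-ede3|rc4)[^'"]*['"]/i },
  { category: 'tls-config',   severity: 'high',     title: 'TLS 1.0 / 1.1 permitted by minVersion',
    re: /minVersion\s*:\s*['"]TLSv1(\.1)?['"]/ },
  { category: 'secret',       severity: 'critical', title: 'AWS access key ID',
    re: /\bAKIA[0-9A-Z]{16}\b/ },
  { category: 'secret',       severity: 'critical', title: 'Private key block',
    re: /-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
];

// Whole-line comments are skipped so that a TODO mentioning md5 is not reported.
// (Trailing comments and string literals are still scanned; a real scanner tokenizes.)
const WHOLE_LINE_COMMENT = /^\s*(\/\/|#|\*|\/\*)/;

function scanFile(filePath, source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    if (WHOLE_LINE_COMMENT.test(line)) return;
    for (const rule of RULES) {
      if (rule.re.test(line)) {
        findings.push({ category: rule.category, severity: rule.severity,
                        title: rule.title, filePath, lineNumber: idx + 1 });
      }
    }
  });
  return findings;
}

function summarize(findings) {
  const bySeverity = {};
  for (const f of findings) bySeverity[f.severity] = (bySeverity[f.severity] || 0) + 1;
  return { total: findings.length, bySeverity };
}

// Mirrors the documented "summary counts + findings array" shape; the schema id is a demo value.
function scanAll(files) {
  const findings = Object.entries(files).flatMap(([path, src]) => scanFile(path, src));
  return { schema: 'demo-findings/v1', summary: summarize(findings), findings };
}

// Constructed sample sources (not real code from any project).
const SAMPLE_FILES = {
  'src/auth.js': [
    "import crypto from 'node:crypto';",
    "// TODO: remove the crypto.createHash('md5') fallback",   // whole-line comment: skipped
    "const etag = crypto.createHash('sha1').update(body).digest('hex');",
    "const { privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });",
    "const token = jwt.sign(payload, privateKey, { algorithm: 'RS256' });",
  ].join('\n'),
  'config/tls.js': [
    "export const tls = { minVersion: 'TLSv1', ciphers: 'HIGH' };",
    "const AWS_KEY = 'AKIAAAAAAAAAAAAAAAAA'; // constructed placeholder, not a real key",
  ].join('\n'),
};

const report = scanAll(SAMPLE_FILES);
console.log(JSON.stringify(report.summary));   // {"total":5,"bySeverity":{"high":3,"medium":1,"critical":1}}
for (const f of report.findings) console.log(`${f.severity}\t${f.filePath}:${f.lineNumber}\t${f.title}`);
```

Line-oriented regex rules like these are cheap and language-agnostic, which is why they cover JavaScript, Go, Python and the rest with one rule table, but they trade precision for breadth: a tokenizing scanner is needed to tell a real `createHash('md5')` call from the same text inside a string or a trailing comment.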


Optional: connect to the cloud (free)

The Quantasyte CLI is Apache 2.0 forever and complete by itself. If you want continuous monitoring without remembering to run the CLI manually, you can connect a free cloud account to get:

  • Continuous monitoring on push to 1 connected GitHub repo
  • Email alerts on critical findings (leaked credentials, hardcoded tokens)
  • Compliance headline showing how your code maps to NIST IR 8547, DORA Article 16, FDA Cyber, NSA CNSA 2.0, FedRAMP PQ, NYDFS Part 500
  • Quantum readiness PDF for your CISO / auditor
  • 30-day scan history

quantasyte signup
# Or visit https://quantasyte.com/signup

Paid tiers (multi-repo, PR comments, full per-requirement breakdown, CycloneDX CBOM export, Vanta + Drata integrations) will launch when we exit beta. Need any of those today? Email [email protected] — payments aren't wired during beta. See pricing for the planned tiers.


Run on every commit (pre-commit hook)

Add Quantasyte to your pre-commit pipeline so leaked secrets and weak crypto get caught before they reach git history. Pick the option that matches your stack — both block the commit when any critical finding appears.

husky + a tiny shell script

# 1. install husky if you haven't already
npx husky init

# 2. write the hook
cat > .husky/pre-commit <<'EOF'
#!/usr/bin/env sh
findings=$(npx --no-install quantasyte scan . --json --no-prompt)
critical=$(echo "$findings" | grep -o '"severity":"critical"' | wc -l)
if [ "$critical" -gt 0 ]; then
  echo "✘ Quantasyte: $critical critical finding(s) — commit blocked."
  echo "$findings" | npx -p jq jq '.findings[] | select(.severity=="critical") | "\(.title) — \(.filePath):\(.lineNumber)"'
  exit 1
fi
EOF
chmod +x .husky/pre-commit

lefthook config

# lefthook.yml
pre-commit:
  commands:
    quantasyte:
      run: npx --no-install quantasyte scan . --json --no-prompt | jq -e '.summary.bySeverity.critical // 0 | . == 0'
      fail_text: "Quantasyte found a critical issue. Run `quantasyte scan .` for details."

Both options run locally and never phone home. Tweak the threshold (match critical|high instead of just critical in the grep pattern or jq filter) if you want stricter gating.
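The two hooks above gate on the findings JSON with grep and jq. The following is an added example, not Quantasyte's code, of the same gate written in Node so the threshold is a parameter rather than an edited pattern. It consumes a document of the shape this README describes (summary counts plus a findings array whose entries carry severity, title, filePath and lineNumber, the fields the jq expressions above reference) and fails closed when the input is not a findings document at all, which is the case the grep-count version silently passes (a crashed scan prints no "severity":"critical", so the count is zero and the commit goes through). The sample document and the severity ranking are constructed for this demo:

```javascript
// Added example (not Quantasyte's code): a commit gate over a findings document of
// the documented shape (summary counts + findings array with severity, title,
// filePath, lineNumber). The sample document and the severity ranking are constructed.

const SEVERITY_RANK = { critical: 4, high: 3, medium: 2, low: 1, info: 0 };

// Fail closed: anything that is not a findings document (an error message, an empty
// string from a crashed scan) is an error, never "zero findings".
function parseFindings(text) {
  let doc;
  try {
    doc = JSON.parse(text);
  } catch (e) {
    throw new Error(`scanner output is not JSON: ${e.message}`);
  }
  if (!doc || typeof doc !== 'object' || !Array.isArray(doc.findings) || !doc.summary) {
    throw new Error('scanner output lacks summary/findings');
  }
  return doc;
}

// Returns the findings at or above `threshold` and whether the commit should be blocked.
function gate(doc, threshold = 'critical') {
  const min = SEVERITY_RANK[threshold];
  if (min === undefined) throw new Error(`unknown threshold: ${threshold}`);
  const blocking = doc.findings.filter((f) => (SEVERITY_RANK[f.severity] ?? -1) >= min);
  return {
    blocked: blocking.length > 0,
    lines: blocking.map((f) => `${f.severity.toUpperCase()}  ${f.title}  ${f.filePath}:${f.lineNumber}`),
  };
}

function runGate(text, threshold) {
  return gate(parseFindings(text), threshold);
}

// Constructed sample output; field names follow the jq expressions in the hooks above.
const SAMPLE_OUTPUT = JSON.stringify({
  summary: { total: 3, bySeverity: { critical: 1, high: 1, medium: 1 } },
  findings: [
    { severity: 'critical', title: 'Hardcoded AWS access key', filePath: 'src/config.js', lineNumber: 12 },
    { severity: 'high',     title: 'RSA key generation (quantum-vulnerable)', filePath: 'src/keys.js', lineNumber: 40 },
    { severity: 'medium',   title: 'SHA-1 digest', filePath: 'lib/etag.js', lineNumber: 7 },
  ],
});

for (const threshold of ['critical', 'high']) {
  const result = runGate(SAMPLE_OUTPUT, threshold);
  console.log(`threshold=${threshold} blocked=${result.blocked}`);
  for (const l of result.lines) console.log('  ' + l);
}
```

Wired into a hook, the script would read the scanner's stdout instead of SAMPLE_OUTPUT and exit non-zero when `blocked` is true; the point of `parseFindings` is that a scanner failure then also exits non-zero, so the gate never lets a commit through because the scan did not run.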


Frequently-asked security questions

"Does the CLI ever phone home?" No. The default scan command (quantasyte scan) makes zero network requests. Verify with tcpdump, Little Snitch, or your firewall logs.

"What's in the cloud-mode payload?" Findings metadata only: file paths (relative to the repo root), line numbers, rule subtypes, severity, finding count. No source code lines, no code snippets, no file contents. The exact wire format is in the open-source CLI source.

"Can we self-host the cloud component?" Enterprise tier supports air-gapped / on-prem deployment of both the CLI and the dashboard. Cloud-free and Watch tiers use our hosted cloud.

"What license?" Apache 2.0 + explicit patent grant. Compatible with proprietary use, commercial use, modification, redistribution. The patent grant covers Quantasyte's US patent on channel-decoupled hybrid handshake architecture.

"How do we verify the npm package?" The package is published with npm provenance attestations (npm v9+). Source-of-record is https://github.com/mzon7/quantasyte-cli. Compare the published bundle hash against the GitHub release tag.


License

Apache 2.0. See LICENSE.

Patent grant: this software is covered by an explicit patent grant from Quantasyte, Inc. for use of the included implementation.