npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@quickback-dev/cli

v0.10.16

Published

CLI for Quickback — define your backend in TypeScript, compile to a fully wired Cloudflare Worker (or Bun / Node) with auth, database, migrations, security, CMS, and Account UI.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

quickback-dev-paulquickback-dev-paul

Keywords

quickbackclicode-generatorbackendcompilercloudflare-workerscloudflare-d1drizzledrizzle-ormhonobetter-authtypescriptscaffolding

Readme

@quickback-dev/cli

The Quickback CLI — a thin client for the Quickback compiler. Define your backend in TypeScript, run quickback compile, and ship a fully wired Cloudflare Worker (or Bun / Node) project with auth, database, migrations, security pillars, CMS, and Account UI already generated.

npm i -g @quickback-dev/cli
quickback create cloudflare my-app
cd my-app
quickback compile

Full docs: docs.quickback.dev

Commands

| Command | What it does | |---|---| | quickback create <template> <name> | Scaffold a new project from a Quickback template (e.g. cloudflare, bun, nextjs) | | quickback compile | Compile your quickback/quickback.config.ts + feature definitions into a generated project. Writes src/, wrangler.toml, quickback/drizzle/..., etc. | | quickback example [name] | Extract a pre-compiled example project (e.g. recruitment) into the current directory | | quickback init | Initialize the quickback/ folder structure in an existing project | | quickback login | Authenticate against api.quickback.dev (device flow, opens browser) | | quickback logout | Clear stored credentials | | quickback whoami | Show the currently authenticated account | | quickback mcp | Start a stdio MCP server exposing Quickback docs to AI tools (Claude Desktop, Cursor, etc.) | | quickback claude / cursor | Install Quickback's bundled skill / rules into Claude Code or Cursor |

Project layout

my-app/
├── quickback/
│   ├── quickback.config.ts       # providers (cloudflare-d1, better-auth, …), CMS, account, etc.
│   ├── definitions/
│   │   ├── features/<table>/     # schema.ts (Drizzle), resource config (firewall/access/guards/masking)
│   │   └── services/             # queues, realtime, embeddings
│   └── drizzle/                  # migration SQL + meta (compiler-owned, commit this)
├── src/                          # generated runtime — overwritten on every compile
├── wrangler.toml                 # generated
└── package.json

Configuration

| Env var | Purpose | Default | |---|---|---| | QUICKBACK_API_URL | Compiler endpoint | https://compiler.quickback.dev | | QUICKBACK_API_KEY | Skip device-flow login (CI) | — |

Requirements

  • Node.js ≥ 18
  • wrangler (peer requirement only when deploying the generated Cloudflare Worker)

Security & Supply Chain

If you're using a supply-chain scanner (Socket, Snyk, Sonatype, etc.) you may see findings on this package. We're a small team that takes security seriously — here's what each finding actually is, and why it's there.

"Network access" (8 transitive packages)

The CLI itself makes exactly two outbound requests, both to our own subdomains and both gated behind environment-variable overrides:

  • https://compiler.quickback.dev — the compile API (POST /compile, GET /templates, GET /health). Source: src/lib/api-client.ts.
  • https://api.quickback.dev — auth/device-flow login. Source: src/commands/login.ts.

The other 6 transitive packages flagged here (eventsource, eventsource-parser, jose, pkce-challenge, body-parser, proxy-addr) come from the optional MCP SDK transports — see MCP SDK, below.

"Shell access" (2 packages)

cross-spawn and which/isexe, both transitive of @modelcontextprotocol/sdk. The CLI's own shell-out is in src/lib/shell.ts — used to run post-compile commands the compiler returns (e.g. drizzle-kit generate, npm install). Commands are not user-input-derived; they come from the trusted compile API response and run in your project directory.

"Install scripts" (1 package)

esbuild. esbuild ships a platform-specific native binary that's downloaded by its install script. We use esbuild to parse your quickback.config.ts and feature definitions — it's a hard requirement of the CLI. esbuild is one of the most-downloaded packages on npm and is published by the Vercel team.

"Uses eval" (5 transitive packages)

ajv, kleur, qs, pkce-challenge, and one more — none authored by us, none invoked from CLI code. ajv (JSON schema) compiles validators via new Function(), which scanners flag as eval-equivalent. All are transitive of @modelcontextprotocol/sdk.

"AI-detected possible typosquat: parseuri"

False positive. The flagged package is parseurl — a 12-year-old Express middleware (~50M weekly downloads), pulled in via the MCP SDK's HTTP transport. Not a typosquat of parseuri; the names just rhyme.

Why MCP SDK is a hard dependency

@modelcontextprotocol/sdk powers the quickback mcp command — a stdio MCP server that lets Claude Desktop / Cursor / Windsurf read Quickback's documentation as context. We made it a hard dep (rather than a peer dep) so that quickback mcp Just Works after a single npm i -g, no second install step. The SDK is loaded via dynamic import(), so its code never executes unless you actually run quickback mcp.

The trade-off: even users who never run mcp get its transitive packages in their install tree. We think the UX win is worth it; if you're scanning aggressively and would rather we move it to optional peers, open an issue.

URL strings in the bundle

Most of the URLs Socket finds are inside src/docs/content.ts (a JSON dump of the marketing docs we ship for the quickback help and quickback mcp commands) and src/skill/SKILL.md (the Claude Code skill). They're documentation references — never fetched by the CLI.

License

MIT © Kardoe Incorporated

Links