
@rntpkgs/dep-guardian

v0.1.6

Published

Automated npm security fixer — fixes Dependabot, CodeQL, Secret Scanning vulnerabilities with real dependency updates

Readme

@rntpkgs/dep-guardian

Automated security fixer for npm projects. Reads Dependabot, CodeQL, Secret Scanning, and npm audit alerts from GitHub and applies real dependency fixes — updating package.json properly, validating the result, and opening a pull request.

Why

Most security tools tell you what is wrong. This one fixes it.

The key difference from tools that add overrides or resolutions to package.json: dep-guardian traces each vulnerable package to the direct dependency that pulls it in and updates that dependency to a version that ships a safe transitive. If no such version exists, it tells you. If the fix requires a major version bump, it opens a GitHub Issue with the changelog and migration guide instead of silently breaking your app.

Install

npm install -g @rntpkgs/dep-guardian

Requires Node.js >= 20 and a GitHub token with the following permissions:

  • security_events: read (Dependabot, CodeQL, Secret Scanning)
  • contents: write (push fix branch)
  • pull_requests: write (open PR)
  • issues: write (open major bump issues)

export GITHUB_TOKEN=ghp_...
# or
export GH_TOKEN=ghp_...
# or: install the GitHub CLI and run `gh auth login`

Commands

dg scan

Read-only audit. Shows every open vulnerability and what dep-guardian would do about it.

dg scan owner/repo
dg scan owner/repo --source dependabot,npm-audit
dg scan owner/repo --json > report.json

Output:

dep-guardian scan — owner/repo

Vulnerability Summary
   HIGH    3
   MEDIUM  1

   HIGH  qs
    Prototype Pollution in qs
    fix: ^6.5.2 → ^6.11.0 (transitive via express)
    ✔ auto-fixable

   HIGH  semver
    Regular Expression Denial of Service in semver
    fix: ^7.3.5 → ^7.5.2
    ✔ auto-fixable

   HIGH  next
    Next.js authorization bypass
    fix: ^13.0.0 → ^14.2.30
    ⚠ major bump (issue)

Run dep-guardian fix to auto-fix 2 vulnerabilities (1 major bump will create a GitHub issue)

dg fix

Applies minor/patch fixes, validates with lint/typecheck/build/test, and opens a pull request. Creates GitHub Issues for major bumps.

dg fix owner/repo

# Options
dg fix owner/repo --dry-run               # plan only, no file changes or PRs
dg fix owner/repo --path ./local-checkout # use a local clone instead of cloning fresh
dg fix owner/repo --no-validate           # skip lint/build/test after fix
dg fix owner/repo --major-mode skip       # ignore major bumps entirely
dg fix owner/repo --major-mode pr         # open a PR for major bumps instead of an issue
dg fix owner/repo --protected react,next  # never auto-fix these packages
dg fix owner/repo --base develop          # target branch for PRs

The fix process:

  1. Fetches all open alerts (Dependabot + CodeQL + Secret Scanning + npm audit)
  2. Deduplicates across sources — takes the most conservative patched version
  3. Builds the full dependency graph from package-lock.json
  4. For each vulnerable package:
    • If it is a direct dependency → bumps it in package.json
    • If it is transitive → finds the direct ancestor and bumps that to a version shipping a safe transitive
    • If the fix requires a major bump → creates a GitHub Issue instead
  5. Runs npm install
  6. Verifies the vulnerable version is no longer present
  7. Rolls back package.json if verification fails
  8. Runs lint → typecheck → build → test (auto-detected from your package.json scripts)
  9. Commits, pushes a branch, opens a PR
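The ancestor-tracing logic of step 4, as an added example rather than dep-guardian's own code: it walks a constructed lockfileVersion 3 package-lock.json, finds which direct dependency pulls in a vulnerable transitive, and classifies a direct fix as patch, minor or major. The registry lookup that picks the ancestor version shipping a safe transitive is assumed to happen elsewhere, and the tree is assumed to be flat (hoisted).

```javascript
// Added example, not dep-guardian's code. Constructed lockfileVersion 3 fragment;
// the registry lookup that picks a safe ancestor version is out of scope here.
const LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { express: "^4.17.1", semver: "^7.3.5", next: "^13.0.0" } },
    "node_modules/express": { version: "4.17.1", dependencies: { qs: "6.7.0" } },
    "node_modules/qs": { version: "6.7.0" },
    "node_modules/semver": { version: "7.3.5" },
    "node_modules/next": { version: "13.0.0" },
  },
};

// Package name is the path segment after the last "node_modules/" (13 chars).
const nameOf = (key) => key.slice(key.lastIndexOf("node_modules/") + 13);

// name -> [dependency names]; assumes a flat (hoisted) tree, so a nested
// "node_modules/a/node_modules/b" entry would overwrite the top-level "b".
function buildGraph(lock) {
  const graph = new Map();
  for (const [key, entry] of Object.entries(lock.packages)) {
    if (key !== "") graph.set(nameOf(key), Object.keys(entry.dependencies || {}));
  }
  return graph;
}

// Cycle-safe DFS: does `from` reach `target` through the graph?
function reaches(graph, from, target, seen = new Set()) {
  if (from === target) return true;
  if (seen.has(from)) return false;
  seen.add(from);
  return (graph.get(from) || []).some((d) => reaches(graph, d, target, seen));
}

// Direct dependencies (root entry) whose subtree contains `vulnName`.
function directAncestors(lock, vulnName) {
  const graph = buildGraph(lock);
  return Object.keys(lock.packages[""].dependencies || {}).filter((d) => reaches(graph, d, vulnName));
}

// Compare the declared range ("^7.3.5") with the patched version ("7.5.2").
function bumpKind(range, patched) {
  const [cMaj, cMin] = range.replace(/^[\^~>=<\s]+/, "").split(".").map(Number);
  const [pMaj, pMin] = patched.split(".").map(Number);
  return pMaj !== cMaj ? "major" : pMin !== cMin ? "minor" : "patch";
}

// Plan one alert as step 4 describes: direct -> bump it (major -> issue, else PR);
// transitive -> name the direct ancestor(s) to bump instead.
function planAlert(lock, alert) {
  const root = lock.packages[""].dependencies || {};
  if (!root[alert.name]) return { name: alert.name, direct: false, via: directAncestors(lock, alert.name) };
  const bump = bumpKind(root[alert.name], alert.patched);
  return { name: alert.name, direct: true, bump, action: bump === "major" ? "issue" : "pr" };
}
```

For the three alerts shown in the scan output above, this yields qs → bump express, semver → minor bump in a PR, next → major bump routed to an issue.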

dg status

Security health dashboard for a repository.

dg status owner/repo
dg status owner/repo --json

Output:

Security Status — owner/repo
Overall: AT RISK

Dependabot Alerts
  critical ░░░░░░░░░░░░░░░░░░░░ 0
  high     ████████████░░░░░░░░ 3
  medium   ████░░░░░░░░░░░░░░░░ 1
  low      ░░░░░░░░░░░░░░░░░░░░ 0

Other Findings
  CodeQL findings:  2
  Exposed secrets:  0

dg init

Scaffolds a config file and a GitHub Actions workflow into the current project.

cd my-project
dg init

Creates:

  • dep-guardian.config.json — config file, edit the repo field
  • .github/workflows/dep-guardian.yml — runs every Monday, also manually triggerable

Configuration

Drop a dep-guardian.config.json in your project root to avoid passing flags every time:

{
  "repo": "owner/repo",
  "baseBranch": "main",
  "sources": ["dependabot", "codeql", "npm-audit", "secret-scanning"],
  "majorBumpMode": "issue",
  "validate": ["lint", "typecheck", "build", "test"],
  "scripts": {
    "lint": "npm run lint:ci",
    "test": "npm run test:unit"
  },
  "protected": ["react", "react-dom", "next"],
  "maxAlerts": 50
}

| Field | Default | Description |
|---|---|---|
| repo | inferred from git remote | owner/repo |
| baseBranch | main | Base branch for PRs |
| sources | all four | Alert sources to check |
| majorBumpMode | issue | issue, pr, or skip |
| validate | all four | Steps to run after fixing |
| scripts | auto-detected | Override auto-detected npm scripts |
| protected | [] | Packages to never auto-fix |
| maxAlerts | unlimited | Cap alerts processed per run |

GitHub Action

Use dep-guardian as a GitHub Action in any repository:

name: dep-guardian

on:
  schedule:
    - cron: '0 9 * * 1'   # every Monday at 09:00 UTC
  workflow_dispatch:

permissions:
  contents: write
  pull-requests: write
  issues: write
  security-events: read

jobs:
  dep-guardian:
    runs-on: ubuntu-latest
    env:
      FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - uses: actions/setup-node@v4
        with:
          node-version: '24'
          cache: 'npm'

      - run: npm ci

      - name: Configure git
        run: |
          git config user.name "dep-guardian[bot]"
          git config user.email "dep-guardian[bot]@users.noreply.github.com"

      - uses: rnataoliveira/deb-guardian@main
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          major-bump-mode: issue

Or run dg init to generate this automatically.

Action inputs

| Input | Default | Description |
|---|---|---|
| github-token | required | GitHub token |
| dry-run | false | Plan only, no changes |
| major-bump-mode | issue | issue, pr, or skip |
| sources | all four | Comma-separated alert sources |
| validate | all four | Comma-separated validation steps |
| protected | (empty) | Comma-separated packages to never auto-fix |
| base-branch | repo default | Base branch for PRs |

Action outputs

| Output | Description |
|---|---|
| fixes-applied | Number of vulnerabilities fixed |
| pr-url | URL of the created pull request |
| issues-created | Comma-separated URLs of issues created for major bumps |

License

MIT