
@roland.botka/dep-guard

v1.0.0

Guardrail for safe npm dependency updates

dep-guard

Guardrail CLI for safer npm dependency management.
dep-guard provides secure workflows for installing, updating, and adding npm dependencies with built-in security checks and time-based safety buffers.

dep-guard is intentionally opinionated: it favors security and explicit decisions over speed and convenience.

This is the first stable (1.0.0) release. Commands and flags are considered stable across 1.x versions.


Quick Start

npm install -g @roland.botka/dep-guard
dep-guard update --dry-run

Key Features

🔒 Security-First

  • Integration with scfw (Supply Chain Firewall)
  • NPQ security checks for every package
  • Time-based safety buffer (default: 7 days)
  • All installs run with --ignore-scripts by default

🎯 Interactive & User-Friendly

  • Interactive package selection (checkboxes)
  • Clear confirmation prompts at every step
  • Dry-run mode to preview updates safely
  • Helpful, actionable error messages

Quality Gates (Optional)

  • Lint, typecheck, test, and build verification
  • Configurable script names
  • Graceful skips for missing scripts

📦 Exact Version Management

  • All installs use --save-exact (no ^ or ~)
  • Reproducible dependency trees
  • Only versions older than the safety buffer are allowed

Commands

dep-guard install

Fresh install of all dependencies from package.json:

  • Uses scfw run npm install --ignore-scripts --before <date>
  • Falls back to npm install with the same flags only when --allow-npm-install is passed (see Requirements)
  • Applies the safety buffer (default: 7 days)
  • Regenerates package-lock.json

dep-guard update

Safe dependency updates with multiple guardrails.

Workflow:

  1. Check for updates via npm-check-updates
  2. Apply the safety buffer (exclude versions published less than N days ago; default 7)
  3. Group updates by Major / Minor / Patch
  4. Interactive selection
  5. NPQ security validation
  6. Secure installation via scfw
  7. Clean reinstall (npm ci --ignore-scripts)
  8. Optional quality checks
  9. Optional build verification

Highlights:

  • Interactive update selection
  • Per-package NPQ validation
  • --dry-run mode (no install, no scfw required)
  • User can cancel at any point (Ctrl+C)

dep-guard add <package>

Add a new dependency with security validation:

  • Resolves the requested version, or the newest version old enough to pass the safety buffer
  • Applies safety buffer (default: 7 days)
  • Detects existing dependencies (update / keep / cancel)
  • NPQ security validation before install
  • Installs with --save-exact
  • Supports dev dependencies via -D
  • One package per invocation

Requirements

  • Node.js >= 24
  • npm
  • scfw (Supply Chain Firewall) — strongly recommended
    • Install via pipx install scfw (recommended) or pip install scfw
    • https://github.com/DataDog/supply-chain-firewall
    • If scfw is not available, use --allow-npm-install to fall back to npm

Security Model

scfw (Supply Chain Firewall)

When scfw is installed, dep-guard routes every install through it to:

  • Block known vulnerable packages
  • Detect suspicious behavior
  • Enforce security policies during install

NPQ (Node Package Query)

NPQ checks run before every install:

  • Supply-chain risk signals
  • Package health & maintenance status
  • Provenance verification

Users must explicitly approve risky packages.

Why a Safety Buffer?

Waiting N days (default: 7) before accepting a release protects against:

  • Freshly published typosquatted packages (a package younger than the buffer has no version old enough to install)
  • Compromised maintainer accounts (malicious versions are usually reported and unpublished within days)
  • Rushed or broken releases
  • Early-stage supply-chain attacks

The buffer is a delay, not a scanner: it only helps when a bad release is noticed and pulled within the window, which is why it is combined with the scfw and NPQ checks rather than relied on alone.

Usage

dep-guard <command> [options]

Commands

  • install – Fresh install from package.json
  • update – Safe dependency updates
  • add <package> – Securely add a dependency

Options

  • -d, --days <n> – Safety buffer in days (default: 7)
  • --allow-npm-install – Allow npm fallback
  • --dry-run – Preview updates without installing (update only)
  • -D, --save-dev – Add as dev dependency (add only)
  • --lint <script> – Lint script (update only)
  • --typecheck <script> – Typecheck script (update only)
  • --test <script> – Test script (update only)
  • --build <script> – Build script (update only)
  • -v, --version – Print the dep-guard version
  • -h, --help – Print usage

Install / Run

npm install -g @roland.botka/dep-guard

dep-guard install
dep-guard update
dep-guard add vue

Or without installing:

npx @roland.botka/dep-guard update --dry-run

Development

npm run typecheck
npm test
npm run test:coverage

Notes

  • Quality checks are optional and skipped if scripts are missing
  • All installs intentionally use --ignore-scripts by default

License

MIT (see LICENSE)