npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@rsuthar/state-guard-js

v1.1.0

Published

Proactive DOM attribute protection library.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Maintainers

rsutharrsuthar

Keywords

dom-protectionsecuritymutation-observertamper-protectionui-securityjavascript-securityreact-securityangular-securitystate-guardclient-side-security

Readme

🛡️ StateGuard.js

npm version license npm downloads

Keywords: dom-protection, security, mutation-observer, tamper-protection, ui-security, javascript-security, react-security, angular-security, state-guard, client-side-security

Website: StateGuard.js

Stop users from messing with your UI logic via the console.

StateGuard.js is a lightweight utility that locks DOM element attributes. If a user tries to remove a disabled attribute, change a class, or inject an onclick event via DevTools, StateGuard detects it and reverts the change in milliseconds.

🚀 Key Features

  • Zero-Latency Reversion: Uses MutationObserver for near-instant attribute restoration.
  • Security Thresholds: Detects and reports repeated tampering attempts.
  • Multi-Framework Support: Specialized hooks for React and Directives for Angular.
  • Small Footprint: Under 2KB minified.

Core Concepts

Snapshotting: The library takes a "Source of Truth" snapshot of an element's attributes upon initialization.

The Guard: A MutationObserver watches the element 24/7. If an attribute is changed manually, it is instantly reverted to the snapshot.

Programmatic Gateway: Authorized changes must pass through the .update() method, which temporarily unlocks the element and updates the snapshot.

Installation

CDN

Include the minified version of StateGuard.js via CDN:

<script src="https://cdn.jsdelivr.net/npm/@rsuthar/state-guard-js/dist/state-guard.min.js"></script>

NPM

Install the package via npm:

npm install @rsuthar/state-guard-js

Yarn

yarn add @rsuthar/state-guard-js

PNPM

pnpm add @rsuthar/state-guard-js

API Reference

StateGuard.protect(selector, options) Initializes protection on one or more elements.

|Property|Type|Default|Description| |---|---|---|---| |selector|string|Required|"CSS selector (e.g., #btn, .admin-fields)."| |attributes|array or string,'all',"List of attributes to protect (e.g., ['class', 'disabled'])."| |maxAttempts|number,3,Number of manual changes allowed before triggering a violation.| |onViolation|function,null,Callback executed when maxAttempts is reached.|

Key Features

  • Persistent State: Automatically reverts any unauthorized attribute changes.
  • Threshold Alerts: Triggers security callbacks after a set number of tamper attempts.
  • Framework Agnostic: Works with Vanilla JS, React, and Angular.
  • Backend Sync: Built-in hooks to report "Hacker" behavior to your servers.

🛠️ Integration Guide

Vanilla JavaScript

Protect any element using standard CSS selectors.

StateGuard.protect('.secure-action', {
    attributes: ['disabled', 'class', 'onclick'],
    maxAttempts: 3,
    onViolation: (el, count) => {
        console.error("Reporting tamper attempt to server...");
        
        // Send the report to your backend
        fetch('/api/security/log-tamper', {
            method: 'POST',
            headers: { 'Content-Type': 'application/json' },
            body: JSON.stringify({
                elementId: el.id || 'unnamed-element',
                elementTag: el.tagName,
                attempts: count,
                timestamp: new Date().toISOString(),
                userAgent: navigator.userAgent
            })
        })
        .then(() => {
            if (count > 5) {
                alert("Security policy violation. This session will be terminated.");
                window.location.href = '/logout';
            }
        });
    }
});

React (Using Hooks)

The hook manages the lifecycle of the observer and ensures it cleans up when the component unmounts.

const { elementRef, safeUpdate } = useStateGuard({ attributes: ['class'] });

// Use safeUpdate to modify the element without triggering the guard
const handleUnlock = () => {
  safeUpdate((el) => el.classList.remove('locked'));
};

Angular (Using Directives)

Apply protection declaratively in your templates.

<button appStateGuard [protectedAttributes]="['disabled']" (violation)="logIt($event)">
  Secure Action
</button>

🔒 Security Hardening Tips

  1. Run the Obfuscator: Always run npm run obfuscate before deploying. This makes it incredibly difficult for attackers to find the "unlock" logic in your source code.
  2. The Debugger Loop: Our production build includes a self-defending loop that triggers a debugger statement if DevTools are opened while the script is running.
  3. Backend Verification:
  • Level 1: StateGuard prevents the button from being enabled.
  • Level 2: Your server verifies if the user actually has the permissions to perform the action associated with that button. Never trust the client alone.

🧪 Testing the Guard

To verify that the protection is active, run the included Jest suite:

npm test

This suite simulates a user attempting to delete attributes via the console and confirms the library restores them within the 100ms threshold.

Release Notes

Here are the official Release Notes for your version 1.0.0 launch. You can paste these directly into the "Releases" section of your GitHub repository.

**🚀 Release v1.0.0: StateGuard.js Initial Launch We are excited to announce the first stable release of StateGuard.js, a proactive security utility designed to harden client-side UI logic and prevent manual DOM tampering.

🌟 Features

  • Persistent Attribute Guard: Uses MutationObserver to instantly revert unauthorized changes to disabled, class, readonly, and more.
  • Framework First: Includes native support for React (hooks) and Angular (directives).
  • Security Thresholds: Customizable maxAttempts logic to detect and log repeated tampering behavior.
  • Automated Pipeline: Integrated GitHub Actions for automated testing and JavaScript Obfuscation.
  • Reporting Hook: Seamless onViolation callback for backend integration and audit logging.

📦 Installation Download the dist/state-guard.obf.js for production.

Initialize with StateGuard.protect(selector, options).

🛡️ Best Practices for this Version Obfuscate always: Never use the src/ files in a public production environment.

Update Gateway: Always use the .update() or safeUpdate methods to modify protected elements programmatically to avoid "infinite revert" loops.

Next Steps for You

  1. Initialize the project: Run npm init -y in your folder and paste the package.json content.
  2. Install dependencies: Run npm install.
  3. Build: Run npm run build to generate your minified file.

Would you like me to help you write a sample GitHub Action script so that this library is automatically tested and obfuscated every time you push code to your repository?