npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@seqra/opentaint-viewer

v0.1.1

Published

In-browser, VS Code–style viewer for OpenTaint taint-analysis (SARIF) results — generate a self-contained, offline HTML report from a CLI.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

seqradevseqradev

Keywords

opentaintsariftaint-analysissastsecurityviewercli

Readme

Why

  • Trace taint end to end. A Monaco editor highlights the flow in blue and the dangerous call in red; step through it from untrusted input to dangerous call, with cross-file hops switching the active file for you.
  • Findings and rules, side by side. VS Code–style trees group findings by directory and list the ruleset; open a finding to read the rule that fired — markdown description, CWE tags, severity, and ordered taint steps.
  • Offline, single file. Export one self-contained index.html — JS, CSS, fonts, and Monaco all inlined. No server, no network. Share it as-is.

Quick Start

Generate a report from an OpenTaint SARIF — no install required (npx fetches the CLI on demand):

# Open the report in your browser
npx @seqra/opentaint-viewer serve --sarif results.sarif

# Or write a self-contained, offline HTML file
npx @seqra/opentaint-viewer export --sarif results.sarif --out report.html

Prefer a global command? npm install -g @seqra/opentaint-viewer, then run opentaint-viewer serve --sarif results.sarif.

The builtin ruleset is found next to the opentaint engine binary on your PATH, and the source root is read from the SARIF — so the common case needs only --sarif. No SARIF yet? Run OpenTaint to produce one.

Add --rules ./my-rules to show your project's custom rules alongside the builtin set.

| Option | Default | Meaning | | --- | --- | --- | | --sarif <file> | — (required) | SARIF report. | | --src <dir> | SARIF %SRCROOT%, else the SARIF's directory | Source root. | | --builtin-rules <dir> | ../lib/rules next to the opentaint binary on PATH, else next to the CLI | Builtin ruleset directory (the engine's shipped rules). | | --rules <dir> | — (optional) | Your project's custom rules; shown under "Custom" and linked from findings. Custom wins on an id collision with a builtin rule. A rule in neither set still renders, marked "definition not available". | | --name <id> | basename of the source root | Project name in the UI. | | --port <n> (serve) | 5151 | Listen port. | | --no-open (serve) | — | Don't auto-open the browser. | | --out <file> (export) | opentaint-report.html | Output HTML path. |

Run the engine only through Docker? Extract its ruleset once and pass --builtin-rules ./rules — see the OpenTaint quick-start for the Docker invocation.

Try the demo

Have OpenTaint installed? Scan the seqra/java-spring-demo project and open the report — npx fetches the viewer, nothing to install:

git clone https://github.com/seqra/java-spring-demo
opentaint scan --output java-spring-demo/results.sarif java-spring-demo

# Open it in the browser
npx @seqra/opentaint-viewer serve --sarif java-spring-demo/results.sarif
# Or write a shareable offline file
npx @seqra/opentaint-viewer export --sarif java-spring-demo/results.sarif --out report.html

Just want to preview the UI? The repo commits a demo data/content.json13 findings (Template Injection, SSRF, XSS) over 47 rules — rendered by the dev server: npm install && npm run dev.

The viewer is a generic React app that renders one committed data/content.json. The CLI above is the easy path; this build-from-scratch flow regenerates the committed demo and works for any project:

npm install
npm run gen -- \
  --sarif your-project/results.sarif \
  --src   your-project/src \
  --rules "$(dirname "$(command -v opentaint)")/../lib/rules" \
  --name  your-project
npm run build:single   # writes a self-contained dist-single/index.html; use npm run build for a hosted dist/ build

In this legacy npm run gen workflow, --rules is the builtin ruleset — it predates the CLI's flag split (--builtin-rules builtin, --rules custom). If your SARIF artifactLocation.uri values aren't relative to the parent of --src, pass --root <dir>.

| Script | What it does | | --- | --- | | npm run dev | Vite dev server with HMR. | | npm run cli | Run the CLI from source via tsx (npm run cli -- export --sarif results.sarif --out report.html). | | npm run gen | Generate data/content.json from a SARIF + source + rules. | | npm run build:single | Build a single self-contained offline index.html into dist-single/. | | npm run build | Type-check (tsc --noEmit) and build the hosted site to dist/. | | npm run build:dist | Build the shippable CLI bundle + template into dist-cli/. | | npm test / npm run coverage | Vitest unit/component tests (+ V8 coverage). | | npm run e2e | Playwright end-to-end tests. |

Stack: React 18, TypeScript, Vite, Monaco Editor, Zustand, react-resizable-panels, Lucide, JetBrains Mono. The viewer is fully static — it loads one bundled data/content.json (shape in src/types/content.ts) into a Zustand store and renders everything from it; no backend, no network calls for analysis. CI (ci.yml) runs the build, coverage, and Playwright suite on every push and PR.

Learn more

License

MIT