
@sparky123/vibecheck

v0.3.0

Published

A TypeScript CLI tool to scan codebases for security issues and best practice violations

Downloads

51

Readme

VibeCheck

A security scanner for modern web applications that helps developers identify common security issues, especially in Next.js, Supabase, and AI-integrated applications.

Features

VibeCheck currently checks for:

  • Next.js Environment Variables: Detects sensitive data exposed in NEXT_PUBLIC_ environment variables
  • API Key Exposure: Finds hardcoded API keys from various services (OpenAI, Supabase, AWS, etc.)
  • Supabase Row Level Security: Identifies tables missing RLS or with insecure public policies
  • API Rate Limiting: Detects API routes without proper rate limiting
  • JWT Insecure Storage: Finds JWT tokens stored insecurely in localStorage or sessionStorage
  • CORS Misconfigurations: Identifies insecure CORS settings that could lead to cross-origin attacks
  • AI Cost Controls: Detects missing controls for AI APIs that could lead to unexpected costs

Installation

# Install globally
npm install -g @sparky123/vibecheck

# Or run with npx
npx @sparky123/vibecheck

Quick Start

# Go to your project directory
cd your-project

# Run the security scan
vibecheck scan .

Usage

# Scan the current directory
vibecheck

# Scan a specific directory
vibecheck scan /path/to/your/project

# Skip specific checkers
vibecheck scan --skip api-key-checker rate-limit-checker

# Generate a detailed report
vibecheck scan --output vibecheck-report.md

Options

  • --verbose: Show detailed output
  • --output <file>: Save the report to a file
  • --format <format>: Report format (markdown, json, text)
  • --ignore <patterns...>: Glob patterns to ignore
  • --skip <checkers...>: Checkers to skip
  • --no-passed: Hide passed checks in the report

Security Checkers

Next.js Public Environment Variable Checker

The next-public-env-checker scans for sensitive data in environment variables with the NEXT_PUBLIC_ prefix. These variables are included in the client-side bundle and are visible to anyone who views your website.

Issues Detected:

  • API keys exposed in public environment variables
  • Authentication secrets visible in the client-side code
  • Sensitive configuration accessible in frontend code

Recommendation:

Move sensitive data to server-side environment variables (without the NEXT_PUBLIC_ prefix) and access them via API routes or server components.
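As an added example (not VibeCheck's own code), here is a small TypeScript check in the spirit of the next-public-env-checker: it parses a .env file and flags NEXT_PUBLIC_ entries whose name or value indicates a server-side secret. The name hints, the value patterns and the sample file are this example's assumptions, not the tool's rules; "KEY" alone is deliberately not a hint because NEXT_PUBLIC_SUPABASE_ANON_KEY is meant to be public.

```typescript
// Added example, not VibeCheck's own code: flag NEXT_PUBLIC_ variables in a
// .env file whose name or value indicates a server-side secret. The name
// hints, value patterns and sample file below are this example's assumptions.

interface EnvFinding {
  line: number;
  name: string;
  reason: string;
}

// Name fragments that should never appear on a client-exposed variable.
// "KEY" alone is absent on purpose: NEXT_PUBLIC_SUPABASE_ANON_KEY is public by design.
const SECRET_NAME_HINTS = ["SECRET", "PRIVATE", "SERVICE_ROLE", "PASSWORD", "PASSWD", "ACCESS_TOKEN"];

// Value shapes that identify a server credential regardless of the name.
const SECRET_VALUE_PATTERNS: { label: string; re: RegExp }[] = [
  { label: "OpenAI-style secret key", re: /^sk-[A-Za-z0-9_-]{20,}$/ },
  { label: "AWS access key id", re: /^AKIA[0-9A-Z]{16}$/ },
  { label: "PEM private key", re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/ },
];

// Parse one dotenv line; handles `export`, quoted values and trailing comments.
function parseEnvLine(raw: string): { name: string; value: string } | null {
  const line = raw.trim();
  if (line === "" || line.charAt(0) === "#") return null;
  const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
  if (!m) return null;
  let value = m[2].trim();
  const quoted = /^(["'])(.*)\1\s*(?:#.*)?$/.exec(value);
  if (quoted) {
    value = quoted[2];
  } else {
    value = value.replace(/\s+#.*$/, "").trim(); // drop an unquoted trailing comment
  }
  return { name: m[1], value };
}

// Scan a whole .env file and report NEXT_PUBLIC_ entries that carry secrets.
function checkNextPublicEnv(contents: string): EnvFinding[] {
  const findings: EnvFinding[] = [];
  const lines = contents.split(/\r?\n/);
  for (let i = 0; i < lines.length; i++) {
    const entry = parseEnvLine(lines[i]);
    if (!entry || entry.name.indexOf("NEXT_PUBLIC_") !== 0) continue;
    const upper = entry.name.toUpperCase();
    const hint = SECRET_NAME_HINTS.filter((h) => upper.indexOf(h) !== -1)[0];
    if (hint) {
      findings.push({ line: i + 1, name: entry.name, reason: `name contains "${hint}"` });
      continue;
    }
    const hit = SECRET_VALUE_PATTERNS.filter((p) => p.re.test(entry.value))[0];
    if (hit) {
      findings.push({ line: i + 1, name: entry.name, reason: `value matches the ${hit.label} format` });
    }
  }
  return findings;
}

// Constructed sample .env.local; every value is fake.
const SAMPLE_ENV = [
  "# constructed sample .env.local",
  "NEXT_PUBLIC_SUPABASE_URL=https://example.supabase.co",
  'NEXT_PUBLIC_API_BASE="https://api.example.test"   # public by design',
  "NEXT_PUBLIC_OPENAI_KEY=sk-EXAMPLEexampleEXAMPLEexample1234",
  "NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY=eyJhbGciOi.example.example",
  "OPENAI_API_KEY=sk-EXAMPLEexampleEXAMPLEexample1234   # server-only, not flagged",
].join("\n");

for (const f of checkNextPublicEnv(SAMPLE_ENV)) {
  console.log(`line ${f.line}: ${f.name} (${f.reason})`);
}
```

The two findings the sample produces are the ones that matter in practice: a value that is unmistakably a private key format, and a name that says "service role", which in Supabase bypasses RLS entirely. Moving those two lines to variables without the prefix, read only from server code, resolves both.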

API Key Checker

The api-key-checker looks for hardcoded API keys and secrets in your codebase that could be committed to version control.

Issues Detected:

  • OpenAI, Anthropic, and other AI service keys
  • Supabase, Firebase, and other database service keys
  • AWS, Google Cloud, and other infrastructure credentials

Recommendation:

Store API keys in environment variables and use proper secret management.
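As an added example (not VibeCheck's own code), the following TypeScript scanner shows how an api-key-checker can combine built-in patterns with extra ones supplied in the same { service, pattern, recommendation } shape as the checkerOptions.apiKey.additionalPatterns option described under Configuration. The built-in patterns, the masking rule and the sample source are this example's assumptions.

```typescript
// Added example, not VibeCheck's own code: scan source text for hardcoded
// credentials using a built-in pattern table plus caller-supplied patterns in
// the { service, pattern, recommendation } shape the README's
// checkerOptions.apiKey.additionalPatterns uses. The built-in patterns and the
// sample source below are this example's assumptions.

interface KeyPattern {
  service: string;
  pattern: string;        // regex source, compiled with the "g" flag
  recommendation: string;
}

interface KeyFinding {
  service: string;
  line: number;
  masked: string;         // the report never echoes the full secret
  recommendation: string;
}

const BUILTIN_KEY_PATTERNS: KeyPattern[] = [
  { service: "OpenAI", pattern: "\\bsk-[A-Za-z0-9_-]{20,}\\b", recommendation: "Read the key from process.env on the server" },
  { service: "AWS", pattern: "\\bAKIA[0-9A-Z]{16}\\b", recommendation: "Use an IAM role or the SDK credential chain instead of static keys" },
  { service: "PEM private key", pattern: "-----BEGIN [A-Z ]*PRIVATE KEY-----", recommendation: "Load private keys from a secret store, never from source" },
];

// Keep enough of the match to locate it, never enough to reuse it.
function maskSecret(secret: string): string {
  return secret.length <= 8 ? "****" : secret.slice(0, 4) + "..." + secret.slice(-2);
}

// Scan line by line so each finding carries a line number for the report.
function scanForApiKeys(source: string, additional: KeyPattern[] = []): KeyFinding[] {
  const compiled = BUILTIN_KEY_PATTERNS.concat(additional).map((spec) => ({ spec, re: new RegExp(spec.pattern, "g") }));
  const findings: KeyFinding[] = [];
  const lines = source.split(/\r?\n/);
  for (let i = 0; i < lines.length; i++) {
    for (const entry of compiled) {
      entry.re.lastIndex = 0;
      let m: RegExpExecArray | null;
      while ((m = entry.re.exec(lines[i])) !== null) {
        findings.push({ service: entry.spec.service, line: i + 1, masked: maskSecret(m[0]), recommendation: entry.spec.recommendation });
        if (m[0] === "") entry.re.lastIndex++; // guard against a zero-width pattern looping forever
      }
    }
  }
  return findings;
}

// Constructed sample source file; every credential below is fake.
const SAMPLE_SOURCE = [
  'import OpenAI from "openai";',
  'const client = new OpenAI({ apiKey: "sk-EXAMPLEexampleEXAMPLEexample1234" });',
  'const s3 = { accessKeyId: "AKIAEXAMPLEEXAMPLE01", secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY };',
  'const custom = "custom-0123456789abcdef0123456789abcdef";',
  'const safe = process.env.OPENAI_API_KEY; // correct: no literal in source',
].join("\n");

// Same shape as the README's additionalPatterns entry.
const CUSTOM_PATTERNS: KeyPattern[] = [
  { service: "Custom API", pattern: "custom-[a-z0-9]{32}", recommendation: "Store custom API keys in environment variables" },
];

for (const f of scanForApiKeys(SAMPLE_SOURCE, CUSTOM_PATTERNS)) {
  console.log(`line ${f.line}: ${f.service} key ${f.masked} - ${f.recommendation}`);
}
```

Two design points carry over to any real checker: findings must be masked before they reach a report file that may itself be committed or shared, and user-supplied patterns are compiled once rather than per line so a slow regex costs no more than it has to.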

Supabase RLS Checker

The supabase-rls-checker analyzes your SQL files to ensure Row Level Security is properly configured.

Issues Detected:

  • Tables without RLS enabled
  • Public policies that grant unrestricted access
  • Missing access controls for sensitive data

Recommendation:

Enable RLS for all tables and create proper access policies.
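As an added example (not VibeCheck's own code), here is a TypeScript analysis of a SQL migration that finds tables without RLS and policies that grant unrestricted access. The statement patterns and the sample migration are this example's assumptions, and it covers the common Supabase migration idioms rather than the full PostgreSQL grammar.

```typescript
// Added example, not VibeCheck's own code: a small SQL-text analysis that
// records which tables enable Row Level Security and which policies are
// unrestricted. The statement patterns and the sample migration below are this
// example's assumptions; it handles common Supabase migration idioms, not
// every PostgreSQL syntax.

interface RlsFinding {
  table: string;
  severity: "high" | "medium";
  issue: string;
}

// Strip comments, then split into whitespace-normalised statements.
function splitSqlStatements(sql: string): string[] {
  return sql
    .replace(/--[^\n]*/g, "")
    .replace(/\/\*[\s\S]*?\*\//g, "")
    .split(";")
    .map((s) => s.replace(/\s+/g, " ").trim())
    .filter((s) => s.length > 0);
}

// "public"."orders" -> orders
function bareTableName(ident: string): string {
  const parts = ident.split(".");
  return parts[parts.length - 1].replace(/"/g, "").toLowerCase();
}

const SQL_IDENT = '("?[A-Za-z_][A-Za-z0-9_]*"?(?:\\."?[A-Za-z_][A-Za-z0-9_]*"?)?)';
const CREATE_TABLE_RE = new RegExp("^create table (?:if not exists )?" + SQL_IDENT, "i");
const ENABLE_RLS_RE = new RegExp("^alter table (?:only )?" + SQL_IDENT + " enable row level security", "i");
const CREATE_POLICY_RE = new RegExp('^create policy (?:"[^"]*"|[A-Za-z_][A-Za-z0-9_]*) on ' + SQL_IDENT + "(.*)$", "i");

function checkSupabaseRls(sql: string): RlsFinding[] {
  const rlsEnabled: Record<string, boolean> = {};
  const tableOrder: string[] = [];
  const policyFindings: RlsFinding[] = [];

  for (const stmt of splitSqlStatements(sql)) {
    let m: RegExpExecArray | null;
    if ((m = CREATE_TABLE_RE.exec(stmt)) !== null) {
      const t = bareTableName(m[1]);
      if (tableOrder.indexOf(t) === -1) {
        tableOrder.push(t);
        rlsEnabled[t] = false;
      }
    } else if ((m = ENABLE_RLS_RE.exec(stmt)) !== null) {
      rlsEnabled[bareTableName(m[1])] = true;
    } else if ((m = CREATE_POLICY_RE.exec(stmt)) !== null) {
      const t = bareTableName(m[1]);
      const clause = m[2].toLowerCase();
      // A policy with no TO clause applies to PUBLIC, i.e. every role including anon.
      const toClause = /\bto ([a-z_, ]+?)(?: using | with check |$)/.exec(clause);
      const appliesToAnon = toClause === null || /\b(?:anon|public)\b/.test(toClause[1]);
      const unrestricted = /\b(?:using|with check) \(\s*true\s*\)/.test(clause);
      if (unrestricted) {
        policyFindings.push(appliesToAnon
          ? { table: t, severity: "high", issue: "Public policy grants unrestricted access to anonymous users" }
          : { table: t, severity: "medium", issue: `Policy grants unrestricted access to role(s) ${toClause![1].trim()}` });
      }
    }
  }

  const missingRls = tableOrder
    .filter((t) => !rlsEnabled[t])
    .map((t): RlsFinding => ({ table: t, severity: "high", issue: "Row Level Security is not enabled" }));
  return missingRls.concat(policyFindings);
}

// Constructed sample migration in the style of a Supabase project.
const SAMPLE_MIGRATION = `
-- profiles: RLS on, policy scoped to the row owner
create table public.profiles (id uuid primary key, email text);
alter table public.profiles enable row level security;
create policy "Users read own profile" on public.profiles
  for select to authenticated using (auth.uid() = id);

-- orders: RLS never enabled
create table public.orders (id bigint primary key, user_id uuid, total numeric);

-- products: RLS on, but the policy lets anon do anything
create table public.products (id bigint primary key, name text);
alter table public.products enable row level security;
create policy "Anyone can do anything" on public.products
  for all to anon using (true) with check (true);
`;

for (const f of checkSupabaseRls(SAMPLE_MIGRATION)) {
  console.log(`${f.severity.toUpperCase()} ${f.table}: ${f.issue}`);
}
```

The products case is the one that slips past a checker that only looks for ENABLE ROW LEVEL SECURITY: RLS is on, but a USING (true) policy for anon makes it equivalent to off. The profiles policy is the pattern to aim for, a predicate on auth.uid() limited to the authenticated role.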

API Rate Limiting Checker

The rate-limit-checker identifies API routes missing rate limiting protection.

Issues Detected:

  • Endpoints vulnerable to abuse and DoS attacks
  • No protection against brute force attacks
  • Missing throttling for expensive operations

Recommendation:

Implement rate limiting with libraries like rate-limiter-flexible or @upstash/ratelimit.
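As an added example (not VibeCheck's own code and not one of the libraries named above), here is the mitigation side in TypeScript: a sliding-window limiter wrapped around a route handler so over-limit callers receive 429 before the expensive work runs. The limits, the fake clock and the mock request/response shapes are this example's assumptions; a production deployment keeps the counters in a shared store such as Redis so they survive restarts and apply across instances.

```typescript
// Added example, not VibeCheck's own code and not one of the libraries the
// README recommends: an in-memory sliding-window limiter wrapped around a route
// handler. The limits, the fake clock and the mock request/response shapes are
// this example's assumptions; a real deployment keeps the counters in a shared
// store such as Redis.

interface RateLimitDecision {
  allowed: boolean;
  remaining: number;
  retryAfterMs: number;
}

class SlidingWindowLimiter {
  private readonly limit: number;
  private readonly windowMs: number;
  private readonly now: () => number;
  private hits: Record<string, number[]> = {};

  constructor(limit: number, windowMs: number, now: () => number = () => Date.now()) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
  }

  // Record one request for `key` and decide whether it is within the limit.
  check(key: string): RateLimitDecision {
    const t = this.now();
    const recent = (this.hits[key] || []).filter((ts) => ts > t - this.windowMs);
    if (recent.length >= this.limit) {
      this.hits[key] = recent;
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + this.windowMs - t };
    }
    recent.push(t);
    this.hits[key] = recent;
    return { allowed: true, remaining: this.limit - recent.length, retryAfterMs: 0 };
  }
}

interface ApiResponse {
  status: number;
  headers: Record<string, string>;
  body: string;
}

// Guard a handler: key on the client identity and reject over-limit callers with 429.
// Trust X-Forwarded-For for the key only when your own proxy sets it; otherwise use the socket address.
function withRateLimit(limiter: SlidingWindowLimiter, clientKey: string, handler: () => ApiResponse): ApiResponse {
  const decision = limiter.check(clientKey);
  const headers: Record<string, string> = { "X-RateLimit-Remaining": String(decision.remaining) };
  if (!decision.allowed) {
    headers["Retry-After"] = String(Math.ceil(decision.retryAfterMs / 1000));
    return { status: 429, headers, body: "Too Many Requests" };
  }
  const res = handler();
  return { ...res, headers: { ...res.headers, ...headers } };
}

// Stand-in for an expensive route body (for instance a call to a paid AI API).
function expensiveHandler(): ApiResponse {
  return { status: 200, headers: {}, body: "completion" };
}

// Demo with a fake clock: 3 requests per minute per client.
let demoClock = 1000000;
const demoLimiter = new SlidingWindowLimiter(3, 60000, () => demoClock);
for (let i = 0; i < 5; i++) {
  const r = withRateLimit(demoLimiter, "203.0.113.7", expensiveHandler);
  console.log(`request ${i + 1}: ${r.status} remaining=${r.headers["X-RateLimit-Remaining"]}`);
}
```

The clock is injected so the window behaviour can be tested deterministically; the same shape lets a checker's own tests confirm that a guarded route really refuses the fourth call within the window and accepts again once it has passed.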

Configuration

VibeCheck can be configured using a configuration file. The following file formats are supported:

  • vibecheck.config.js (JavaScript)
  • vibecheck.config.json (JSON)
  • .vibecheckrc (JSON)
  • .vibecheckrc.json (JSON)
  • .vibecheckrc.js (JavaScript)

You can generate a basic configuration file using:

npx vibecheck init

Or with specific configurations:

npx vibecheck init --type next

Available config types:

  • basic - Basic recommended settings
  • strict - More strict security settings
  • next - Settings optimized for Next.js projects
  • supabase - Settings optimized for Supabase projects

Configuration Options

{
  "extends": "vibecheck:recommended", // Extend a built-in config
  "ignorePatterns": [ // Glob patterns to ignore
    "**/node_modules/**",
    "**/dist/**",
    "**/build/**"
  ],
  "skipCheckers": [ // Checkers to skip
    "api-key-checker"
  ],
  "severityOverrides": [ // Override severity for specific issues
    {
      "id": "jwt-storage-checker",
      "severity": "critical"
    }
  ],
  "ignoreIssues": [ // IDs of specific issues to ignore
    "specific-issue-id"
  ],
  "reportOptions": { // Options for reports
    "format": "html",
    "showPassed": false
  },
  "checkerOptions": { // Options for specific checkers
    "nextJs": {
      "checkPublicEnv": true
    },
    "supabase": {
      "checkRls": true
    },
    "apiKey": {
      "additionalPatterns": [
        {
          "service": "Custom API",
          "pattern": "custom-[a-z0-9]{32}",
          "recommendation": "Store custom API keys in environment variables"
        }
      ]
    }
  }
}

Built-in Configurations

VibeCheck comes with several built-in configurations:

  • vibecheck:recommended - Default recommended settings
  • vibecheck:strict - More strict security settings
  • vibecheck:next - Settings optimized for Next.js projects
  • vibecheck:supabase - Settings optimized for Supabase projects

You can extend these in your configuration:

{
  "extends": "vibecheck:recommended",
  "ignorePatterns": ["**/my-specific-pattern/**"]
}
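As an added example (not VibeCheck's own code), here is one way the resolution of extends and the other options above could be implemented in TypeScript and applied to a list of findings. The merge rules (list options are unioned, reportOptions are shallow-merged with the child winning, the last matching severityOverride wins) and the placeholder contents of the built-in configs are this example's assumptions; the real built-in settings are not documented here.

```typescript
// Added example, not VibeCheck's own code: resolve a config that uses
// `extends`, then apply it to a list of findings. The merge rules and the
// stand-in contents of the built-in configs are this example's assumptions.

interface SeverityOverride { id: string; severity: string; }

interface VibeConfig {
  extends?: string;
  ignorePatterns?: string[];
  skipCheckers?: string[];
  severityOverrides?: SeverityOverride[];
  ignoreIssues?: string[];
  reportOptions?: { format?: string; showPassed?: boolean };
}

interface Finding {
  id: string;        // issue id (constructed, e.g. "no-rate-limit-login")
  checker: string;   // checker id from the README, e.g. "api-key-checker"
  severity: string;
  passed: boolean;
  message: string;
}

// Placeholders for the built-in configs; their real contents are not documented on the page.
const BUILTIN_CONFIGS: Record<string, VibeConfig> = {
  "vibecheck:recommended": {
    ignorePatterns: ["**/node_modules/**", "**/dist/**"],
    reportOptions: { format: "markdown", showPassed: true },
  },
  "vibecheck:strict": {
    extends: "vibecheck:recommended",
    severityOverrides: [{ id: "jwt-storage-checker", severity: "critical" }],
    reportOptions: { showPassed: false },
  },
};

function union(a: string[] | undefined, b: string[] | undefined): string[] {
  const all = (a || []).concat(b || []);
  return all.filter((x, i) => all.indexOf(x) === i);
}

// Walk the extends chain, refusing cycles, and merge parent into child.
function resolveConfig(cfg: VibeConfig, seen: string[] = []): VibeConfig {
  if (!cfg.extends) return cfg;
  if (seen.indexOf(cfg.extends) !== -1) throw new Error("circular extends: " + cfg.extends);
  const base = BUILTIN_CONFIGS[cfg.extends];
  if (!base) throw new Error("unknown base config: " + cfg.extends);
  const parent = resolveConfig(base, seen.concat(cfg.extends));
  return {
    ignorePatterns: union(parent.ignorePatterns, cfg.ignorePatterns),
    skipCheckers: union(parent.skipCheckers, cfg.skipCheckers),
    ignoreIssues: union(parent.ignoreIssues, cfg.ignoreIssues),
    severityOverrides: (parent.severityOverrides || []).concat(cfg.severityOverrides || []),
    reportOptions: { ...(parent.reportOptions || {}), ...(cfg.reportOptions || {}) },
  };
}

// Drop skipped checkers and ignored issues, hide passed checks if requested, apply overrides.
function applyConfig(findings: Finding[], cfg: VibeConfig): Finding[] {
  const resolved = resolveConfig(cfg);
  const skip = resolved.skipCheckers || [];
  const ignore = resolved.ignoreIssues || [];
  const overrides = resolved.severityOverrides || [];
  const showPassed = resolved.reportOptions && resolved.reportOptions.showPassed === false ? false : true;
  return findings
    .filter((f) => skip.indexOf(f.checker) === -1 && ignore.indexOf(f.id) === -1)
    .filter((f) => showPassed || !f.passed)
    .map((f) => {
      let severity = f.severity;
      for (const o of overrides) {
        if (o.id === f.id || o.id === f.checker) severity = o.severity; // later entries win
      }
      return { ...f, severity };
    });
}

// Constructed findings and user config for the demo.
const SAMPLE_FINDINGS: Finding[] = [
  { id: "jwt-in-localstorage", checker: "jwt-storage-checker", severity: "high", passed: false, message: "JWT stored in localStorage" },
  { id: "openai-key-in-source", checker: "api-key-checker", severity: "critical", passed: false, message: "OpenAI key literal in src/ai.ts" },
  { id: "rls-enabled-profiles", checker: "supabase-rls-checker", severity: "info", passed: true, message: "RLS enabled on profiles" },
  { id: "no-rate-limit-login", checker: "rate-limit-checker", severity: "medium", passed: false, message: "POST /api/login has no rate limit" },
];

const USER_CONFIG: VibeConfig = {
  extends: "vibecheck:strict",
  skipCheckers: ["api-key-checker"],
  ignoreIssues: ["no-rate-limit-login"],
};

for (const f of applyConfig(SAMPLE_FINDINGS, USER_CONFIG)) {
  console.log(`${f.severity.toUpperCase()} [${f.checker}] ${f.message}`);
}
```

Worth noting when tuning a config of this kind: skipCheckers and ignoreIssues silence findings rather than fix them, so a team should treat entries there as reviewed exceptions, and an `extends` that points at a strict base can lower the noise (hidden passed checks) while still raising severities the base considers critical.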

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

  1. Fork the repository
  2. Create your feature branch (git checkout -b feature/amazing-feature)
  3. Commit your changes (git commit -m 'Add some amazing feature')
  4. Push to the branch (git push origin feature/amazing-feature)
  5. Open a Pull Request

License

This project is licensed under the MIT License - see the LICENSE file for details.