@tomi_tom/packward
v0.2.0
Published
Audit what `npm publish` would actually ship — catch leaked .env/secrets and broken entry points before you publish.
Downloads
285
Maintainers
Readme
packward
Audit what npm publish would actually ship — before you ship it. Catch leaked .env/secrets and broken entry points.
npm pack --dry-run lists the files. publint checks your exports resolve. Neither tells you that you're about to publish your .env, a private key, or a main that points to a file you don't ship. packward does.
npx packward packward [email protected] · 5 file(s) · 1 kB
error .env ships .env — environment files usually hold secrets (secret-file)
error dist/index.js contains a possible API secret key (secret-content)
error lib/index.js "main" points to lib/index.js, which is NOT in the published files (broken-entry)
error secrets/server.key looks like a private key / credential (key-file)
warning no README in the package (no-readme)
4 errors, 1 warningExit code 1 on any error → drop it into prepublishOnly or a pre-push hook.
What it catches
Leaks (errors)
.env/.env.production/.env.distand other environment files.npmrc,.git-credentials,.netrc,.ssh/.aws/.gnupgdirectories- private keys & credentials (
*.pem,*.key,id_rsa, …) - secret content — AWS keys, private-key blocks, GitHub/Slack/OpenAI tokens, npm auth tokens and hardcoded
apiKey = "…"inside shipped files
Broken packages (errors)
main/module/types/bin/exportspointing at a file that won't be published
Hygiene (warnings)
- no README, no LICENSE
- shipped tests, source maps, dev configs, editor/CI files
- no
fileswhitelist and no.npmignore— publishing by default-include, the #1 cause of accidental leaks
How it works
packward runs npm pack --dry-run --json --ignore-scripts to get the exact file list npm would publish (no re-implementing the files/.npmignore/.gitignore rules), then audits that list. --ignore-scripts means auditing a package never runs its prepack/prepare scripts — safe on untrusted code.
Usage
packward [dir] # audit the package in <dir> (default: cwd)
--json # machine-readable output
--no-fail # report only, always exit 0prepublishOnly guard
{ "scripts": { "prepublishOnly": "packward" } }Develop
pnpm install
pnpm test # vitest — the auditor + secret scanner
pnpm typecheck
pnpm build # → dist/The auditor (src/audit.ts) and secret scanner (src/secrets.ts) are pure, fully unit-tested; src/pack.ts is the thin npm integration.
Free vs Pro
- Free — the full auditor: secret/leak detection, broken entry points, hygiene warnings, exit codes.
- Pro (planned) — a GitHub Action, an allow/deny rule config, organization secret-pattern packs, and SARIF output.
License
MIT
