npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@v12sh/cli

v0.3.6

Published

command-line client for the v12 public REST API

Readme

v12 CLI

Command-line client for the v12 public REST API — start security audits, watch runs, and triage findings without leaving the terminal.

Install

npm install -g @v12sh/cli
# or run it ad hoc
npx @v12sh/cli --help

Requires Node 20.19+ (Bun works too).

Authenticate

Create a personal access token at v12.sh under Settings → Developer, then:

v12 auth login    # paste the token when prompted; validated before saving
v12 auth status   # where credentials come from and whether they work

The token is stored in ~/.config/v12/config.json. Two environment variables override it:

| Variable | Effect | |---|---| | V12_API_TOKEN | Use this token instead of the stored one (CI-friendly) | | V12_API_URL | Point the CLI at a different deployment |

Usage

v12 me                                      # account, org, credit balance, scopes
v12 repos --search engine                   # list repositories

v12 runs estimate --repo owner/name         # quote: scope files + cost, no run created
v12 runs estimate --zip ./src.zip           # uploads, quotes, prints a --zip-uid for reuse

v12 runs create --name "audit" --repo owner/name --branch main
v12 runs create --name "audit" --zip ./src.zip --paths contracts/
v12 runs create -y --name "audit" --zip-uid 87 # reuse the upload from a prior estimate

# Diff reviews — quote and audit a change instead of the full target:
v12 runs estimate --repo owner/name --from-ref main --to-ref feature
v12 runs create --name "pr review" --repo owner/name --from-ref main --to-ref feature
v12 runs create --name "patch review" --repo owner/name --from-ref main --patch ./fix.patch
v12 runs create --name "zip diff" --zip-uid 87 --patch-uid <uuid>   # reuse a quoted patch
v12 runs list
v12 runs watch 42                           # poll until completed/failed
v12 runs report 42 --markdown
v12 runs cancel 42
v12 runs share 42 --email [email protected]

v12 findings list 42 --severity critical --severity high
v12 findings get 42 7
v12 findings update 42 7 --validity acknowledged --reason "tracked in JIRA-123"
v12 findings fix 42 7
v12 findings poc 42 7
v12 findings comment 42 7 -m "false positive, see thread"

runs create shows the resolved scope (every file the audit will cover) and the quoted cost, then asks for confirmation before creating the run. GitHub creates are pinned to the sha the quote was computed for.

Scripting

runs create is interactive: it shows the resolved scope (every file the audit will cover) and the quoted cost, then asks for confirmation before creating the run. GitHub creates are pinned to the sha the quote was computed for, and a --patch quoted during confirmation is created via its stored patchUid so the run reviews the byte-identical patch. Use -y/--yes, --json, or non-TTY stdin to create directly without prompting.

Diff reviews take --from-ref plus one change source: --to-ref (GitHub only), --patch <file>, or --patch-uid <uuid> from a prior estimate. Zip diff reviews use --patch or --patch-uid without refs. Diff reviews cannot be combined with --branch/--sha.

  • Every command accepts --json for machine-readable output.
  • With -y/--yes, --json, or non-TTY stdin, runs create skips the confirmation prompt.
  • v12 runs watch exits 0 when the run completes and non-zero when it fails or is cancelled — usable directly as a CI gate.