@vibecheck-ai/cli
v25.0.4
VibeCheck CLI — the code intelligence layer for AI-built software. Truth-grounded, runtime-aware, multi-agent. Verifies AI-generated code across 16+ engines: phantom deps, ghost routes, hallucinated APIs, secrets, and runtime drift.
VibeCheck CLI
The code intelligence layer for AI-built software.
Truth-grounded. Runtime-aware. Multi-agent.
VibeCheck verifies what your AI ships — across 16+ engines, runtime probes, and live truthpack context. Catches phantom dependencies, ghost API routes, fake SDK methods, credential leaks, and silent failures — before they ship.
Why VibeCheck?
Every AI coding tool — Cursor, Copilot, Claude, Windsurf, ChatGPT — produces code that compiles, passes lint, and looks correct. Then it breaks in production.
```
fetch('/api/payments/confirm')       → Endpoint never implemented. 404 in prod.
catch (err) { }                      → Error silently swallowed. Data lost.
{ revenue: 99999 }                   → Hardcoded mock. Dashboard lies to users.
STRIPE_SECRET_KEY in client bundle   → Credential leaked to every browser.
```

Your linter says it's fine. TypeScript says it's fine. PR review says it's fine.
VibeCheck catches what they miss. 16+ detection engines. One command. Zero config.
Quick Start
```bash
# Scan your project (no install required)
npx @vibecheck-ai/cli scan .

# Or install globally
npm install -g @vibecheck-ai/cli
vibecheck scan .

# Shorthand alias
vc scan .
```

That's it. No config files. No API keys. No setup wizard.
API compatibility
When you sign in and use server-backed daily scan limits, the CLI must be a current release (24.x or newer as of this major). The API rejects legacy clients without up-to-date scan metering headers. If you see SCAN_CLIENT_UPGRADE_REQUIRED, run npm i -g @vibecheck-ai/cli@latest (or use npx @vibecheck-ai/cli@latest).
16+ Detection Engines
Every engine is purpose-built for a specific failure mode that traditional tools miss. These map to the engines registered by the CLI FileRunner (workspace engines + baseline registry).
| # | Engine | What it catches |
|:---:|:---|:---|
| 1 | Undefined env vars | process.env references not backed by your env / truthpack |
| 2 | Ghost routes | fetch and client calls to API paths with no handler |
| 3 | Phantom dependencies | Imports of packages not declared or not resolvable |
| 4 | API hallucinations | SDK or API usage that does not exist for your stack |
| 5 | Hardcoded secrets | Keys, tokens, and passwords committed to source |
| 6 | Security vulnerabilities | Injection, XSS, SSRF, weak crypto, and related OWASP-style issues |
| 7 | Fake features | Placeholder flags, empty handlers, mock data in prod paths |
| 8 | Version mismatches | APIs used in ways incompatible with installed package versions |
| 9 | Logic gaps | Contradictory or impossible control flow |
| 10 | Error-handling gaps | Swallowed errors, risky try/catch shape, unchecked async results |
| 11 | Incomplete implementation | Stubs, empty bodies, and unfinished paths |
| 12 | Type contracts | Types asserted vs actual JSON/API shape mismatches |
| 13 | Security patterns | Unprotected routes, CSRF, JWT misuse, redirects, CSP gaps |
| 14 | Performance anti-patterns | N+1 queries, sync I/O in async paths, fetch-in-render, and similar |
Commands
vibecheck scan
Scan a file or directory for all findings.
```bash
vibecheck scan .
vibecheck scan src/
vibecheck scan src/api.ts
```

| Flag | Default | Description |
|:---|:---:|:---|
| --json | — | Output findings as JSON |
| --no-color | — | Disable ANSI color output |
| --threshold <n> | 75 | Minimum confidence to include a finding (0–100) |
```
VibeCheck Scan
3 files · 5 findings · 412ms
──────────────────────────────────────────────────────
src/lib/payments.ts
──────────────────────────────────────────────────────
✗ CRIT  CRED001  line 12  Stripe live secret key hardcoded
        Move to process.env.STRIPE_SECRET_KEY
✗ HIGH  SEC001   line 34  SQL injection: template literal in query
        Use parameterized queries
src/api/routes.ts
──────────────────────────────────────────────────────
✗ CRIT  GRT001   line 8   Ghost route: /api/payments/confirm has no handler
        Closest match: /api/payment/confirm (did you mean this?)
──────────────────────────────────────────────────────
5 findings · 2 critical · 2 high · 1 medium
```

```json
{
  "findings": [
    {
      "id": "...",
      "engine": "credentials",
      "severity": "critical",
      "ruleId": "CRED001",
      "file": "src/lib/payments.ts",
      "line": 12,
      "message": "Stripe live secret key hardcoded",
      "evidence": "const key = 'sk_live_abc123...'",
      "suggestion": "Move to process.env.STRIPE_SECRET_KEY",
      "confidence": 0.99
    }
  ],
  "meta": {
    "filesScanned": 3,
    "totalFindings": 5,
    "durationMs": 412
  }
}
```

vibecheck score
Compute a 0–100 trust score with letter grade and ship/no-ship verdict.
```bash
vibecheck score .
vibecheck score src/ --json
```

| Flag | Default | Description |
|:---|:---:|:---|
| --json | — | Output score as JSON |
| --no-color | — | Disable color |
```
VibeCheck Trust Score
3 files · 5 findings · 412ms
[██████████████████░░░░░░░░░░░░] 72/100 (C)
Verdict   REVIEW
Mixed reliability. Manual review recommended before shipping.
Findings  2 critical · 2 high · 1 other
────────────────────────────────────────────────────────
Dimensions
API Integrity      [████████████████░░░░] 80
Dependency Safety  [██████████████░░░░░░] 70
Env Coverage       [████████████████████] 100
Contract Health    [████████████░░░░░░░░] 60
────────────────────────────────────────────────────────
Score Reducers (3 total)
-15  1 critical Hardcoded Secrets finding — blocks shipping (CRED001)
 -8  1 high Security Vulnerabilities finding (SEC001)
 -5  1 high Ghost Routes finding (GRT001)
────────────────────────────────────────────────────────
▲ Run vibecheck scan to review flagged issues before shipping.
```

vibecheck guard
CI gatekeeper. Scan and exit with code 1 if the trust score is below threshold or critical findings exist.
```bash
vibecheck guard .
vibecheck guard . --threshold 80
vibecheck guard . --fail-on critical
vibecheck guard . --fail-on none   # Never fail, just report
```

| Flag | Default | Description |
|:---|:---:|:---|
| --threshold <n> | 70 | Minimum score to pass |
| --fail-on <level> | critical | Fail on: critical, high, any, none |
| --json | — | Output report as JSON |

| Exit Code | Meaning |
|:---:|:---|
| 0 | Passed — score above threshold, no blocking findings |
| 1 | Failed — score below threshold or critical finding found |
| 2 | Error — invalid arguments or scan error |
vibecheck roast
Scan and deliver a brutal, opinionated summary of how AI-generated the code looks.
```bash
vibecheck roast .
vibecheck roast src/
```

```
VibeCheck Roast
──────────────────────────────────────────────────────────
Let me be direct: this codebase has AI fingerprints all over it.
The Worst Offender
src/lib/payments.ts — 3 findings, trust score 42
Stats
┌─────────────────────────────────┐
│ Trust Score        42/100  F    │
│ Hallucinations     3            │
│ Phantom Deps       1            │
│ Hardcoded Creds    1            │
│ Security Issues    2            │
└─────────────────────────────────┘
Hallucination density: 1 issue per 47 lines. That's a lot.
──────────────────────────────────────────────────────────
Run vibecheck scan for the full breakdown.
```

vibecheck context
Intent-aware codebase intelligence. Query your code by natural language, evolve from provenance, and get proactive context hints.
```bash
vibecheck context --evolve
vibecheck context --intent "authentication"
vibecheck context --intent "where do we handle auth" --semantic
vibecheck context --proactive --file packages/api/src/routes/auth.ts
```

| Flag | Description |
|:---|:---|
| --evolve | Learn from provenance (edits.jsonl); write co-edits, sequences, outcome scores to learned.json |
| --intent <query> | Query codebase by natural language → files, symbols |
| --semantic | Use embeddings for intent query (slower, finds conceptually related code) |
| --proactive | Proactive context for focused file |
| --file <path> | Focused file path (required with --proactive) |
| --json | Machine-readable output |
CI/CD Integration
GitHub Actions
```yaml
# .github/workflows/vibecheck.yml
name: VibeCheck
on: [pull_request]
jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # npx resolves the latest published release unless a version is given,
      # e.g. @vibecheck-ai/cli@25.0.4 for a reproducible gate.
      - run: npx @vibecheck-ai/cli guard . --threshold 70
```

Pre-commit Hook

```bash
# .husky/pre-commit
vibecheck guard . --fail-on critical
```

package.json Scripts

```json
{
  "scripts": {
    "vibecheck": "vibecheck scan .",
    "vibecheck:guard": "vibecheck guard . --threshold 70",
    "vibecheck:score": "vibecheck score ."
  }
}
```

Output Formats
All commands support --json for machine-readable output. The JSON schema is stable across patch versions.
```ts
interface Finding {
  id: string;
  engine: string;
  severity: 'critical' | 'high' | 'medium' | 'low';
  ruleId: string;
  category: string;
  file: string;
  line: number;
  column: number;
  message: string;
  evidence: string;      // the offending code snippet
  suggestion?: string;   // how to fix it
  confidence: number;    // 0.0–1.0
  autoFixable: boolean;
}
```

The underlying FileRunner supports SARIF 2.1.0 for GitHub Code Scanning integration. Use --json and pipe to a SARIF converter, or use the GitHub Action which handles this automatically.
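
The conversion described above, as an added example that is not VibeCheck's own converter: a Node.js mapping from the `--json` findings to SARIF 2.1.0 that masks quoted literals in `evidence`, because that field carries the offending snippet and a CRED001 finding would otherwise copy the key into the report. `LEVEL`, `redact`, `toSarif`, the severity-to-level mapping and the `ghost-routes` engine name in the sample are assumptions.

```javascript
// Added example, not VibeCheck's own converter. Field names follow the Finding
// interface above; LEVEL, redact and toSarif are hypothetical helpers.
const LEVEL = { critical: 'error', high: 'error', medium: 'warning', low: 'note' };

// Mask quoted string literals so a hardcoded key in `evidence` is not copied
// into the report, CI logs or uploaded artifacts.
function redact(evidence) {
  return String(evidence ?? '').replace(/(['"`])(?:(?!\1).)*\1/g, '$1[REDACTED]$1');
}

function toSarif(report, toolVersion) {
  const rules = new Map();
  const results = (report.findings ?? []).map((f) => {
    if (!rules.has(f.ruleId)) {
      rules.set(f.ruleId, { id: f.ruleId, properties: { engine: f.engine } });
    }
    // SARIF lines and columns are 1-based; omit the column when it is absent.
    const region = { startLine: Math.max(1, f.line || 1) };
    if (f.column > 0) region.startColumn = f.column;
    if (f.evidence) region.snippet = { text: redact(f.evidence) };
    return {
      ruleId: f.ruleId,
      level: LEVEL[f.severity] ?? 'warning',
      message: { text: f.suggestion ? `${f.message}. ${f.suggestion}` : f.message },
      locations: [{ physicalLocation: { artifactLocation: { uri: f.file }, region } }],
      properties: { confidence: f.confidence },
    };
  });
  const driver = { name: 'VibeCheck', version: toolVersion, rules: [...rules.values()] };
  return {
    $schema: 'https://json.schemastore.org/sarif-2.1.0.json',
    version: '2.1.0',
    runs: [{ tool: { driver }, results }],
  };
}

// Constructed sample input, modelled on the scan output shown earlier on this page.
const sample = {
  findings: [
    { engine: 'credentials', severity: 'critical', ruleId: 'CRED001',
      file: 'src/lib/payments.ts', line: 12, message: 'Stripe live secret key hardcoded',
      evidence: "const key = 'sk_live_abc123...'",
      suggestion: 'Move to process.env.STRIPE_SECRET_KEY', confidence: 0.99 },
    { engine: 'ghost-routes', severity: 'critical', ruleId: 'GRT001',
      file: 'src/api/routes.ts', line: 8, confidence: 0.9,
      message: 'Ghost route: /api/payments/confirm has no handler' },
  ],
};
console.log(JSON.stringify(toSarif(sample, '25.0.4'), null, 2));
```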
Configuration
Ignore Patterns
Create .vibecheckignore at your project root:
```
# Ignore generated files
src/generated/**

# Ignore specific file
src/legacy/old-api.ts

# Wildcards
**/*.test.ts
```

Environment Variables
| Variable | Description |
|:---|:---|
| NO_COLOR | Disable color output (same as --no-color) |
| VIBECHECK_THRESHOLD | Default confidence threshold |
| VIBECHECK_WORKSPACE | Override workspace root detection |
Shell Completion
```bash
# Bash
eval "$(vibecheck completion bash)"

# Zsh
eval "$(vibecheck completion zsh)"
```

Available on 4 Surfaces
| Surface | Install | Use case |
|:---|:---|:---|
| CLI (you are here) | npm i -g @vibecheck-ai/cli | CI/CD pipelines, terminal workflows, scripting |
| VS Code Extension | Marketplace | Interactive scanning, sidebar dashboard, inline fixes |
| MCP Server | npx @vibecheck-ai/mcp | AI agent integration (Cursor, Claude, etc.) |
| GitHub Action | vibecheck-ai/action@v2 | Pull request verification, deployment gating |
Language Support
TypeScript · JavaScript · React · Vue · Svelte · Next.js · Python · Go · Rust
Privacy & Security
- All scanning runs locally on your machine
- Zero code is transmitted — ever
- Works fully offline and in air-gapped environments
- No telemetry on your code. Engines run in-process.
Build with AI. Ship with proof.
vibecheckai.dev
MIT License · Copyright 2024–2026 VibeCheck AI
