
auditclean v0.1.0

Cut npm audit down to what matters — production, high-severity, fixable vulnerabilities only. Zero dependencies.

auditclean

npm audit cries wolf. auditclean tells you what to actually fix. A typical audit report is ~80% noise — dev-only CVEs that never ship, transitive advisories with no available fix, low-severity findings buried under two screens of red text. auditclean keeps only what's actionable: production dependencies, at or above a severity threshold, with a fix available. Zero dependencies.

npx auditclean
auditclean — 2 of 47 advisories need action (≥ high, production, fixable)

  ● critical  lodash    <=4.17.20   Prototype Pollution in lodash    → npm audit fix
  ● high      minimist  <1.2.6      Prototype Pollution in minimist  → upgrade minimist to 1.2.8

45 hidden (below high · dev-only · no fix). See everything: auditclean --all

Why

npm audit was famously called "broken by design": it reports every advisory in your entire dependency tree, including ones in build tooling that never reach production and ones with no fix you can apply. The result is alert fatigue — a wall of output you learn to silence with || true in CI, which is exactly how a real critical slips through.

The existing alternatives want a config file (audit-filter), interactive prompts (npm-audit-resolver), or an account (a SaaS scanner). auditclean wants nothing: run it, get the short list.

How it works

By default it runs npm audit --omit=dev --json for you (so you only see production vulnerabilities), then filters to high+ severity with a fix:

auditclean                      # run audit, show prod high+ fixable
auditclean --level critical     # only critical
auditclean --all                # show everything (low+, dev, unfixable), just cleaned up

You can also feed it a report you already have:

npm audit --json | auditclean
npm audit --omit=dev --json | auditclean   # prod-only on piped input

It understands both npm audit JSON schemas — v2 (npm 7+, vulnerabilities) and v1 (npm 6, advisories) — and normalizes the fix advice, including isSemVerMajor upgrades flagged as (breaking).
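To make the normalize-then-filter step concrete, here is an added example in plain Node.js. It is not auditclean's own source and makes no claim to match its implementation; it shows one way to flatten both npm audit JSON schemas into a common shape and then keep only advisories at or above a severity threshold that have a fix. The two sample reports embedded at the bottom are constructed for this example, and the package names other than lodash and minimist (and the v1 advisory ids) are placeholders.

```javascript
// Added example, not auditclean's own code: reduce an `npm audit --json` report
// to the advisories that need action. Handles the npm 7+ schema (top-level
// `vulnerabilities`, per-entry `fixAvailable`) and the npm 6 schema (top-level
// `advisories`, per-entry `patched_versions` and `findings[].dev`).

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// npm 7+: fixAvailable is `true`, `false`, or `{ name, version, isSemVerMajor }`.
function fromV2(name, v) {
  const fix = v.fixAvailable;
  const advisory = (v.via || []).find((x) => typeof x === 'object');
  let advice = null;
  if (fix === true) advice = 'npm audit fix';
  else if (fix && typeof fix === 'object') {
    advice = `upgrade ${fix.name} to ${fix.version}` + (fix.isSemVerMajor ? ' (breaking)' : '');
  }
  return {
    name,
    severity: v.severity,
    range: v.range,
    title: advisory ? advisory.title : `via ${(v.via || []).join(', ')}`,
    fixable: Boolean(fix),
    advice,
    // The v2 schema does not mark dev-only vulns per entry; production filtering
    // has to come from running `npm audit --omit=dev`, not from this field.
    dev: false,
  };
}

// npm 6: patched_versions of "<0.0.0" means no fix; each finding carries a `dev` flag.
function fromV1(adv) {
  const findings = adv.findings || [];
  const fixable = Boolean(adv.patched_versions) && adv.patched_versions !== '<0.0.0';
  return {
    name: adv.module_name,
    severity: adv.severity,
    range: adv.vulnerable_versions,
    title: adv.title,
    fixable,
    advice: fixable ? `upgrade ${adv.module_name} to ${adv.patched_versions}` : null,
    dev: findings.length > 0 && findings.every((f) => f.dev === true),
  };
}

// Detect the schema by its top-level key and flatten to one list.
function normalize(report) {
  if (report && report.vulnerabilities) {
    return Object.entries(report.vulnerabilities).map(([name, v]) => fromV2(name, v));
  }
  if (report && report.advisories) {
    return Object.values(report.advisories).map(fromV1);
  }
  throw new Error('unrecognized npm audit JSON (no `vulnerabilities` or `advisories` key)');
}

// Keep only what is actionable: at/above `level`, fixable unless told otherwise,
// and not dev-only unless told otherwise.
function filterActionable(vulns, opts = {}) {
  const { level = 'high', includeUnfixable = false, includeDev = false } = opts;
  const min = SEVERITY_RANK[level];
  if (min === undefined) throw new Error(`unknown severity level: ${level}`);
  return vulns.filter((v) =>
    (SEVERITY_RANK[v.severity] || 0) >= min &&
    (includeUnfixable || v.fixable) &&
    (includeDev || !v.dev));
}

// CI gate: 1 when anything actionable remains, 0 otherwise.
// (A third code for errors would come from the exceptions thrown above.)
function exitCode(actionable) {
  return actionable.length > 0 ? 1 : 0;
}

function summarize(report, opts) {
  const all = normalize(report);
  const actionable = filterActionable(all, opts);
  return { total: all.length, actionable, hidden: all.length - actionable.length, code: exitCode(actionable) };
}

// Constructed sample in the npm 7+ shape (names other than lodash/minimist are placeholders).
const SAMPLE_V2 = {
  auditReportVersion: 2,
  vulnerabilities: {
    lodash: { severity: 'critical', range: '<=4.17.20',
      via: [{ title: 'Prototype Pollution in lodash', severity: 'critical' }], fixAvailable: true },
    minimist: { severity: 'high', range: '<1.2.6',
      via: [{ title: 'Prototype Pollution in minimist', severity: 'high' }],
      fixAvailable: { name: 'minimist', version: '1.2.8', isSemVerMajor: false } },
    'example-unfixable': { severity: 'high', range: '*',
      via: [{ title: 'Constructed advisory with no patched version' }], fixAvailable: false },
    'example-low': { severity: 'low', range: '<1.0.1', via: ['example-lowdep'],
      fixAvailable: { name: 'example-low', version: '2.0.0', isSemVerMajor: true } },
  },
};

// Constructed sample in the npm 6 shape (advisory ids '1' and '2' are placeholders).
const SAMPLE_V1 = {
  advisories: {
    '1': { module_name: 'lodash', severity: 'high', title: 'Prototype Pollution',
      vulnerable_versions: '<4.17.19', patched_versions: '>=4.17.19',
      findings: [{ version: '4.17.15', paths: ['lodash'], dev: false }] },
    '2': { module_name: 'example-devtool', severity: 'critical', title: 'Constructed dev-only advisory',
      vulnerable_versions: '<2.0.0', patched_versions: '<0.0.0',
      findings: [{ version: '1.0.0', paths: ['example-devtool'], dev: true }] },
  },
};

const result = summarize(SAMPLE_V2);
console.log(`${result.actionable.length} of ${result.total} advisories need action (>= high, fixable)`);
for (const v of result.actionable) {
  console.log(`  ${v.severity}  ${v.name}  ${v.range}  ${v.title}  -> ${v.advice}`);
}
console.log(`${result.hidden} hidden; exit code ${result.code}`);
```

The design point worth noting is in fromV2: because the npm 7+ schema carries no per-vulnerability dev flag, the dev filter can only ever act on npm 6 input, which is why production scoping on newer npm has to be done upstream with --omit=dev rather than in the filter.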

In CI

auditclean exits non-zero only when something actionable is left after filtering, so it gates on signal instead of noise:

# fails the build only on production, high+, fixable vulnerabilities
- run: npx auditclean

| Exit code | Meaning |
|-----------|---------|
| 0 | nothing actionable at the threshold |
| 1 | actionable vulnerabilities found |
| 2 | error (npm missing, unparseable input) |

Options

--level <sev>         minimum severity: low | moderate | high | critical (default: high)
--include-unfixable   also show vulns with no fix available
--include-dev         also include devDependencies (when reading piped full JSON)
--all                 shorthand for --level low --include-unfixable --include-dev
--format text|json    output format (default: text)
-v, --version
-h, --help

--format json emits { format, level, total, actionable, hidden, counts, vulnerabilities } for programmatic use.

Notes

  • Production filtering comes from running npm audit --omit=dev. If you pipe a full npm audit --json, the npm 7+ schema doesn't tag dev per-vulnerability, so dev-only advisories can't be separated after the fact; pipe npm audit --omit=dev --json instead to get the same result on stdin.
  • Zero dependencies. It shells out to your npm and parses JSON with the standard library. Nothing to install, nothing to audit.

Also available for Python

pip install auditclean
auditclean

Same filtering, same flags, same exit codes — auditclean-py. Handy in Python-based CI that audits a Node sub-project.

License

MIT