npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

bolt-hash

v1.2.0

Published

TUI/CLI tool for JS/TS obfuscation, byte encoding, and runtime integrity protection

Downloads

192

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Maintainers

mynamezxcmynamezxc

Keywords

obfuscatorhashintegritynodejstypescripttui

Readme

bolt-hash

Protect your Node.js / TypeScript source code — obfuscates, byte-encodes, and integrity-locks every file. Any tampering with the output causes an immediate crash at startup.

Powered by Mynamezxc

Requirements

  • Node.js ≥ 18

Installation

npm install -g bolt-hash

Quick Start

[Your source project]  ──►  bolt-hash  ──►  [Protected output]  ──►  bolt start

Step 1 — Protect your project

Run this command from anywhere (you will be prompted for paths):

bolt-hash

You can also use the alias: bolt

The TUI will ask these questions:

Source directory to protect [/your/project]:
Output directory [/your/project/protected_output]:
Extra excludes (comma-separated globs, leave empty to skip) []:
Enable signed manifest protection (recommended) [Y/n]:
Manifest signing secret (required for bolt start verification):
Clean output directory before building? [Y/n]:

Example session:

Source directory to protect [C:\my-app]: C:\my-app
Output directory [C:\my-app\protected_output]:          ← press Enter to accept default
Extra excludes [...]:                                    ← press Enter to skip
Clean output directory before building? [Y/n]: Y

✅ Protection complete.
- Total files scanned : 10
- Code files protected : 7
- Asset files copied  : 3
- Hash manifest       : C:\my-app\protected_output\__bolt_manifest.json
- Integrity checker   : C:\my-app\protected_output\__bolt_integrity.js
- Elapsed             : 1240ms

What you get in the output folder:

protected_output/
├── src/
│   └── index.js          ← obfuscated + byte-encoded (unreadable)
├── package.json          ← copied; .ts scripts auto-patched to .js
├── package-lock.json     ← copied as-is
├── __bolt_manifest.json  ← SHA-256 hash of every protected file
└── __bolt_integrity.js   ← runtime integrity checker

When signed-manifest protection is enabled, __bolt_manifest.json also includes an HMAC signature. That signature prevents tampering where an attacker edits files, recomputes hashes, and replaces the manifest.

Step 2 — Deploy & run the protected output

cd protected_output

# Install dependencies (same as any Node project)
npm install

# Run with integrity check
bolt start

bolt start does the following every time before launching:

  1. Reads __bolt_manifest.json
  2. Verifies manifest signature (when signed) using BOLT_HASH_SECRET
  3. Recomputes SHA-256 of each protected code file
  4. If all checks pass → spawns npm start
  5. If signature/hash fails or any file is missing → crashes immediately

If the manifest is signed and BOLT_HASH_SECRET is missing, bolt start will ask for it. You can also provide it directly via environment variable:

# PowerShell
$env:BOLT_HASH_SECRET="your-secret"; bolt start

# Bash
BOLT_HASH_SECRET="your-secret" bolt start

If package.json has no scripts.start, bolt start will prompt you to enter a startup target. You can provide either a full command or a main file with arguments:

# Full command
python main.py --val 1

# Main file only (auto-detected runtime)
main.js --port 3000

Auto runtime rules for the entered main file:

  • .js/.cjs/.mjs → runs as node <file> ...args
  • .ts/.tsx/.mts/.cts → runs as node <file>.js ...args (after protection)
  • .py → runs as python <file> ...args
[BOLT-INTEGRITY] File has been modified or corrupted: src/index.js
Error: [BOLT-INTEGRITY] File has been modified or corrupted: src/index.js

Running other npm scripts

Use bolt run <script> instead of npm run <script>:

bolt run dev       # same as npm run dev, but verifies hash first
bolt run build
bolt run migrate

Workflow summary

| Step | Command | Where to run | |---|---|---| | Protect source | bolt-hash | source project directory | | Install deps | npm install | protected output directory | | Start app | bolt start (uses npm start or asks for startup target if missing) | protected output directory | | Run any script | bolt run <script> | protected output directory | | Re-protect after edit | bolt-hash again | source project directory |

Extra excludes

By default the following are always excluded from protection (never obfuscated):

node_modules · .git · .env · .env.* · dist · build · .next · .nuxt

package.json and lock files are copied to output (not excluded, not hashed).

You can add more patterns at the TUI prompt, e.g.:

Extra excludes: tests/**,docs/**,scripts/seed.ts

tsconfig path aliases

If your project uses compilerOptions.paths in tsconfig.json, bolt-hash resolves and rewrites them automatically:

{
  "compilerOptions": {
    "baseUrl": ".",
    "paths": {
      "@/*": ["src/*"]
    }
  }
}

import { foo } from '@/utils/foo' → rewritten to the correct relative path in output.

Known limitations

| Scenario | Status | |---|---| | Dynamic require(variable) | ⚠️ Cannot be statically analysed — left as-is | | Webpack / Vite / Bun custom loaders | ⚠️ Non-standard resolution not supported | | ESM package.json subpath exports | ⚠️ Not evaluated |