npm package discovery and stats viewer.


© 2026 – Pkg Stats / Ryan Hefner

ccip-safety-kit

v0.1.0

Published

TypeScript CLI for analyzing Solidity CCIP receiver contracts for common safety issues.

Readme

CCIP safety kit

TypeScript CLI for analyzing Solidity CCIP receiver contracts for common safety issues.

ccip-safety-kit is an early developer toolkit for catching obvious receiver-safety gaps before audit or deployment. It is designed as a practical proof of concept (PoC): fast to run, easy to understand, and lightweight enough for local development or CI.

Requires Node.js 18 or newer.

Local usage

If you just want to run the app locally:

npm install
npm run build
node ./dist/cli.js analyze ./examples

Useful local commands:

# shows CLI help and available flags
node ./dist/cli.js --help

# analyzes all Solidity examples in the examples/ folder
node ./dist/cli.js analyze ./examples

# analyzes only one Solidity file
node ./dist/cli.js analyze ./examples/unsafe-no-replay/UnsafeNoReplay.sol

# prints the same analysis as JSON instead of terminal text
node ./dist/cli.js analyze ./examples --json

What this does:

  • scans .sol files in the given path
  • checks for common CCIP receiver safety patterns
  • prints warnings and hints in the terminal
  • exits with code 1 if warning-level findings are detected

Command summary:

  • npm install: installs local Node.js dependencies
  • npm run build: compiles TypeScript from src/ into runnable JavaScript in dist/
  • node ./dist/cli.js --help: shows CLI usage and example commands
  • node ./dist/cli.js analyze ./examples: scans every Solidity file inside examples/
  • node ./dist/cli.js analyze <file-or-folder>: scans a custom Solidity file or directory
  • node ./dist/cli.js analyze ./examples --json: returns machine-readable JSON output

Why this tool exists

CCIP receiver contracts often repeat the same categories of mistakes:

  • missing messageId tracking
  • weak replay or duplicate execution handling
  • missing sender or source validation
  • no pause or emergency control
  • weak operational event visibility

This package gives teams a lightweight static pass before deeper review. It does not simulate the protocol and it does not replace a security audit.

Key features

  • CLI-first workflow with analyze <path>
  • TypeScript implementation with no heavy blockchain runtime
  • modular rule checks for common receiver safety patterns
  • readable terminal output
  • optional JSON output for scripting or CI
  • minimal Solidity fixtures for examples and rule development

Installation

Run once locally:

npm install
npm run build

Optional npm-style usage after publish:

npx ccip-safety-kit analyze ./contracts
npm install -g ccip-safety-kit
ccip-safety-kit analyze ./contracts

Published package examples:

npx ccip-safety-kit analyze ./contracts
npx ccip-safety-kit analyze ./contracts --json
ccip-safety-kit analyze ./src
ccip-safety-kit analyze ./src/Receiver.sol --json

Example output

ccip-safety-kit
Scanned 3 Solidity file(s), 3 contract(s)
Receiver-like contracts: 3

SafeReceiver  (examples/safe-receiver/SafeReceiver.sol)
  [OK] No obvious CCIP receiver safety issues detected.

UnsafeNoReplay  (examples/unsafe-no-replay/UnsafeNoReplay.sol)
  [WARN] Replay protection not detected.
  [HINT] Reject or ignore already processed messageIds before execution.
  [WARN] No messageId tracking found.
  [HINT] Add a bytes32 => bool mapping, for example processedMessages[messageId].
  [WARN] Duplicate execution prevention not detected.
  [HINT] Guard the receiver path so duplicate deliveries cannot execute business logic twice.
  [INFO] Pause or emergency control not detected.
  [HINT] Consider an admin-controlled pause switch for emergencies.
  [INFO] Missing structured processing events.
  [HINT] Emit a stable event such as MessageProcessed(bytes32 messageId, bool success).

Rule coverage

Current heuristic checks include:

  • messageId tracking
  • replay protection
  • duplicate execution prevention
  • sender or source validation
  • pause or emergency control
  • structured debug events
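To make the rule list above, the mistake categories under "Why this tool exists", and the exit-code behaviour under "What this does" concrete, here is an added example of how a heuristic scanner of this kind can work. It is written for this page and is not the ccip-safety-kit source: the rule names, regexes, severities, the two Solidity fixtures, and the function names analyzeSource, exitCodeFor and formatReport are all assumptions constructed for the illustration, and the real package's rules may differ. The scanner strips comments, decides whether a contract is receiver-like, applies one textual check per rule, and derives the exit code from warning-level findings.

```typescript
// Added example for this page: a minimal heuristic CCIP receiver scanner.
// It is NOT the ccip-safety-kit source; rule names, regexes, severities and
// the two Solidity fixtures below are assumptions constructed for illustration.

type Severity = "WARN" | "INFO";
interface Finding { rule: string; severity: Severity; hint: string; }
interface Report { contract: string; findings: Finding[]; }
interface Rule { name: string; severity: Severity; hint: string; satisfied: (src: string) => boolean; }

// Assumed rule set mirroring the "Rule coverage" list. Every check is textual,
// so it can be fooled in both directions; that is why it does not replace an audit.
const RULES: Rule[] = [
  { name: "messageId tracking", severity: "WARN",
    hint: "Add a bytes32 => bool mapping, for example processedMessages[messageId].",
    satisfied: (s) => /mapping\s*\(\s*bytes32\s*=>\s*bool\s*\)/.test(s) },
  { name: "replay protection", severity: "WARN",
    hint: "Reject or ignore already processed messageIds before execution.",
    satisfied: (s) => /(require|if)\s*\(\s*!?\s*\w+\[\s*\w*messageId\s*\]/i.test(s) },
  { name: "sender or source validation", severity: "WARN",
    hint: "Check sourceChainSelector and the decoded message.sender against an allowlist.",
    satisfied: (s) => /sourceChainSelector/.test(s) && /abi\.decode\s*\(\s*\w+\.sender/.test(s) },
  { name: "pause or emergency control", severity: "INFO",
    hint: "Consider an admin-controlled pause switch for emergencies.",
    satisfied: (s) => /whenNotPaused|\bpaused\b/.test(s) },
  { name: "structured processing events", severity: "INFO",
    hint: "Emit a stable event such as MessageProcessed(bytes32 messageId, bool success).",
    satisfied: (s) => /event\s+\w+\s*\(\s*bytes32\s+(indexed\s+)?\w*[mM]essageId/.test(s) },
];

// Drop block and line comments so a TODO note cannot satisfy a rule.
function stripComments(src: string): string {
  return src.replace(/\/\*[\s\S]*?\*\//g, "").replace(/\/\/[^\n]*/g, "");
}

// Receiver-like: overrides _ccipReceive or inherits CCIPReceiver.
function isReceiverLike(src: string): boolean {
  return /function\s+_ccipReceive\s*\(/.test(src) || /\bis\b[^{]*\bCCIPReceiver\b/.test(src);
}

// One report per contract; non-receiver contracts get no findings.
function analyzeSource(source: string): Report {
  const src = stripComments(source);
  const m = /contract\s+(\w+)/.exec(src);
  const contract = m ? m[1] : "<unknown>";
  if (!isReceiverLike(src)) return { contract, findings: [] };
  const findings = RULES.filter((r) => !r.satisfied(src))
    .map((r) => ({ rule: r.name, severity: r.severity, hint: r.hint }));
  return { contract, findings };
}

// Same convention as the CLI described above: 1 when any WARN finding exists.
function exitCodeFor(reports: Report[]): number {
  return reports.some((r) => r.findings.some((f) => f.severity === "WARN")) ? 1 : 0;
}

// Terminal-style lines in the shape of the "Example output" section.
function formatReport(r: Report): string[] {
  if (r.findings.length === 0) return [r.contract, "  [OK] No obvious CCIP receiver safety issues detected."];
  const lines = [r.contract];
  for (const f of r.findings) lines.push(`  [${f.severity}] ${f.rule} not detected.`, `  [HINT] ${f.hint}`);
  return lines;
}

// Constructed fixture: no replay guard, no sender check, no pause, no event.
const UNSAFE_RECEIVER = `
pragma solidity ^0.8.20;
contract UnsafeNoReplay is CCIPReceiver {
    uint256 public total;
    constructor(address router) CCIPReceiver(router) {}
    function _ccipReceive(Client.Any2EVMMessage memory message) internal override {
        total += abi.decode(message.data, (uint256)); // runs on every delivery, duplicates included
    }
}`;

// Constructed fixture: the hardened counterpart of the contract above.
const SAFE_RECEIVER = `
pragma solidity ^0.8.20;
contract SafeReceiver is CCIPReceiver {
    error AlreadyProcessed(bytes32 messageId);
    event MessageProcessed(bytes32 indexed messageId, bool success);
    mapping(bytes32 => bool) public processedMessages;
    mapping(uint64 => address) public trustedSenders; // chain selector => allowed sender
    address public owner;
    bool public paused;
    uint256 public total;
    modifier whenNotPaused() { require(!paused, "paused"); _; }
    constructor(address router) CCIPReceiver(router) { owner = msg.sender; }
    function setPaused(bool value) external { require(msg.sender == owner, "not owner"); paused = value; }
    function _ccipReceive(Client.Any2EVMMessage memory message) internal override whenNotPaused {
        bytes32 messageId = message.messageId;
        if (processedMessages[messageId]) revert AlreadyProcessed(messageId);
        address sender = abi.decode(message.sender, (address));
        require(trustedSenders[message.sourceChainSelector] == sender, "untrusted source");
        processedMessages[messageId] = true; // mark before acting
        total += abi.decode(message.data, (uint256));
        emit MessageProcessed(messageId, true);
    }
}`;

// Stand-alone run: print both reports, then the exit code the CLI would use.
const reports = [UNSAFE_RECEIVER, SAFE_RECEIVER].map(analyzeSource);
for (const r of reports) console.log(formatReport(r).join("\n"));
console.log(`exit code: ${exitCodeFor(reports)}`);
```

Run it with an assumed filename such as `npx ts-node scanner.ts`. The unsafe fixture produces three WARN and two INFO findings and an exit code of 1; the hardened fixture produces none. Because the checks are purely textual, a contract can satisfy them without being correct (a processedMessages mapping that is never written, for example), which is the same limitation the README states when it says the tool does not replace a security audit.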