
depmedic

v0.1.4

Published

Surgical npm vulnerability triage. Minimum-bump fixes, prod/dev split, transitive depth, no breaking surprises.

Readme

depmedic


Surgical npm vulnerability triage. Reads npm audit --json, prints the smallest set of package bumps that close the reported vulnerabilities, ranks them by severity and reachability, and exits with a CI-friendly code.

npm audit fix is too aggressive. Dependabot floods the inbox. Snyk wants an enterprise contract. depmedic does one thing: tell me the minimum bump that fixes the real issues, in one screenful, with no breaking surprises.


Install

npm install -g depmedic
# or run on demand
npx depmedic

Node.js 18+.

Use

In any project with a package.json:

depmedic                      # human report
depmedic --prod-only          # ignore dev-only vulns
depmedic --severity=high      # only high + critical
depmedic --no-major           # hide fixes that need a semver-major bump
depmedic --json               # machine output for CI
depmedic --input=audit.json   # from a saved 'npm audit --json'

Exit codes: 0 clean, 1 vulns present, 2 error. Wire it into CI as a gate.

Sample output

depmedic  2026-04-26T14:00:00.000Z

Found 3 vulnerabilities  [crit 2  high 1  mod 0  low 0]
  fixable: 3   major-bumps: 1   prod-direct: 2

 CRITICAL  mkdirp  (prod-direct)
  affected: 0.4.0 - 0.5.5
  fix: upgrade mkdirp -> 3.0.1 (MAJOR)
  Prototype Pollution in minimist
  https://github.com/advisories/GHSA-xvch-5gv4-984h

 CRITICAL  minimist  (transitive, depth 2)
  affected: <1.2.6
  pulled in via: mkdirp -> minimist
  fix: upgrade mkdirp -> 3.0.1 (MAJOR)

 HIGH  lodash  (prod-direct)
  affected: <4.17.21
  fix: upgrade lodash -> 4.17.21 (patch)
  https://github.com/advisories/GHSA-jf85-cpcp-j695

What it does

  • Minimum-bump first. Patch beats minor beats major. Major bumps are flagged loudly, never auto-applied.
  • Prod vs dev split. --prod-only filters dev-only noise.
  • Transitive context. Shows which top-level package pulls a vulnerable transitive in.
  • Single binary. Two runtime deps (semver, picocolors). No telemetry, no dashboards, no account.
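As an added illustration of the triage behaviour described in the "Use" and "What it does" sections (this is not depmedic's own code), the following Node.js script walks an npm audit --json report (auditReportVersion 2; the fields severity, isDirect, effects, range and fixAvailable are npm's), resolves the direct package behind each transitive finding, applies the --severity and --no-major filters, and returns the 0/1/2 exit code. The sample report is constructed to mirror the README's sample output, and 'placeholder-lib' is an invented name.

```javascript
const SEVERITY = { low: 1, moderate: 2, high: 3, critical: 4 };

// Follow `effects` upward until a direct dependency is reached, so a transitive
// finding reads root -> ... -> name ("pulled in via: mkdirp -> minimist").
function chainTo(vulns, name, seen = new Set()) {
  const v = vulns[name];
  seen.add(name);
  if (!v || v.isDirect) return [name];
  const parent = (v.effects || []).find((p) => !seen.has(p));
  return parent ? [...chainTo(vulns, parent, seen), name] : [name];
}

// npm's fixAvailable is false, true (a non-major `npm audit fix` suffices) or an
// object naming the top-level package to install and whether that is a major bump.
function describeFix(fa) {
  if (!fa) return 'none';
  if (fa === true) return 'non-major update';
  return `upgrade ${fa.name} -> ${fa.version}${fa.isSemVerMajor ? ' (MAJOR)' : ''}`;
}

// Rank by severity, then direct before transitive, then shallower chains first.
// Exit codes follow the README: 0 clean, 1 findings, 2 unreadable input.
function triage(report, { minSeverity = 'low', noMajor = false } = {}) {
  const vulns = report && report.vulnerabilities;
  if (!vulns || typeof vulns !== 'object') return { findings: [], exitCode: 2 };
  const findings = Object.values(vulns)
    .filter((v) => SEVERITY[v.severity] >= SEVERITY[minSeverity])
    .filter((v) => !(noMajor && v.fixAvailable && v.fixAvailable.isSemVerMajor))
    .map((v) => {
      const chain = chainTo(vulns, v.name);
      return { name: v.name, severity: v.severity, range: v.range, direct: !!v.isDirect,
        depth: chain.length, chain: chain.join(' -> '), fix: describeFix(v.fixAvailable) };
    })
    .sort((a, b) => SEVERITY[b.severity] - SEVERITY[a.severity]
      || Number(b.direct) - Number(a.direct) || a.depth - b.depth);
  return { findings, exitCode: findings.length ? 1 : 0 };
}

// Constructed sample report mirroring the README's sample output; only the
// fields the triage reads are present. 'placeholder-lib' is an invented name.
const SAMPLE = { auditReportVersion: 2, vulnerabilities: {
  minimist: { name: 'minimist', severity: 'critical', isDirect: false, range: '<1.2.6',
    effects: ['mkdirp'], fixAvailable: { name: 'mkdirp', version: '3.0.1', isSemVerMajor: true } },
  mkdirp: { name: 'mkdirp', severity: 'critical', isDirect: true, range: '0.4.0 - 0.5.5',
    effects: [], fixAvailable: { name: 'mkdirp', version: '3.0.1', isSemVerMajor: true } },
  lodash: { name: 'lodash', severity: 'high', isDirect: true, range: '<4.17.21',
    effects: [], fixAvailable: true },
  'placeholder-lib': { name: 'placeholder-lib', severity: 'moderate', isDirect: false,
    range: '<2.0.0', effects: [], fixAvailable: false },
} };
```

Feed it the output of `npm audit --json` (parsed with `JSON.parse`) and use `exitCode` as the CI gate; the `findings` array is what a one-screen report or `--json` output would be rendered from.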

CI

- run: npm ci
- run: npm audit --json > audit.json || true
- run: npx depmedic --input=audit.json --severity=high

The non-zero exit on findings fails the job.

Pro

A paid Pro tier is in development:

  • Reachability check. Does your code import or call the vulnerable function?
  • Monorepo support: pnpm, npm, yarn berry workspaces.
  • CI policy file: thresholds, allowlists, expiring suppressions.
  • HTML / PDF report.

License via Polar at https://polar.sh/depmedicdev. Free CLI stays free.

Companion tools

  • ci-doctor - audit GitHub Actions workflows for waste and security gaps.

Honesty

Built with AI assistance. Every change reviewed. Open an issue if anything breaks.

License

MIT. See LICENSE.


Sponsor / support depmedic

If this saved you 10 minutes of CI debugging, consider one of these. All of them keep the free CLIs free:

More from depmedic

| Tool | Description |
| --- | --- |
| ci-doctor | audit GitHub Actions for cost + security (16 rules) |
| gitlab-ci-doctor | same engine for .gitlab-ci.yml (14 rules) |
| bitbucket-ci-doctor | for bitbucket-pipelines.yml (8 rules) |
| azure-pipelines-ci-doctor | for azure-pipelines.yml (8 rules) |
| circleci-ci-doctor | for .circleci/config.yml (8 rules) |
| gha-budget | $-denominated cost estimate of any GHA workflow |
| pin-actions | one-shot SHA pinner for uses: blocks |
| cursor-rules-init | scaffold .cursor/rules/ for your stack |
| depmedic | all-in-one cli, finds outdated/risky deps |
| depmedic/ci-doctor-action | composite GitHub Action: PR comment + SARIF |

In-browser scanners (no install): GitHub · GitLab · Bitbucket · Azure · CircleCI.

Newsletter (weekly, low-volume): https://depmedicdev-byte.github.io/newsletter.html?utm_source=npm&utm_medium=readme&utm_campaign=depmedic.