npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

dio-lookup

v0.2.0

Published

Pipe internet assets to lookup.disclose.io and get security-disclosure contacts as JSONL.

Readme

dio-lookup

Pipe internet assets into lookup.disclose.io and get security-disclosure contacts back — Unix-style, from your terminal.

Part of the disclose.io Project — the open, vendor-neutral infrastructure for vulnerability disclosure. Browse the ecosystem →


dio-lookup

Pipe internet assets to lookup.disclose.io and get the right security-disclosure contact for each — as JSONL, built for recon pipelines.

Give it a domain, IP, ASN, URL, email, package, repo, container, cloud resource, mobile app, hardware, browser extension, or org name; get back the owner and where to report a vulnerability (security.txt, bug bounty program, VDP, PSIRT, national CERT).

subfinder -d example.com | httpx -silent | dio-lookup > contacts.jsonl
cat hosts.txt | dio-lookup -c 8
dio-lookup cloudflare.com npm:express gh:facebook/react

Install

With Bun (run from source):

bun install -g dio-lookup        # or: git clone + bun link

Prebuilt binary (no runtime needed) — grab the right asset from Releases, then:

chmod +x dio-lookup && sudo mv dio-lookup /usr/local/bin/

Usage

dio-lookup [options] [asset ...]
cat hosts.txt | dio-lookup [options]

  -c, --concurrency N   parallel requests (default 5)
  -k, --key KEY         API key (raises rate limits); or set DIO_API_KEY
      --api URL         API endpoint (default https://lookup.disclose.io/api/lookup)
      --full            emit the full LookupResult instead of the compact summary
      --nuclei          read `nuclei -jsonl` on stdin: extract & de-duplicate the
                        scanned hosts, then enrich each one
  -V, --version         print version
  -h, --help            help

One JSON object per asset on stdout. Compact form:

{"input":"cloudflare.com","assetType":"domain","status":"complete","organization":"Cloudflare","jurisdiction":"US","contacts":[{"type":"security_txt","value":"https://www.cloudflare.com/.well-known/security.txt","confidence":"high"}]}

Pull just the reporting channels with jq:

cat hosts.txt | dio-lookup | jq -r 'select(.status=="complete") | "\(.input)\t\(.contacts[0].value)"'

Nuclei

Close the loop from "found something" to "here's who to tell." Pipe a Nuclei scan straight into dio-lookup and get the disclosure contact for every host it touched:

nuclei -u example.com -jsonl | dio-lookup --nuclei

--nuclei reads Nuclei's JSONL (one finding object per line — not bare hosts), pulls the scanned host from each finding, and de-duplicates before looking anything up. That dedupe matters: a scan can emit hundreds of findings across the same handful of hosts, and collapsing them to one lookup per unique host keeps you well under the API rate limit. For large scans, pass an API key (-k / DIO_API_KEY).

Prefer no extra flag? This bridge is equivalent and works with any dio-lookup:

nuclei -u example.com -jsonl | jq -r '.host' | sort -u | dio-lookup

Heads-up: each scanned host is sent to lookup.disclose.io (which logs requests). For target lists under NDA, use the deduped form and mind the egress.

Notes

  • Free and anonymous. A free API key only raises rate limits — request one by emailing [email protected]. Pass it with -k or DIO_API_KEY.
  • Honors the API's Retry-After on 429 and retries transient failures.
  • --full emits the complete LookupResult (attribution, contacts, resolution chain, data sources) — see the OpenAPI spec.

A disclose.io project. MIT licensed.