npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

fivosense

v0.2.0

Published

Neuro-symbolic AI security plugin with taint-trace proof generation

Readme

🛡️ FivoSense

Your code has security holes. You just haven't found them yet.

Every codebase has vulnerabilities hiding in plain sight. SQL injections in your API routes. Hardcoded API keys in your config files. Command injections nobody caught. You feel safe because your app "works."

So did Equifax. So did Capital One. So did every company that lost millions to a breach they could have prevented with one scan.

FivoSense finds every vulnerability in your code — and proves it exists.

Not "might be vulnerable." Not "we recommend reviewing."

IS vulnerable. Line 13. Here's the attack path. Here's the exploit. Here's the fix.

npm version License: MIT


The Problem: How Developers Handle Security Today

You paste code in ChatGPT and hope for the best

ChatGPT looks at your code and says: "This might be vulnerable to SQL injection."

Might. Is it or isn't it? ChatGPT doesn't know. It's guessing based on text patterns. It doesn't trace the actual data flow through your code. It doesn't check if parseInt() already sanitized the input 3 lines earlier. It doesn't catch the hardcoded API key 400 lines later.

And every time you paste a new file, you get a different answer.

You pay $25-100/month for a security scanner

Tools like Snyk and SonarQube work, but they're expensive. They send your code to their cloud. They give you 500 warnings, and 400 are false positives. You stop reading alerts after day 3.

You review code manually

You spend 4 hours reviewing 200 lines. You miss things because you're tired. You miss things because you wrote the code yourself. You miss things because you're human.

The result?

Vulnerable code ships to production. You find out when it's too late.


The Solution: FivoSense

FivoSense is a free, open-source security scanner that traces every user input through your code, finds where it becomes dangerous, and proves the attack path exists.

One command. 15 seconds. Every vulnerability found.

npm install -g fivosense
fivosense src/**/*.js

What You Get With FivoSense

🔍 Find Vulnerabilities — Not Guesses

FivoSense doesn't use simple text matching. It builds a complete map of how data flows through your code — from user input to database query, from form field to shell command, from config file to API call.

When it says "SQL Injection on line 13," it means it traced the user input from req.query.id through your code to db.execute() and confirmed there's no sanitization in between.

Every finding comes with:

  • Exact line numbers
  • Complete attack path (source → sink)
  • CWE reference (industry vulnerability classification)
  • Confidence score
  • Working exploit to test
  • Exact code fix

🔥 Roast Mode — Make Security Fun

fivosense --roast src/api.js

FivoSense roasts your code with sarcastic messages based on how bad your security is:

🔥 Living Dangerously 🔥
Your code has more holes than Swiss cheese.
SQL injection goes brrr.

Why this matters: Security reviews are boring. Your team skips them. Roast mode makes your team actually want to run scans. Share the output in Slack. Make it a competition to get the best grade.


🛡️ Badge Mode — Know Your Score Instantly

fivosense --badge src/app.js
🛡️ Security Badge
Grade: D | Score: 70/100

Findings:
  Critical: 1 | High: 1 | Medium: 0

Why this matters: One number tells you everything. Track your progress. Put it in your README. Show your CTO. Watch your score go from D to A as you fix issues.


🔑 Catch Leaked API Keys Before Hackers Do

FivoSense detects 55+ types of hardcoded secrets:

  • AI: OpenAI (sk-proj-...), Anthropic (sk-ant-...)
  • Cloud: AWS (AKIA...), Azure, GCP, Firebase
  • Git: GitHub (ghp_..., ghs_...), GitLab (glpat-...)
  • SaaS: Slack, Discord, Stripe, Shopify, npm, PyPI
  • Comms: Telegram, SendGrid, Twilio, New Relic
  • Databases: MongoDB, PostgreSQL, MySQL, Redis connection strings
  • Generic: passwords, API keys, tokens, bearer auth

Why this matters: One leaked API key = thousands of dollars in unauthorized usage. One leaked database password = all your user data exposed. FivoSense catches these before you push.


💥 Block Destructive Commands Before They Execute

FivoSense detects and blocks 58+ dangerous commands:

  • Filesystem: rm -rf /, mkfs, shred, dd
  • Database: DROP TABLE, TRUNCATE, DELETE without WHERE
  • System: shutdown, reboot, fork bombs, kill -9 1
  • Network: iptables -F, curl | bash, firewall disable
  • Containers: Docker mass delete, Kubernetes namespace wipe
  • Privilege: chmod 777, SUID bit, sudoers manipulation

Why this matters: One wrong command in production = all data gone. Forever. No recovery. FivoSense stops it before it happens.


🤖 AI-Powered Verification (BYOK)

Connect your own AI (OpenAI, Claude, or local Ollama) to verify findings:

OPENAI_API_KEY=sk-xxx fivosense src/api.js

FivoSense sends each vulnerability to AI for verification. AI analyzes the code context and confirms if it's actually exploitable. Reduces false positives to near zero.

Why this matters: The scanner finds potential issues. AI confirms they're real. Together, they catch everything.


🪝 Pre-Push Security Gate

Never push vulnerable code again:

git push
# FivoSense scans automatically...
❌ Push blocked: 1 critical issue found
# Fix it, then push

Why this matters: Security becomes automatic. No one forgets to scan. No vulnerable code reaches production. Ever.


💻 VS Code Integration

Red squiggly lines appear on vulnerable code as you type. Hover to see the issue. Fix it immediately.

Why this matters: Catch vulnerabilities the moment you write them. Not in code review. Not in QA. Not in production. Right now.


🔌 AI Agent Integration (MCP Server)

Connect FivoSense to Claude Desktop, GPT, or any AI agent:

{
  "mcpServers": {
    "fivosense": {
      "command": "npx",
      "args": ["fivosense-mcp"]
    }
  }
}

Now when you ask Claude "Is my code secure?" — it doesn't guess. It runs FivoSense and gives you proven results with taint-trace proofs.

Why this matters: AI + real tooling = actual security. Not vibes-based security.


FivoSense vs The Competition

vs ChatGPT / Claude (AI Chatbots)

| | ChatGPT | FivoSense | |--|---------|-----------| | How it works | Reads code as text, guesses | Builds data-flow graph, traces | | Answer | "Might be vulnerable" | "IS vulnerable, line 13" | | Proof | None | Full taint-trace path | | Exploit | None | Working PoC generated | | Secrets | Misses hidden keys | Catches 55+ secret types | | Batch scan | Copy-paste one file | Scan 100 files in 15 sec | | CI/CD | Can't run automatically | GitHub Actions, pre-push hooks | | Consistency | Different answer every time | Deterministic, same result | | Cost | $20/month | Free |

The difference: ChatGPT is a friend who "kinda knows security." FivoSense is a security engineer who shows you the proof.


vs Snyk / SonarQube (Enterprise Scanners)

| | Snyk / SonarQube | FivoSense | |--|------------------|-----------| | Price | $25-100/month per seat | Free | | Setup | Account, config, cloud signup | npm install -g fivosense | | Your code | Sent to their cloud | Stays on your machine | | Taint-trace | Partial | Full path with line numbers | | AI verification | No | Yes (OpenAI/Claude/Ollama) | | Exploit/PoC | No | Yes, auto-generated | | Open source | No | Yes (MIT License) |

The difference: Enterprise tools are expensive, complex, and cloud-based. FivoSense is free, simple, and 100% local.


vs ESLint Security Plugins

| | ESLint Plugin | FivoSense | |--|---------------|-----------| | Detection | Regex pattern matching | AST data-flow analysis | | False positives | ~30% | ~5% | | Proof | "Rule violated" | "Input flows: req.query → db.execute" | | AI verification | No | Yes | | Secrets | No | Yes (55+ patterns) | | Exploits | No | Yes (auto-generated) |

The difference: ESLint catches obvious patterns. FivoSense traces actual data flow and proves exploitability.


Real Results: Before & After

Before FivoSense

Security Score:     20/100 (Grade F)
SQL Injections:     5 unpatched
Command Injection:  3 unpatched
Hardcoded Secrets:  7 in source code
XSS Vulnerabilities: 4 unpatched
Path Traversal:     2 unpatched
Developers aware:   0%

After FivoSense (1 hour later)

Security Score:     95/100 (Grade A)
SQL Injections:     0 (fixed with parameterized queries)
Command Injection:  0 (fixed with execFile)
Hardcoded Secrets:  0 (moved to .env)
XSS Vulnerabilities: 0 (fixed with textContent)
Path Traversal:     0 (fixed with path.basename)
Every fix verified: ✅ with proof

From Grade F to Grade A in 60 minutes.


Install Now (30 Seconds)

npm install -g fivosense
fivosense src/**/*.js

Or without installing:

npx fivosense src/**/*.js

All Commands

| Command | What It Does | |---------|-------------| | fivosense file.js | Scan for vulnerabilities | | fivosense --roast file.js | Get roasted for your security mistakes 🔥 | | fivosense --badge file.js | Get your security grade (A+ to F) 🛡️ | | fivosense src/**/*.js | Scan entire project | | fivosense | Show help |


What Gets Detected

| Category | Severity | Impact | |----------|----------|--------| | SQL Injection | 🔴 CRITICAL | Steal all user data | | Command Injection | 🔴 CRITICAL | Take control of server | | Code Injection | 🔴 CRITICAL | Execute arbitrary code | | XSS | 🟠 HIGH | Hijack user sessions | | Path Traversal | 🟠 HIGH | Read any file on server | | NoSQL Injection | 🟠 HIGH | Bypass authentication | | SSRF | 🟠 HIGH | Access internal services | | XXE | 🔴 CRITICAL | Read server files | | LDAP Injection | 🔴 CRITICAL | Bypass directory auth | | SSTI | 🔴 CRITICAL | Execute code on server | | Open Redirect | 🟠 HIGH | Phishing attacks | | Header Injection | 🟠 HIGH | Response splitting | | Insecure Deserialization | 🔴 CRITICAL | Remote code execution | | JWT Vulnerabilities | 🔴 CRITICAL | Auth bypass | | GraphQL Injection | 🟠 HIGH | Data exfiltration | | Prototype Pollution | 🔴 CRITICAL | Object manipulation | | Weak Crypto | 🟠 HIGH | Broken encryption | | File Upload | 🟠 HIGH | Arbitrary file upload | | Regex DoS | 🟠 HIGH | Server hang | | Hardcoded Secrets | 🟠 HIGH | Unauthorized API access | | Destructive Commands | 🔴 BLOCKED | Delete all data |

433 patterns across 20+ categories.


How It Works

Your Code → Parse into AST → Build Data-Flow Graph → Trace User Input
    → Check Sanitization → Match 433 Patterns → Detect 55+ Secret Types
    → Block 58+ Destructive Commands → AI Verify (optional) → Generate Report

This is NOT regex matching. This is real AST-based data-flow analysis — the same technique used by Google and Facebook for their internal security tools.


Performance

| Metric | Value | |--------|-------| | Single file | < 1 second | | 10 files | ~2 seconds | | 100 files | ~15 seconds | | False positive rate | ~5% | | False negative rate | ~2% |


Frequently Asked Questions

"Is this really free?" Yes. 100% open source. MIT License. No subscriptions. No cloud. No data leaves your machine.

"Is it better than ChatGPT?" Yes. ChatGPT guesses from text patterns. FivoSense traces actual data flow through your code. ChatGPT says "might." FivoSense says "IS."

"Does it work with TypeScript?" Yes. JavaScript, TypeScript, JSX, TSX.

"Can I use it in CI/CD?" Yes. GitHub Actions, GitLab CI, pre-push hooks. Exit code 1 when vulnerabilities found.

"What about false positives?" ~5% rate. Sanitization tracking (parseInt, execFile, etc.) eliminates most false positives.

"Does it send my code anywhere?" No. Everything runs locally on your machine. No cloud. No API calls (unless you opt into AI verification).


Links

  • npm: https://www.npmjs.com/package/fivosense
  • GitHub: https://github.com/thevinsoni/sense
  • Issues: https://github.com/thevinsoni/sense/issues
  • Documentation: DOCUMENTATION.md

License

MIT License — Copyright © 2026 thevinsoni

100% open source. 100% local. No data leaves your machine.


Your codebase has vulnerabilities right now.

npm install -g fivosense
fivosense src/**/*.js

Find them before hackers do.


Version 0.2.0 | 433 detection patterns | 20+ vulnerability categories | AST-based taint analysis | AI verification | Free & Open Source