
ira-review

v3.1.10

AI-powered PR reviews with built-in JIRA intelligence

Review pull requests from your terminal. Get risk scores, inline comments, JIRA validation, and team rule enforcement before anyone else sees your code.

npx ira-review review --pr 42 --scm-provider github \
  --github-token "$GITHUB_TOKEN" --github-repo owner/repo \
  --ai-api-key "$OPENAI_API_KEY" --dry-run

No install required. Drop --dry-run to post comments directly on the PR. For Bitbucket, replace the GitHub flags with --bitbucket-token and --repo.

💡 Prefer reviewing inside your editor? IRA also ships as a VS Code extension (available since earlier 3.x versions) — same engine, with inline diagnostics, codelens, and one-click "Post to PR".


What You Get

IRA: Found 3 issues (Risk: MEDIUM - 47/100)

src/routes/todos.ts
  [BLOCKER] SQL injection risk - user input passed directly to query
  [MAJOR]   Missing database index on frequently queried column

src/middleware/auth.ts
  [CRITICAL] JWT secret hardcoded - move to environment variable

JIRA AC Validation (PROJ-1234):
  AC 1: User can create a todo item        COVERED
  AC 2: Input is validated before save      NOT COVERED
  AC 3: Error returns 422 with details      COVERED

Each issue is posted as an inline comment on the exact PR line with explanation, impact, and a minimal BEFORE → AFTER fix.

Features:

  • Evidence-based reviews — 7 categories (security, business logic, race conditions, data consistency, async, error handling, defensive coding), each with explicit false-positive exclusions. Issues without concrete evidence are filtered out.
  • Risk scoring (0-100) with severity breakdown and PR labels
  • Inline AI comments with explanation, impact, and minimal BEFORE → AFTER fix
  • Two-pass critical review (--ai-model-critical) — bulk pass uses your everyday model; only CRITICAL/BLOCKER findings are re-run against a stronger model, keeping premium-request cost low while preserving deep analysis on what matters
  • JIRA acceptance criteria validation with per-criterion pass/fail and edge case detection
  • JIRA AC auto-detection — finds AC from custom field or description automatically
  • Custom team review rules via .ira-rules.json (see below)
  • Test case generation from JIRA tickets (Jest, Vitest, Playwright, etc.)
  • Comment deduplication across re-runs
  • Slack and Teams notifications with risk threshold filtering

Custom Review Rules

Commit a .ira-rules.json to your repo root. Rules are injected into the AI prompt alongside the diff. No extra API calls, no separate pass.

{
  "rules": [
    {
      "message": "Use parameterized queries for all SQL operations",
      "bad": "db.query(`SELECT * FROM users WHERE id = ${userId}`)",
      "good": "db.query('SELECT * FROM users WHERE id = $1', [userId])",
      "severity": "CRITICAL",
      "paths": ["src/db/**", "src/api/**"]
    },
    {
      "message": "Never use console.log in production code",
      "bad": "console.log('User:', user);",
      "good": "logger.info('User created', { userId: user.id });",
      "severity": "MINOR"
    }
  ],
  "sensitiveAreas": [
    "src/services/payment/**",
    "**/auth/**",
    "src/config/database.*"
  ]
}

Rules:

  • message + severity required. bad/good examples and paths are optional.
  • Rules without paths apply to all files. Rules with paths match only those directories.
  • No hard cap on rules (soft warning above 500). Deterministic checks (naming, formatting) belong in ESLint.
  • Invalid rules are skipped with a warning, not a crash.
  • No license gating. Works in CLI, CI/CD, and VS Code extension.

Sensitive Areas:

  • Files matching a sensitive area glob get extra scrutiny during review and Apply Fix.
  • Labels are derived from the glob automatically (src/services/payment/** → "payment").
  • Sensitive file findings get a higher weight in risk scoring.

Use Cases

Pre-push check (local dev):

npx ira-review review --pr 42 --scm-provider github \
  --github-token "$GITHUB_TOKEN" --github-repo owner/repo \
  --ai-api-key "$OPENAI_API_KEY" --dry-run

Review in your terminal before pushing. Nothing gets posted.

CI gate (GitHub Actions):

- run: |
    npx ira-review review \
      --pr ${{ github.event.pull_request.number }} \
      --scm-provider github \
      --github-token ${{ secrets.GITHUB_TOKEN }} \
      --github-repo ${{ github.repository }} \
      --no-config-file
  env:
    IRA_AI_API_KEY: ${{ secrets.OPENAI_API_KEY }}

CI gate (Bitbucket Pipelines):

- step:
    name: AI Code Review
    script:
      - npx ira-review review
          --pr $BITBUCKET_PR_ID
          --repo $BITBUCKET_REPO_FULL_NAME
          --no-config-file
    environment:
      IRA_AI_API_KEY: $OPENAI_API_KEY
      IRA_BITBUCKET_TOKEN: $BB_TOKEN

Add Integrations

All optional. IRA works with just an SCM token and an AI key.

| What you want | Flags to add |
|---|---|
| JIRA Cloud validation | --jira-url --jira-email --jira-token --jira-ticket PROJ-123 |
| JIRA Server / DC | --jira-url --jira-type server --jira-token <PAT> --jira-ticket PROJ-123 |
| Bitbucket Server / DC | --bitbucket-type server --bitbucket-url https://bitbucket.example.com --repo PROJECT/repo-slug |
| SonarQube enrichment | --sonar-url --sonar-token --project-key my-project |
| Test generation | --generate-tests --test-framework vitest |
| Slack notifications | --slack-webhook https://hooks.slack.com/services/xxx |
| Teams notifications | --teams-webhook https://outlook.office.com/webhook/xxx |
| Only notify on high risk | --notify-min-risk high |
| Use Anthropic | --ai-provider anthropic |
| Use Ollama (free, local) | --ai-provider ollama |
| Use GitHub Copilot CLI (CI) | --ai-provider copilot-cli (needs @github/copilot installed + GITHUB_TOKEN with Copilot Requests scope; respects GH_HOST) |
| OpenAI-compatible gateway | --ai-base-url https://your-llm-proxy/v1 (GitHub Models, LiteLLM, internal proxy…) |
| Rules from URL (no checkout) | --rules-url https://bitbucket.example.com/.../.ira-rules.json |
| Compact / detailed comments | --comment-style compact (default) or --comment-style detailed |
| Don't post AI-generated ACs to JIRA | --no-post-acs-to-jira (env: IRA_POST_ACS_TO_JIRA=false) — suggestions still render in the PR summary; only the JIRA write is skipped |


Install

npx ira-review review --help       # no install needed
npm install -g ira-review           # or install globally
npm install --save-dev ira-review   # or add to your project

Config File

Optional. Create .irarc.json in your project root:

{
  "scmProvider": "github",
  "githubRepo": "owner/repo",
  "aiModel": "gpt-4o-mini",
  "minSeverity": "MAJOR"
}

CLI flags override env vars, which override the config file. Token fields are blocked from config files by design.
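The precedence and token rule just stated, as an added example that is not ira-review's own code: a resolver that merges CLI flags over env vars over .irarc.json and refuses a config file that carries a token. Assumed, not taken from the page: IRA_* env names map to camelCase option keys (IRA_AI_API_KEY -> aiApiKey), "blocked" means the config file is rejected with an error, and the list of token field names.

```javascript
// Added example, not ira-review's own code: models the documented precedence
// (CLI flag > env var > .irarc.json) and the rule that token fields are refused
// from the config file. Assumptions: IRA_* env names map to camelCase keys
// (IRA_AI_API_KEY -> aiApiKey), "blocked" means rejected, and TOKEN_KEYS below.
const TOKEN_KEYS = ['aiApiKey', 'githubToken', 'bitbucketToken', 'jiraToken', 'sonarToken'];

// IRA_POST_ACS_TO_JIRA -> postAcsToJira
function envKeyToOption(name) {
  return name.slice('IRA_'.length).toLowerCase()
    .replace(/_([a-z])/g, (_, c) => c.toUpperCase());
}

// Only IRA_* variables are options; 'true'/'false' become booleans (e.g. IRA_POST_ACS_TO_JIRA=false).
function optionsFromEnv(env) {
  const out = {};
  for (const [k, v] of Object.entries(env)) {
    if (!k.startsWith('IRA_')) continue;
    out[envKeyToOption(k)] = v === 'true' ? true : v === 'false' ? false : v;
  }
  return out;
}

// Throws if a committed config file carries a secret; otherwise merges by precedence.
// Undefined CLI values (flags the user did not pass) must not clobber lower layers.
function resolveOptions({ cli = {}, env = {}, configFile = {} }) {
  const leaked = TOKEN_KEYS.filter(k => k in configFile);
  if (leaked.length) throw new Error(`token fields are not allowed in the config file: ${leaked.join(', ')}`);
  const defined = o => Object.fromEntries(Object.entries(o).filter(([, v]) => v !== undefined));
  return { ...defined(configFile), ...optionsFromEnv(env), ...defined(cli) };
}

// Constructed sample inputs (the config mirrors the README's .irarc.json).
const SAMPLE_CONFIG = { scmProvider: 'github', githubRepo: 'owner/repo', aiModel: 'gpt-4o-mini', minSeverity: 'MAJOR' };
const SAMPLE_ENV = { IRA_AI_API_KEY: 'sk-example', IRA_AI_MODEL: 'gpt-4o', IRA_POST_ACS_TO_JIRA: 'false', HOME: '/home/dev' };
const SAMPLE_CLI = { minSeverity: 'MINOR', dryRun: true, aiModel: undefined };
```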

Supported Providers

SCM: GitHub, GitHub Enterprise, Bitbucket Cloud, Bitbucket Server/Data Center

AI: OpenAI (default), Azure OpenAI, Anthropic, Ollama (local, no key needed), GitHub Copilot CLI (CI-friendly, uses your Copilot entitlement, no API key), AMP CLI (VS Code extension)

Requirements

  • Node.js 18+
  • An AI provider API key (or Ollama running locally, or GitHub Copilot CLI for headless / CI use, or AMP CLI / GitHub Copilot for the VS Code extension)

Security

Tokens are read from environment variables or CLI flags at runtime. Nothing is written to disk. Config files block token fields by design. No telemetry, no cloud service.

License

MIT


Full docs | VS Code Extension | Support: [email protected]