npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

launchcheck

v2.0.1

Published

Automated pre-launch QA for web projects: a CLI of static checks for code quality, dependencies, deployment, and documentation.

Readme

launchcheck

Automated pre-launch QA for web projects. launchcheck runs a suite of checks — code quality, security, SEO, dependencies, deployment config, and documentation — and returns a process exit code you can gate a release or CI job on. It works in two modes: static (against a project directory) and live (against a running URL).

Status: 59 checks across both modes (static + live), including Lighthouse performance / Core Web Vitals and axe accessibility checks. The browser-based checks require optional peer dependencies (see Install) and are skipped when those peers are absent. See CHANGELOG.md.

Install

Run without installing:

npx launchcheck scan

Or add it to a project as a dev dependency:

npm install --save-dev launchcheck

Requires Node.js >= 18. typescript, puppeteer, @axe-core/puppeteer, and lighthouse are optional peer dependencies, pulled in only by the checkers that use them:

  • Accessibility (axe) checks: install puppeteer and @axe-core/puppeteer.
  • Performance / Core Web Vitals (Lighthouse) checks: install lighthouse, plus a Chrome/Chromium binary discoverable by chrome-launcher (a system Chrome install, or a path it can find).

Checkers whose optional peer is not installed are reported as skip, never fail, so a default install runs the full static + HTTP/DOM/TLS/DNS suite without any browser.

Usage

Static checks (project directory)

Scan the current directory (or pass --project-dir):

npx launchcheck scan
npx launchcheck scan --project-dir ./path/to/project --no-color

Static checks cover code quality (console/debugger statements, TODO/FIXME, ESLint, Prettier, tsc --noEmit under strict, large files in git history), dependencies (lockfile committed), deployment (.env.example, CI config), documentation (README sections), and security (hardcoded-secret scan).

Live checks (URL)

Scan a running site:

npx launchcheck scan --url https://your-site.com

Live checks cover security headers (HSTS, CSP, X-Frame-Options, X-Content-Type- Options, Referrer-Policy, Permissions-Policy, Server/X-Powered-By leakage), TLS certificate validity and expiry, SEO (title, meta description, canonical, single H1, heading order, Open Graph, Twitter Card, JSON-LD, robots.txt, sitemap.xml, favicon), and — when enabled — email authentication DNS records (SPF, DKIM, DMARC).

With the optional browser peers installed, live mode additionally runs accessibility checks via axe-core (ARIA validity, color contrast, focus states, image alt text, keyboard tab order, touch targets) and performance checks via Lighthouse (performance, accessibility, best-practices, and SEO category scores, plus the Core Web Vitals LCP, CLS, and INP).

Combine static and live in one run (pass both a URL and a project directory):

npx launchcheck scan --url https://your-site.com --project-dir .

Example (abridged):

security
  PASS  hsts-present/hsts-present [critical]        max-age=63072000
  PASS  ssl-valid/ssl-valid [critical]              issuer: Let's Encrypt
  PASS  ssl-not-expiring/ssl-not-expiring [major]   valid for 80 more days
  WARN  csp-present/csp-unsafe [major]              uses 'unsafe-inline'
  SKIP  spf-record/email-auth-disabled [major]      enable email-auth to run
seo
  FAIL  canonical-url/canonical-missing [major]
  PASS  structured-data/structured-data-present [minor]   2 JSON-LD blocks
Summary: 17 passed, 2 failed, 1 warned, 3 skipped   exit 1

A malformed --url (or a non-http(s) scheme) is a usage error and exits 2. Scanning an http:// URL skips the TLS checks — point --url at the https URL.

list

npx launchcheck list
npx launchcheck list --category security
npx launchcheck list --json

Exit codes

scan exits 2 if any critical check fails, 1 if any check fails, and 0 otherwise. Warnings and skipped checks do not affect the exit code.

Configuration

Drop a .launchcheckrc JSON file at the project root to tune behavior:

{
  "checkers": { "console-log-scan": false },
  "thresholds": {
    "large-file-bytes": 5242880,
    "ssl-expiry-warning-days": 30
  },
  "checkerOptions": {
    "readme-sections": { "requiredHeadings": ["Install", "Usage"] },
    "secret-scan": { "allowlist": ["EXAMPLE_KEY"] },
    "email-auth": {
      "enabled": true,
      "domain": "your-domain.com",
      "dkimSelectors": ["default"]
    }
  },
  "ignore": ["vendor/**", "**/*.min.js"]
}
  • checkers — enable or disable individual checkers by id.
  • thresholds — numeric knobs by well-known key (large-file-bytes, ssl-expiry-warning-days).
  • checkerOptions — per-checker options. Note email-auth is disabled by default: the SPF, DKIM, and DMARC checks skip until you set email-auth.enabled to true (and list dkimSelectors for DKIM).
  • ignore — glob patterns excluded from scanning.

License

MIT © Apetu Ezekiel