maintainerops-ai

v0.1.5

AI-assisted OSS maintainer workflows for PR review, issue triage, security triage, and release notes.

MaintainerOps AI

MaintainerOps AI is a GitHub-aware CLI and GitHub Action for open-source maintainers. It turns pull requests, issues, and fixture-based security or release inputs into structured review packets that a maintainer can accept, edit, or ignore.

OSS ecosystems rely on a small number of maintainers making high-quality decisions under constant backlog pressure. MaintainerOps AI makes that work easier to audit and repeat: it converts noisy issues, PRs, dependency updates, and release tasks into review packets that preserve maintainer control while improving security, code quality, and response time.

The project is intentionally human-in-the-loop. It does not merge pull requests, close issues, publish releases, or run security scans against repositories you do not own or administer.

Current evidence snapshot

  • Public npm package: maintainerops-ai, latest v0.1.4.
  • GitHub Marketplace Action: MaintainerOps AI, latest v0.1.6.
  • GitHub releases: v0.1.0, v0.1.1, v0.1.2, v0.1.3, v0.1.4, v0.1.5, and v0.1.6.
  • Security evidence: initial Codex Security report, fix report, focused rescan, and full repository-wide rescan.
  • Workflow evidence: successful manual, pull-request-triggered, and issue-triggered GitHub Actions runs, including the v0.1.4 hardening PR and post-application maintenance checks.
  • Maintainer workflow evidence: issues #1-#4 triaged and closed, issue #6 open for Marketplace/external maintainer feedback, issue #11 tracks the v0.1.4 hardening release, and real repository review packets published.
  • Verification gate: npm run verify includes typecheck, lint, format, unit tests, UI smoke test, evals, package dry run, publint, and npm audit.

Why this exists

Open-source maintenance work is repetitive and high-stakes:

  • Review pull requests for risk, test gaps, and security-sensitive changes.
  • Triage issues into actionable labels and missing-information requests.
  • Summarize dependency, CodeQL, Semgrep, and package audit output when maintainers provide those findings through issues or fixtures.
  • Draft release notes from merged pull requests and breaking changes.

MaintainerOps AI uses the OpenAI API to reduce the reading and drafting load while keeping maintainers in control.

Quick start

Install from npm:

npm install -g maintainerops-ai
maintainerops analyze --fixture examples/fixtures/pull_request.json --format markdown --offline

Run from source:

npm install
npm run build
npm run demo

Full local verification:

npm run verify

With the OpenAI API enabled:

set OPENAI_API_KEY=<your-openai-api-key>
set OPENAI_MODEL=<supported-openai-model>
npm run build
node dist/cli.js analyze --fixture examples/fixtures/pull_request.json --format markdown

If OPENAI_MODEL is omitted, the CLI uses its built-in default model. Set the variable explicitly when your organization has standardized on a specific supported OpenAI model.

Against GitHub:

set GITHUB_TOKEN=<your-github-token>
node dist/cli.js analyze --repo owner/project --pull 123 --authorized --format markdown
node dist/cli.js analyze --repo owner/project --issue 456 --authorized --format json

If OPENAI_API_KEY is not set, the CLI falls back to deterministic offline heuristics so maintainers can test the workflow without spending credits.

What the AI returns

The model is asked to return a strict structured object:

  • summary: maintainer-ready summary
  • riskLevel: low, medium, high, or critical
  • labels: suggested labels
  • recommendedAction: next maintainer action
  • reviewChecklist: concrete review checks
  • securityNotes: security-sensitive observations
  • releaseNotes: release-note draft fragments
  • commentDraft: optional GitHub comment draft
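Because the packet comes from the model, it is untrusted input until it has been checked. The following is an added example, not the project's own code: a strict parser for the object described above that rejects bad risk levels, wrong field types and unexpected keys instead of throwing.

```javascript
// Added example (not MaintainerOps AI's implementation): validate a model
// reply against the review-packet shape before a maintainer sees it.
const RISK_LEVELS = ['low', 'medium', 'high', 'critical'];
const LIST_FIELDS = ['labels', 'reviewChecklist', 'securityNotes', 'releaseNotes'];
const ALLOWED_FIELDS = new Set([
  'summary', 'riskLevel', 'labels', 'recommendedAction',
  'reviewChecklist', 'securityNotes', 'releaseNotes', 'commentDraft',
]);

const isStringList = (v) => Array.isArray(v) && v.every((s) => typeof s === 'string');

// Returns { ok: true, packet } or { ok: false, errors } and never throws,
// so a malformed reply degrades to "needs manual review", not a crash.
function parseReviewPacket(rawJson) {
  let obj;
  try {
    obj = JSON.parse(rawJson);
  } catch {
    return { ok: false, errors: ['response is not valid JSON'] };
  }
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
    return { ok: false, errors: ['response is not a JSON object'] };
  }
  const errors = [];
  if (typeof obj.summary !== 'string' || obj.summary.trim() === '') errors.push('summary: non-empty string required');
  if (!RISK_LEVELS.includes(obj.riskLevel)) errors.push(`riskLevel: expected one of ${RISK_LEVELS.join('|')}`);
  if (typeof obj.recommendedAction !== 'string') errors.push('recommendedAction: string required');
  for (const f of LIST_FIELDS) if (!isStringList(obj[f])) errors.push(`${f}: array of strings required`);
  if (obj.commentDraft !== undefined && typeof obj.commentDraft !== 'string') errors.push('commentDraft: string required when present');
  // Unknown keys (including a JSON "__proto__" own property) are rejected, not passed through.
  for (const key of Object.keys(obj)) if (!ALLOWED_FIELDS.has(key)) errors.push(`unexpected field: ${key}`);
  if (errors.length > 0) return { ok: false, errors };
  return { ok: true, packet: { ...obj, commentDraft: obj.commentDraft ?? '' } };
}

// Constructed sample of a well-formed model reply (not real project output).
const SAMPLE_RESPONSE = JSON.stringify({
  summary: 'Adds retry logic to the GitHub client; touches auth header handling.',
  riskLevel: 'medium',
  labels: ['enhancement', 'needs-tests'],
  recommendedAction: 'Request unit tests for the retry path before review.',
  reviewChecklist: ['Confirm retries do not re-send a revoked token'],
  securityNotes: ['Authorization header is rebuilt on each retry'],
  releaseNotes: ['GitHub client now retries transient 5xx responses'],
});

console.log(JSON.stringify(parseReviewPacket(SAMPLE_RESPONSE), null, 2));
```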

Safety posture

  • Dry-run by default.
  • Minimal GitHub permissions.
  • Secret redaction before model calls and report serialization.
  • Live GitHub analysis requires explicit authorization.
  • Pull request CI runs in offline/no-secret mode by default.
  • GitHub Actions stdout neutralizes workflow-command syntax from untrusted model text.
  • No automatic merge, close, release, or external scan.
  • Audit-friendly JSON output with redacted work-item content.
  • Optional API use; offline mode works for CI validation.

Dashboard prototype

npm run dev

Open the printed local URL to review the Security Review Workbench UI.

Security Review Workbench demo (static preview: security-review-workbench.png).

Further links in the original README: Security review evidence, Application materials.

GitHub Action

Use MaintainerOps AI as a read-only GitHub Action to generate review packets during pull request and issue triage.

name: MaintainerOps AI

on:
  pull_request:
    types: [opened, synchronize, reopened]
  issues:
    types: [opened, edited]

permissions:
  contents: read
  pull-requests: read
  issues: read

jobs:
  review-packet:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - uses: rtonf/[email protected]
        with:
          mode: ${{ github.event_name == 'pull_request' && 'pull_request' || 'issue' }}
          repo: ${{ github.repository }}
          number: ${{ github.event.pull_request.number || github.event.issue.number }}
          format: markdown
          offline: true
          authorized: true

Trying this from GitHub Marketplace? Please leave early maintainer feedback on Issue #6 after running either the Action or the npm CLI.

Marketplace listing summary:

MaintainerOps AI helps open-source maintainers turn pull requests and issues into human-reviewed triage packets with risk level, labels, review checklist, security notes, release-note hints, and a draft response. It is read-only by design, requires explicit authorization for live repository analysis, and does not merge, close, label, or publish anything automatically.

See action.yml, Marketplace listing notes, and the safe no-secret pull request workflow example at docs/github-workflows/maintainerops.yml.

OpenAI alignment

This project is designed for the exact OSS maintenance workflows that the Codex for Open Source program describes: pull request review, issue triage, release workflows, maintainer automation, and security/code-quality support.