narc-cli

v1.2.3

NARC (Network Audit and Risk Checker) - A high-performance security auditing CLI tool for deep heuristics and comprehensive code inspection.

NARC (Network Audit and Risk Checker)

NARC is a high-performance security auditing command-line tool designed for deep analysis and risk assessment of Node.js projects. It identifies security vulnerabilities, leaked secrets, and dangerous code patterns through static analysis and dependency auditing.

███╗   ██╗ █████╗ ██████╗  ██████╗
████╗  ██║██╔══██╗██╔══██╗██╔════╝
██╔██╗ ██║███████║██████╔╝██║     
██║╚██╗██║██╔══██║██╔══██║██║     
██║ ╚████║██║  ██║██║  ██║╚██████╗
╚═╝  ╚═══╝╚═╝  ╚═╝╚═╝  ╚═╝ ╚═════╝

Features

  • Static Analysis (AST): Inspects source code using acorn to identify dangerous function calls (eval, exec, spawn, etc.) and unhandled async errors.
  • Secret Detection: Dual-layer detection — secretlint rule sets + custom regex patterns for AWS keys, GitHub PATs, Stripe keys, JWTs, database URLs with credentials, and more.
  • Environment Variable Safety: Flags process.env.VAR access without fallbacks, committed .env files, and loose NODE_ENV comparisons.
  • CORS Misconfiguration: Detects wildcard origins, reflected origins, origin: true, catch-all regexes, and the dangerous credentials: true + wildcard combo.
  • Dependency Auditing: Performs deep inspection of dependencies to identify vulnerabilities. Integrates with npm audit and handles projects without lockfiles gracefully.
  • GitLeaks Integration: Scans repository history for compromised credentials using industry-standard rules.
  • Async Error Handling: AST-based detection of await outside try/catch, .then() without .catch(), and async functions with no error handling.

Installation

Using Bun (Recommended)

NARC is built for high performance on the Bun runtime, so this is the preferred installation method:

bun install -g narc-cli

Or run it instantly without installation:

bunx narc-cli

Using npm

You can also install via npm, provided you have Bun installed on your system:

npm install -g narc-cli

Or run via npx:

npx narc-cli

Usage

Navigate to your project root and execute the narc command:

narc

Options

You can customize NARC's behavior with the following flags:

  • narc --diff: Fast Mode. Only scans files that currently have uncommitted Git changes (via git diff). Ideal for pre-commit hooks.
  • narc --json: Machine Automation. Outputs the full vulnerability report as a raw JSON array. Disables UI spinners and colors.
  • narc --quiet: Quiet Mode. Disables the startup logo, colors, and loading spinners. Useful for cleaner CI/CD logs.

.narcignore

If NARC is flagging files you intentionally want to skip (such as legacy files or test fixtures), create a .narcignore file in your project root. Any file whose path contains a line from this file is skipped entirely.

tests/fixtures/
legacy-auth.js
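
Because the rule is "path contains the line", an entry can hide more files than the one it was written for. The following is an added example, not NARC's own code: it re-implements the rule as this README states it (assumed to be a plain substring test with no globbing) and lists files that are skipped by a collateral match. The helper names, the "intended match" heuristic and the file list are constructed for illustration.

```javascript
// Added illustration, not NARC's implementation. Assumes the rule the README
// states: a file is skipped when its path contains any line of .narcignore
// as a plain substring. Blank-line skipping, whitespace trimming and
// forward-slash paths are further assumptions.

function parseIgnore(text) {
  return text.split(/\r?\n/).map((l) => l.trim()).filter((l) => l.length > 0);
}

// True when the path would be skipped under the substring rule.
function isSkipped(path, entries) {
  return entries.some((entry) => path.includes(entry));
}

// Heuristic: a match is "intended" when the entry is a root-relative prefix
// of the path or names the file exactly; any other substring hit is collateral.
function isIntended(path, entry) {
  return path.startsWith(entry) || path.endsWith("/" + entry);
}

// List every (entry, path) pair where a file is skipped by a collateral hit.
function collateralSkips(entries, paths) {
  const hits = [];
  for (const entry of entries) {
    for (const path of paths) {
      if (path.includes(entry) && !isIntended(path, entry)) {
        hits.push({ entry, path });
      }
    }
  }
  return hits;
}

// Constructed sample: the two entries shown above and a made-up file list.
const SAMPLE_IGNORE = "tests/fixtures/\nlegacy-auth.js\n";
const SAMPLE_PATHS = [
  "tests/fixtures/fake-key.js",
  "src/tests/fixtures/handler.js",
  "legacy-auth.js",
  "src/not-legacy-auth.js",
  "src/server.js",
];

for (const { entry, path } of collateralSkips(parseIgnore(SAMPLE_IGNORE), SAMPLE_PATHS)) {
  console.log(`"${entry}" also hides ${path}`);
}
```

Feeding the function the output of `git ls-files` instead of the sample list shows what a real .narcignore removes from scan coverage.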

Automation

NARC is built for CI/CD pipelines. It automatically disables UI spinners and returns a non-zero exit code (1) if it detects any High or Critical vulnerabilities.

Recent Improvements

  • Robust Dependency Auditing: Now gracefully handles projects without lockfiles and limits noisy npm audit stderr output.
  • Independent Git History Scanning: Removed dependency on local package.json scripts; now uses npx to run scanners directly for higher reliability.

NARC utilizes several industry-standard tools to provide its comprehensive security report:

  • Acorn: JavaScript parsing for AST analysis.
  • Secretlint: Pluggable secret linting.
  • Gitleaks: Secrets-in-commits detection.
  • Clack: CLI interaction management.

License

ISC License. See the LICENSE file for details.