
next-secure-check v0.2.1

Published

Deterministic security checks for Next.js projects. No AI required.

Downloads: 385

Readme

next-secure-check

Deterministic security checks for Next.js projects. No AI required.

Run a quick static security sanity check before deploying a Next.js app.

Usage

Recommended one-off usage:

npx --yes next-secure-check@latest scan . --preset app

For reproducible CI runs, pin the version:

npx --yes [email protected] scan . --preset app

Or run without installing:

npx --yes next-secure-check@latest scan .

Global install is also supported:

npm install -g next-secure-check
next-secure-check scan .

If an older global install is present, unversioned npx next-secure-check can sometimes reuse the old binary and fail on v0.2 options such as --preset. Check and remove the global install when needed:

next-secure-check --version
npm list -g next-secure-check
npm uninstall -g next-secure-check
npm cache verify

Presets

Use presets to choose the right signal/noise tradeoff:

npx --yes next-secure-check@latest scan . --preset app
npx --yes next-secure-check@latest scan . --preset strict
npx --yes next-secure-check@latest scan . --preset ci

  • app: production app-code focused scan
  • strict: broad aggressive review with context tuning off
  • ci: practical pull request checks

Other presets are available for default, audit, library, and monorepo workflows.

--preset was added in v0.2.0. Prefer npx --yes next-secure-check@latest for local one-off scans, or pin [email protected] in CI.

Output Formats

npx --yes next-secure-check@latest scan .
npx --yes next-secure-check@latest scan . --format json
npx --yes next-secure-check@latest scan . --format markdown --output report.md
npx --yes next-secure-check@latest scan . --format github
npx --yes next-secure-check@latest scan . --format sarif --output report.sarif

github output is designed for GitHub Actions Step Summary usage. SARIF output can be uploaded to GitHub Code Scanning.

GitHub Actions

Local terminal scans are manual. GitHub Actions scans are automatic after you add a workflow file to your repository; then GitHub runs the scan on the configured push or pull request events. next-secure-check does not scan repositories on its own.

Basic Step Summary workflow:

name: next-secure-check

on:
  pull_request:
  push:
    branches: [main]

jobs:
  security-check:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20

      - name: Run next-secure-check
        shell: bash
        run: |
          set -o pipefail
          npx --yes [email protected] scan . --preset app --format github --fail-on high | tee -a "$GITHUB_STEP_SUMMARY"
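The `set -o pipefail` in the step above is there because `tee` would otherwise mask the scanner's exit status and a tripped `--fail-on` gate would never fail the job. The following is an added example, not code from next-secure-check or its workflow, that achieves the same thing portably by capturing the scanner's output in a temporary file and appending it to the Step Summary afterwards. `fake_scan` is a constructed stand-in for the real `npx` command so the script runs offline; `run_gated`, `demo_status` and `summary_lines` are helper names chosen here.

```shell
#!/bin/sh
# Added example, not part of next-secure-check: a CI step wrapper that appends the
# scanner's output to the GitHub Step Summary while preserving the scanner's exit
# status, so a tripped --fail-on gate still fails the job. Writing to a temp file
# instead of piping through tee keeps the status intact even in a shell without
# `set -o pipefail`.

# Constructed stand-in for
#   npx --yes next-secure-check@<version> scan . --preset app --format github --fail-on high
# It prints a short summary and returns 1, the status the real gate uses when it trips.
fake_scan() {
  printf '%s\n' '## next-secure-check (constructed stand-in output)' 'Risk level: high'
  return 1
}

# run_gated SCANNER SUMMARY_FILE
# Runs SCANNER with stdout captured to a temp file, appends that output to
# SUMMARY_FILE, and returns SCANNER's exit status unchanged.
run_gated() {
  scanner="$1"
  summary="$2"
  tmp="$(mktemp)"
  # `&& ... ||` records the status without aborting under `set -e`.
  "$scanner" >"$tmp" && status=0 || status=$?
  cat "$tmp" >>"$summary"
  rm -f "$tmp"
  return "$status"
}

# demo_status prints the exit status the CI job would observe for fake_scan.
demo_status() {
  summary="$(mktemp)"
  run_gated fake_scan "$summary" && st=0 || st=$?
  rm -f "$summary"
  echo "$st"
}

# summary_lines prints how many lines the stand-in scan appended to the summary.
summary_lines() {
  summary="$(mktemp)"
  run_gated fake_scan "$summary" || true
  wc -l <"$summary" | tr -d ' '
  rm -f "$summary"
}

# In a real workflow step, wrap the npx command in a function and call:
#   run_gated real_scan "$GITHUB_STEP_SUMMARY"
# The step then exits with the scanner's own status.
```

In a workflow, replace `fake_scan` with a function that runs the pinned `npx` command; the step's exit status is then exactly the scanner's, whether or not the runner's shell supports `pipefail`.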

SARIF / GitHub Code Scanning workflow:

name: next-secure-check SARIF

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read
  security-events: write

jobs:
  security-check:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20

      - name: Run next-secure-check SARIF
        run: npx --yes [email protected] scan . --preset app --format sarif --output next-secure-check.sarif

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: next-secure-check.sarif

Failure Gates

npx --yes next-secure-check@latest scan . --fail-on high
npx --yes next-secure-check@latest scan . --fail-on critical

--fail-on critical is a scan risk-level gate. It exits with code 1 only when the scan summary risk level is critical. Other values, such as high, medium, low, and info, work as severity thresholds.

v0.2.0 Highlights

  • Context-aware scanning with finding context metadata
  • Preset system for app, strict, CI, audit, library, and monorepo scans
  • AST-assisted checks for command execution, raw SQL, dangerous HTML rendering, and password handling
  • Reduced noisy findings in large monorepos and tooling-heavy repositories
  • GitHub Actions and SARIF support

Honest Note

Findings are review signals, not proof of exploitation or a full security audit. False positives and false negatives are possible, especially in large monorepos, generators, templates, and tooling-heavy repositories.

See the main repository for rule documentation, web demo notes, and validation details:

https://github.com/SetraTheXX/next-secure-check