npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

npm-audit-fix-message

v0.3.0

Published

Generate version-aware commit messages for npm audit fix changes.

Readme

npm-audit-fix-message

Generate version-aware commit messages for npm audit fix changes.

This is a small dependency-free CLI for the case where a human runs npm audit fix locally and wants a commit message similar to a dependency-update bot PR:

build: update vulnerable npm packages

- fixture-parser (dev; critical; 1.1.0 - 1.8.3; 1.8.3 -> 1.8.4)
  - Fixture parser mishandles quoted input - https://github.com/advisories/GHSA-aaaa-bbbb-cccc
  - via package.json: apps/gui devDependency fixture-tool (2.3.1 -> 2.4.0)

Usage

Run the whole flow:

npx npm-audit-fix-message --fix

That command:

  1. runs npm audit --json and keeps the pre-fix result in memory,
  2. reads the current package-lock.json,
  3. runs npm audit fix,
  4. compares the old and new lockfiles,
  5. prints a commit message to stdout.

Because this mode runs npm audit fix, it can modify package-lock.json and possibly package.json, depending on what npm decides is needed. Run it from the project you want to update, preferably with a clean working tree so the resulting lockfile changes are easy to review.

If npm audit fix applies some lockfile updates but exits non-zero because other vulnerabilities remain, this command still prints a commit message for the actual lockfile changes and writes a warning to stderr. Remaining vulnerabilities are not listed as fixed. The full npm audit fix report is suppressed so the generated commit message stays easy to copy; run npm audit afterward to inspect the remaining issues. To avoid claiming unresolved advisories were fixed, --fix also checks post-fix audit output and omits advisory URLs that are still reported as vulnerable.

Generate from a saved audit output:

npm audit --json > tmp/npm-audit-before.json
npm audit fix
npx npm-audit-fix-message --audit tmp/npm-audit-before.json

--audit accepts either npm audit --json output or the relevant text block from npm audit --verbose.

Write the generated message to a file as well as stdout:

npx npm-audit-fix-message --audit tmp/npm-audit-before.json --message-file .git/COMMIT_EDITMSG

Options

  • --fix: run npm audit --json, then npm audit fix, then generate output.
  • --audit <file>: read saved audit output instead of running audit.
  • --base <rev>: revision used to read the old lockfile when not using --fix. Defaults to HEAD.
  • --lockfile <path>: lockfile path. Defaults to package-lock.json.
  • --message-file <path>: also write the generated message to a file.

Limits

  • This tool is not a replacement for Dependabot, Renovate, or CI audit policy.
  • It only compares npm lockfiles and audit output.
  • It reports packages that both changed in the lockfile and had concrete advisory entries in the pre-fix audit output.
  • It omits audit graph nodes that only point to other vulnerable packages.
  • When possible, it lists package.json or workspace package.json dependencies that pull in the fixed package as nested via package.json lines. If that direct dependency's installed lockfile version changed, the line includes its old and new versions.
  • If npm audit fix exits non-zero after changing the lockfile, --fix treats the changed packages as a partial success and warns that issues may remain. It omits advisories that are still present in post-fix audit output.
  • It does not print npm's full audit report. If npm audit fix fails without lockfile changes, the error includes npm's stderr when available and otherwise asks you to run npm audit for details.
  • npm audit --json can exit non-zero when vulnerabilities are present; this is expected, and the CLI uses the JSON output when npm provides it.