npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

openapi-sentinel

v0.1.0

Published

Runtime OpenAPI 3.1 request/response validation middleware — detect spec drift live

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Maintainers

mstuartmstuart

Keywords

openapivalidationmiddlewarespec-driftapi

Readme

openapi-sentinel

Runtime OpenAPI 3.1 request/response validation middleware. Detect spec drift live in staging environments. Zero runtime dependencies.

Motivation

API specifications and implementations drift apart over time. New fields get added without updating the spec, required fields get silently dropped, and response shapes change without notice. openapi-sentinel catches these mismatches at runtime by validating actual HTTP traffic against your OpenAPI 3.1 specification.

Run it in staging to build a drift report before each release. Or run it in development to catch contract violations as you code.

Install

npm install openapi-sentinel

Quick Start

import { createSentinel } from 'openapi-sentinel';
import spec from './openapi.json';

const sentinel = createSentinel({
  spec,
  validate: {
    request: true,
    response: true,
    onViolation: 'warn',
  },
  report: {
    driftReportPath: './drift-report.json',
  },
});

Framework Integration

Hono

import { Hono } from 'hono';
import { createSentinel } from 'openapi-sentinel';

const app = new Hono();
const sentinel = createSentinel({
  spec: myOpenApiSpec,
  validate: { request: true, response: true, onViolation: 'warn' },
});

app.use('*', sentinel.middleware());

app.get('/users', (c) => c.json({ users: [] }));

Generic Web Standards

Any framework that uses the Web Standards Request/Response API:

const mw = sentinel.middleware();

// In your handler:
const response = await mw(request, async () => {
  // your handler logic
  return new Response(JSON.stringify(data), {
    status: 200,
    headers: { 'Content-Type': 'application/json' },
  });
});

Express / Fastify (via adapter)

Wrap the Web Standards middleware with a framework-specific adapter:

// Express example
app.use((req, res, next) => {
  const webReq = new Request(`http://${req.headers.host}${req.url}`, {
    method: req.method,
    headers: req.headers as any,
    body: req.method !== 'GET' ? JSON.stringify(req.body) : undefined,
  });

  const mw = sentinel.middleware();
  mw(webReq, async () => {
    // Let Express handle the actual response
    next();
    return new Response(); // placeholder
  });
});

onViolation Modes

| Mode | Behavior | |------|----------| | 'throw' | Throws an error immediately on first violation. Use in tests or strict development. | | 'warn' | Logs violations via console.warn. Use in staging for visibility without breaking requests. | | 'log' | Logs violations via console.log. Quieter alternative for production-adjacent environments. |

In all modes, violations are accumulated and available via sentinel.getViolations().

Drift Report

When report.driftReportPath is set, openapi-sentinel writes a JSON report of all accumulated violations on process exit:

{
  "generatedAt": "2026-01-15T10:30:00.000Z",
  "totalViolations": 3,
  "violations": [
    {
      "type": "request",
      "method": "POST",
      "path": "/users",
      "issue": "Unknown field: legacyId",
      "timestamp": "2026-01-15T10:25:00.000Z"
    }
  ]
}

Use this in CI to detect spec drift:

node your-staging-tests.js
# After tests, check the drift report
if [ -f drift-report.json ]; then
  violations=$(node -e "console.log(require('./drift-report.json').totalViolations)")
  if [ "$violations" -gt "0" ]; then
    echo "Spec drift detected: $violations violations"
    exit 1
  fi
fi

Direct Validation

For testing or one-off checks without middleware:

const violations = await sentinel.validateRequest(request);
const responseViolations = await sentinel.validateResponse(request, response);
const allViolations = sentinel.getViolations();

What Gets Validated

Requests

  • Required query parameters are present
  • Content-Type matches spec-defined media types
  • Required body fields are present (JSON bodies)
  • No unknown top-level fields (JSON bodies)
  • Scalar field types match (string, number, boolean)

Responses

  • Status code is defined in the spec
  • Content-Type matches spec-defined media types

YAML Specs

openapi-sentinel accepts parsed objects. For YAML specs, parse them first:

import { readFileSync } from 'fs';
import yaml from 'js-yaml';

const spec = yaml.load(readFileSync('./openapi.yaml', 'utf8'));
const sentinel = createSentinel({ spec, validate: { onViolation: 'warn' } });

License

MIT