
pagepatcher-vibe-security

v1.0.2

Security audit CLI for vibe-coded apps — by PagePatcher.com

Readme

A CLI tool that scans your codebase for common security vulnerabilities that AI coding assistants introduce. Built by Jesse at PagePatcher.com.

AI assistants are great at building features fast but consistently get security wrong: hardcoding secrets, skipping row-level security, trusting client-submitted prices, storing tokens in localStorage. This tool catches those patterns before they ship.

npx pagepatcher-vibe-security
npx pagepatcher-vibe-security ./my-app

What It Checks

| Category | What It Catches |
|---|---|
| Secrets | Hardcoded API keys, dangerous NEXT_PUBLIC_/VITE_/EXPO_PUBLIC_ on secrets, missing .gitignore, hardcoded passwords |
| Database | Supabase USING (true) RLS policies, Firebase allow: if true, INSERT/UPDATE missing WITH CHECK |
| Auth | jwt.decode() without verify, tokens in localStorage, Server Actions without auth check, middleware-only auth |
| Payments | Client-submitted prices to Stripe, missing webhook signature verification, request.json() in webhook handler |
| XSS | dangerouslySetInnerHTML with dynamic value, innerHTML =, eval(), new Function() |
| Path Traversal | fs.readFile / fs.writeFile with user-controlled filenames |
| Open Redirects | res.redirect(req.query…), router.push(searchParams.get(…)) |
| Rate Limiting | Auth/AI/email endpoints without any rate limiting import |
| AI / LLM | AI keys via public env prefixes, direct client-side AI API calls, prompt injection patterns |
| Data Access | $queryRawUnsafe, SQL string concatenation, mass assignment, Prisma operator injection, console.log leaks |
| Mobile | AsyncStorage for auth tokens, EXPO_PUBLIC_ secrets, direct AI API calls from mobile |
| Deployment | CORS wildcard *, source maps in production, missing security headers, full error objects sent to client |


Output

╔══════════════════════════════════════════════════════════╗
║  PagePatcher.com — Vibe-Security — Audit                 ║
║  Scanning: /your/project                                 ║
╚══════════════════════════════════════════════════════════╝

Detected stack: Next.js · Supabase · Stripe

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📋  SUMMARY
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  🔴  CRITICAL   3    Fix before deploying
  🟠  HIGH       4    Fix this week
  🟡  MEDIUM     2    Schedule soon
  🔵  LOW        0    Nice to have

  Checked 143 files in 0.4s

Each finding includes: file + line, the offending code, what an attacker can do, and a concrete fix.


Usage

# Scan current directory
npx pagepatcher-vibe-security

# Scan a specific path
npx pagepatcher-vibe-security ./my-app
npx pagepatcher-vibe-security --path ./my-app

# Install globally
npm install -g pagepatcher-vibe-security
pagepatcher-vibe-security

# CI — exits with code 1 if critical/high issues exist
pagepatcher-vibe-security --path . && echo "Clean"

Tech Stack Detection

Scans package.json to auto-detect which checks to run — no config needed:

  • Next.js — auth middleware, security headers, Server Actions
  • Supabase — RLS policies, service_role exposure
  • Stripe — webhook verification, client-side pricing
  • Firebase — security rules
  • React Native / Expo — AsyncStorage, bundle secrets
  • OpenAI / Anthropic / Google AI — key exposure, client-side calls
  • Prisma — operator injection, raw query safety

Exit Codes

| Code | Meaning |
|---|---|
| 0 | No critical or high issues |
| 1 | Critical or high issues found (useful for CI) |
| 2 | Could not read directory |
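To show how the checks in the table above, the per-finding output (file, line, offending code) and the exit-code rule fit together, here is an added example that is not the pagepatcher-vibe-security source: a miniature regex-based line scanner run over constructed in-memory files. The rule ids, severities and sample file contents are assumptions made for illustration.

```javascript
// Added example (not the pagepatcher-vibe-security source): a miniature of the
// line-by-line pattern checks the README's table lists. Rule ids are assumptions.
const RULES = [
  // NEXT_PUBLIC_/VITE_/EXPO_PUBLIC_ prefixes inline the value into the browser bundle
  { id: 'secrets/public-prefix', severity: 'critical',
    re: /\b(NEXT_PUBLIC_|VITE_|EXPO_PUBLIC_)\w*(SECRET|KEY|TOKEN)\w*/ },
  // A policy that is always true disables row-level security for that operation
  { id: 'db/rls-using-true', severity: 'critical', re: /\bUSING\s*\(\s*true\s*\)/i },
  // Raw SQL helpers bypass Prisma's parameterisation
  { id: 'data/query-raw-unsafe', severity: 'critical', re: /\$queryRawUnsafe\s*\(/ },
  // decode() reads claims without checking the signature
  { id: 'auth/jwt-decode-no-verify', severity: 'high', re: /\bjwt\.decode\s*\(/ },
  // Tokens in localStorage are readable by any script running on the origin
  { id: 'auth/token-in-localstorage', severity: 'high',
    re: /localStorage\.setItem\s*\(\s*['"][^'"]*token[^'"]*['"]/i },
  // Assignment (not comparison) into innerHTML
  { id: 'xss/innerhtml-assignment', severity: 'high', re: /\.innerHTML\s*=(?!=)/ },
];

// Scan one file line by line; each finding records file, line number and offending code.
function scanFile(path, text) {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    for (const rule of RULES) {
      if (rule.re.test(line)) findings.push({ rule: rule.id, severity: rule.severity, file: path, line: i + 1, code: line.trim() });
    }
  });
  return findings;
}

// Tally by severity and derive the CI exit code: 1 when any critical/high finding exists, else 0.
function summarize(findings) {
  const counts = { critical: 0, high: 0, medium: 0, low: 0 };
  for (const f of findings) counts[f.severity] += 1;
  return { counts, exitCode: counts.critical + counts.high > 0 ? 1 : 0 };
}

// Constructed in-memory files standing in for a small Next.js + Supabase app.
const SAMPLE_FILES = {
  '.env.local': 'NEXT_PUBLIC_OPENAI_API_KEY=sk-placeholder\nDATABASE_URL=postgres://localhost/app',
  'supabase/policies.sql': 'CREATE POLICY "open" ON profiles FOR SELECT USING (true);',
  'lib/auth.js': "const claims = jwt.decode(token);\nlocalStorage.setItem('access_token', token);",
  'app/page.jsx': 'el.innerHTML = userBio;',
};

// Run every rule over every file and return findings plus the summary the CLI would print.
function auditAll(files = SAMPLE_FILES) {
  const findings = Object.entries(files).flatMap(([p, t]) => scanFile(p, t));
  return { findings, ...summarize(findings) };
}
```

Against the constructed sample, `auditAll()` reports two critical and three high findings and an exit code of 1; a comparison such as `node.innerHTML === ''` is deliberately not flagged.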


Credits

The security rules in this tool are based on vibe-security-skill by Chris Raroque — an agent skill that defines security audit rules as AI-readable references. We translated those rules into runnable static analysis checks and packaged them as a standalone CLI.

Extended and maintained by PagePatcher.com.


License

MIT — see LICENSE.

Copyright (c) 2025 Chris Raroque
Copyright (c) 2026 PagePatcher.com