
pocketbase-security

v0.2.0

Audit PocketBase projects for permissive API rules. Detects empty rules, over-permissive auth.id != '' grants, missing admin gates. Active probe confirms leaks live with anonymous fetch.

Readme

PocketBase Security Auditor

Audit any PocketBase instance for over-permissive API rules. Get a shareable HTML report with a fix snippet on every finding. The active probe fetches data anonymously to PROVE leaks live — not just infer them.

Run it without installing anything → apify.com/renzomacar/pocketbase-security-auditor (paste PocketBase URL + admin email/password, get HTML report)

⚡ Want me to run it for you and send back a written report? $99, 24h delivery → https://perufitlife.github.io/supabase-security-skill/ (one landing covers all five — Supabase, PocketBase, Appwrite, Hasura, Firebase)

Why this exists

PocketBase API rules are easy to write and easy to leave too open. Three patterns I see over and over:

  • Empty rule — leaving listRule blank means the collection is fully public. Anyone can list every record without auth.
  • @request.auth.id != "" — looks restrictive but lets ANY logged-in user (including a self-signed-up anonymous one) read or write the entire collection.
  • true literal — leftover from local dev, evaluates to "always allow."

This auditor surfaces all three across every collection in one command.
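As an added illustration of these three patterns (this is example code, not the pocketbase-security package's own implementation), the JavaScript below classifies every rule in a collection export. It assumes the { name, listRule, viewRule, createRule, updateRule, deleteRule } shape of PocketBase's admin collections endpoint, where null is the locked (admin-only) state and "" is public; the sample collections are constructed.

```javascript
const RULE_OPS = ["listRule", "viewRule", "createRule", "updateRule", "deleteRule"];

// Collapse whitespace and quote style so "@request.auth.id != ''" and
// '@request.auth.id!=""' compare equal.
function normalizeRule(rule) {
  return rule.replace(/\s+/g, "").replace(/'/g, '"');
}

// Returns a finding for one rule, or null if the rule is not obviously permissive.
// Assumption: null is PocketBase's "locked" (admin-only) state, while "" is public.
function classifyRule(rule) {
  if (rule === null || rule === undefined) return null; // locked: admins only
  const r = normalizeRule(rule);
  if (r === "") return { severity: "CRITICAL", check: "API rule is empty (fully public)" };
  // Split on top-level OR: any branch that passes on its own grants access by itself.
  // (Parentheses are not parsed; a grouped expression is treated as one branch.)
  const branches = r.split("||");
  if (branches.some((b) => b === "true"))
    return { severity: "HIGH", check: "API rule contains a bare `true` literal" };
  if (branches.some((b) => b === '@request.auth.id!=""'))
    return { severity: "HIGH", check: 'API rule is only @request.auth.id != "" (any logged-in user passes)' };
  return null; // e.g. @request.auth.id != "" && author = @request.auth.id is scoped, not flagged
}

// Walk every collection and op, producing one finding per permissive rule.
function auditCollections(collections) {
  const findings = [];
  for (const col of collections) {
    for (const op of RULE_OPS) {
      const f = classifyRule(col[op]);
      if (f) findings.push({ collection: col.name, op, rule: col[op], ...f });
    }
  }
  return findings;
}

// Constructed sample input in the shape of the admin collections endpoint.
const SAMPLE_COLLECTIONS = [
  { name: "posts", type: "base", listRule: "", viewRule: "@request.auth.id != ''",
    createRule: "true", updateRule: '@request.auth.id != "" && author = @request.auth.id',
    deleteRule: null },
  { name: "audit_log", type: "base", listRule: null, viewRule: null,
    createRule: null, updateRule: null, deleteRule: null },
];

for (const f of auditCollections(SAMPLE_COLLECTIONS))
  console.log(`[${f.severity}] ${f.collection}.${f.op}: ${f.check}`);
```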

Install + run

npx pocketbase-security \
  --url https://my.pocketbase.io \
  --email [email protected] \
  --password $PB_ADMIN_PASS \
  --html report.html

Or via env vars:

POCKETBASE_URL=https://my.pb.io \
[email protected] \
POCKETBASE_ADMIN_PASSWORD=$PB_ADMIN_PASS \
npx pocketbase-security --html report.html

What it checks

| # | Check | Severity |
|---|---|---|
| 1 | API rule is empty (collection is fully public for that op) | CRITICAL |
| 2 | API rule is @request.auth.id != "" (any logged-in user passes) | HIGH |
| 3 | API rule contains true literal (bypasses all checks) | HIGH |
| 4 | Auth collection has open signup + lax create rule (combo) | HIGH |
| 5 | OAuth2 provider enabled without redirect URL whitelist | MEDIUM |
| 6 | Email auth without verification requirement | MEDIUM |
| 7 | S3 storage with debug-level logging risk | LOW |

Every finding ships with a fix snippet you paste back into the PocketBase admin UI.

Active probe

Default: ON. After identifying a suspect collection (empty rule, permissive auth, dangerous literal), the auditor sends an anonymous GET to /api/collections/{name}/records?perPage=1. If the request returns data, the finding is marked confirmed: true with a sample showing the row count, columns visible, and bytes leaked.

Pass --no-probe to skip the live fetch (passive mode only, infers from rule metadata).

Output

  • HTML report — self-contained (~25KB Tailwind + Chart.js via CDN). Top banner shows X of N suspected leaks confirmed live. Every finding card has a red "CONFIRMED LEAK" block when the probe succeeded.
  • JSON — full structured findings (default stdout output if no --html flag).

How to get an admin password

You created one when you initialized PocketBase. If you forgot, reset it via the PB CLI on the host machine: ./pocketbase admin update <email> <new-password>.

The password is used only for this run's admin auth call (collections endpoint requires admin token). The auditor never persists it.

License

MIT. Free, open source. Built by @Perufitlife.

For Supabase, see the sibling tool: https://github.com/Perufitlife/supabase-security-skill