npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

projectlens

v1.0.6

Published

Local lint, type-check & AI security dashboard for JS/TS projects

Readme

Projectlens CLI

Local lint, type-check & AI security dashboard for JS/TS projects (Next.js, SvelteKit, Vue, plain Node).

| | | |---|---| | Overview | Lint |

Run one command inside any project and Projectlens runs your real ESLint and TypeScript toolchain, audits your dependencies, runs an AI security review over your source, and opens a live dashboard at localhost:4321.

projectlens                 # run checks + open the dashboard
projectlens --no-ai         # skip the AI security pass (lint + types only)
projectlens --ci            # run once, print summary, exit non-zero on issues
projectlens --json          # print the full report as JSON and exit
projectlens --min-score 80  # in --ci mode, fail if health score < 80

What the dashboard shows

The dashboard turns one run into a navigable workspace:

  • Overview — composite health score, severity breakdown, and per-category summaries.
  • Trends — an interactive multi-metric chart and per-run history table built from the local .projectlens/ run history (deltas, peak/low/avg).
  • Code quality — Lint, Types, and Tests findings from your real toolchain.
  • Security — AI security review with severity sub-tabs (Critical → Info).
  • Dependencies — real CVE advisories with fix-version guidance.
  • Database — schema inspection plus a foreign-key relationship graph.
  • API surface — a map of detected routes (Next, Express, Hono, Fastify, SvelteKit, Nuxt) with method, auth, and validation coverage.
  • Auth, Environment, Network, Git/CI, Docs — focused panels for each area.
  • Task Manager — a built-in kanban board (see below).

Task Manager (dashboard-only)

Every finding has a Track task action — in its detail sheet and inline on each list row. Tracking adds it to a kanban board and marks the row so you can see what's already on your worklist at a glance.

  • Custom columns — rename/delete the defaults (To do / In progress / Done) and add your own; drag cards between columns to change status.
  • Groups/tags — file tasks under labels like "This sprint" or "Tech debt" and filter by them; create a group inline while tracking.
  • Detail — click a tracked finding to reopen its full analysis; click a free-form task to edit its column, priority, group, and notes.

The board is stored only in your browser (localStorage) — it never leaves your machine or reaches the CLI. Manage or reset it from Settings → Task board.

Screenshots

| | | |---|---| | Overview | Lint | | Type | Trend | | Dependencies | Statistics | | Security | Database | | Git | Task Manager | | Details | Docs |

How it works

cli.ts            entry point + flag parsing (commander)
run.ts            orchestrates the pipeline, emits streaming events
detect.ts         reads package.json → framework + package manager
runners/eslint.ts spawns your local eslint, parses --format json
runners/tsc.ts    spawns tsc --pretty false, parses the diagnostic chain
runners/audit.ts  npm/pnpm/yarn audit --json → real CVE advisories
ai/audit.ts       AI SDK security review (code) + dependency prioritization
report.ts         weighted composite health score
store.ts          local run history in .projectlens/ (powers trends)
server.ts         local HTTP + WebSocket server that serves the dashboard

The dashboard (the Next.js app one level up) is prebuilt into cli/public and served statically, so the installed tool has no runtime build step.

Building

# from the cli/ package
pnpm install
pnpm build          # builds the dashboard into ./public, then bundles the CLI

pnpm build runs two steps:

  1. build:dashboard — static-exports the Next.js dashboard (with PROJECTLENS_EXPORT=1) and copies it into cli/public.
  2. tsup — bundles src/ into dist/.

Installing it into your own projects

Local link (best while iterating on the tool):

cd cli
pnpm build
pnpm link --global

cd ~/your-project
projectlens

Run directly by path (no linking):

node ~/path/to/cli/dist/cli.js

Publish (optional, for npx projectlens):

cd cli
npm publish

AI security audit

The AI pass needs a model key. Projectlens uses the Vercel AI Gateway, so set one of:

export AI_GATEWAY_API_KEY=...   # recommended
# or
export OPENAI_API_KEY=...

By default the audit runs on a free OpenRouter text model (meta-llama/llama-3.3-70b-instruct:free) and automatically falls back to google/gemini-2.5-flash if the primary model errors or is rate-limited, so the review keeps working out of the box. Override either via env or .projectlensrc:

export PROJECTLENS_MODEL=openai/gpt-5-mini           # primary model
export PROJECTLENS_FALLBACK_MODEL=anthropic/claude-haiku-4

Without a key, lint + type-check + dependency advisories still run; only the AI code review and prioritization are skipped (--no-ai silences the warning). Only the selected security-relevant source files are sent to the model.