npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

rederive

v0.3.1

Published

The trust-nothing package manager. A rederive package ships its CONTRACT (spec + held-out oracle), not trusted bytes — verify the shipped code against it, or re-derive it locally from the spec.

Readme

rederive — the trust-nothing package manager

A SIR package ships its contract — a structural spec (sir/) + a held-out oracle (oracles/) — not bytes you have to trust. A consumer either verifies the shipped implementation against that contract, or rebuilds it locally from the spec. Either way, the thing you trust is an independent oracle the publisher can't move, not the publisher's binary.

npm registry:          you install a prebuilt artifact and TRUST the publisher (and everyone upstream).
rederive:                 you get a spec + a held-out oracle. You verify the bytes, or regenerate them yourself.

Open core, for real. The CLI, the SIR format, the verified-recompose loop, and the public catalog are Apache-2.0 and stay that way. What's open and what we'll ever charge for — and the things we promise never to do to the community — are written down and binding in The rederive Promise.

The two operations

| command | what it does | tokens | |---|---|---| | rdv check <pkg> | re-run each unit's held-out oracle against src/, and verify the recorded content hashes. Deterministic. | none | | rdv vis <pkg> | (re)generate vis.html — what's in the package, each unit's kind/signature/proof, provenance, limitations. | none | | rdv resynth <pkg> | rebuild src/ locally from sir/ + oracles/ via N isolated quorum workers (original deleted), then re-verify. | torches tokens |

check is the load-bearing trust primitive — and it's deterministic and free. The oracle is held-out (the implementation never saw it), so passing it is evidence of behavior, not of matching a snapshot.

A second mode: verified normalization (rdv normalize)

The catalog re-derives a unit from a compact contract. But some code has no compact contract — a 2,000-line promise machine, a stateful HTTP client, a concurrent coordinator. For those you don't delete the original; you keep it running as the oracle, propose a firewall-clean factoring, and verify the new structure reproduces the original on generated, held-out scenarios it never saw. You modernize a tangle and prove you didn't change its behavior. (Mode 1 guards against hallucination; Mode 2 guards against an incomplete refactor.)

It reaches the parts that defeat a compact contract: timers verify on virtual time, the event loop is injected and replayed, and genuinely concurrent code is verified by owning the message scheduler and checking the space of interleavings — exhaustively for small inputs, partial-order-reduced beyond.

Status (honest): the method is validated on real modules — debug, q, request's redirect state machine (256/256 on generated + held-out scenarios), p-map (concurrency contract verified across the whole interleaving space for small inputs, POR-scaled beyond). rdv normalize as a one-command workflow is being built — it is not a shipping CLI command yet.

Why it's a supply-chain defense

The oracle is an independent source of truth nobody upstream can edit. Tamper with the shipped src/ — a sabotage, a malicious patch, a subtle regression — and check catches it two ways at once:

$ rdv check packages/colors          # after flipping one character in src/strip.js
  ✗ FAILED  strip
     held-out 5/10 miss=[ho_combined_sgr_leading,ho_csi_clear_screen,…]   hashes MISMATCH (src:false …)
  VERIFICATION FAILED — do not trust this src; rebuild with: rdv resynth packages/colors

The behavioral oracle catches what changed; the content hash catches that anything changed at all.

First package: @rederive/colors

A verified-recompose of [email protected] — the last release before the Jan-2022 maintainer sabotage of colors/faker that broke thousands of builds. The exact case this model is for: an abandoned-but-load-bearing package you can't trust to a maintainer.

  • strip — zero-dependency, quorum-verified (3/3), 10 frozen / 10 held-out. Behavior-locked to the original including its limitation: it removes only single-parameter SGR codes — CSI/OSC terminal-injection escapes survive (see packages/colors/README.md). The oracle documents that, so the contract is honest about what the code does and doesn't do.
npm install            # tsx
npm run check          # rdv check packages/colors  → ✓ VERIFIED
npm run vis            # writes packages/colors/vis.html

Package layout

packages/<name>/
  sir.manifest.json   provenance (source + sha256), units[], per-unit oracle/src/sir hashes, verify status
  sir/<unit>.sir      the spec skeleton (kind, signature, oracle pointer; original deleted)
  oracles/<unit>.json frozen (in-prompt) + held-out (graded) vectors — expecteds stamped by EXECUTION
  src/<unit>.js       the verified, quorum-passed, zero-dep implementation
  vis.html            generated by `rdv vis`
  package.json        zero-dep

Status (honest)

  • check + vis — deterministic, done, self-contained (needs only tsx).
  • resynth — the local token-torching rebuild. The re-emit substrate is not wired into this CLI: a plain CLI can't spawn Claude Code subagents. Drive it via the sir-verify skill from the sir Claude Code plugin (/plugin marketplace add rederive/sir-toolkit/plugin install sir@sir-toolkit), or a direct Messages-API worker; then rdv check must pass and the manifest srcSha256 is updated. rdv build (AOT/native) is reserved.
  • Built on the SIR verified-recompose toolkit (decompile → kind-graph → held-out oracle → quorum re-emit).

The ecosystem

| artifact | what | where | |---|---|---| | rdv (this repo) | the trust-nothing verifier | npm rederive | | sir-factory | the build orchestrator | npm · repo | | sir plugin | Claude Code skills & agents (sir-verify, preflight) | repo | | SIR Schema | the normative spec (v0.4) | repo · narrative |