npm package discovery and stats viewer.

repopilot

v0.17.0

Published

Local-first CLI for reviewing Git changes, security boundaries, and blast radius before merge.

Readme

RepoPilot

Review what you or an AI agent changed before you merge.

RepoPilot is a fast, local-first Rust CLI for Git change review. It flags security-boundary changes, behavioral and algorithmic shifts, taint-lite flows, and blast radius so maintainers can focus on the parts of a diff that deserve extra attention. It is deterministic, runs entirely on your machine, and can be called by coding agents over MCP. Nothing is uploaded.

git diff -> boundary + behavior + taint + blast radius -> review or CI gate

RepoPilot reports structural evidence, not a security verdict. Use it beside tests, linters, type checkers, and dedicated security tools.

Install

cargo install repopilot
# or
npm install -g repopilot

Homebrew, curl, GitHub Releases, and source builds are documented in Installation.

Review A Change

Review the working tree against HEAD:

repopilot review .

Review a branch before merge:

repopilot review . --base origin/main

RepoPilot groups review evidence into confidence tiers:

  • security boundaries: access control, request trust, deploy surface, supply chain, and secret configuration;
  • behavioral changes: network, subprocess, filesystem, SQL, dependencies, migrations, removed error handling, or removed auth checks;
  • algorithmic changes: deeper nesting, nested loops, growth, or recursion;
  • taint-lite flows: changed request or process input reaching SQL, exec, filesystem-write, or outbound-network sinks;
  • blast radius: files that import a changed file.

All review signals ship at preview. They are advisory by default; enable the explicit high-confidence gate with:

repopilot review . --base origin/main --fail-on-review definitely

For a complete agent run:

repopilot snapshot
# let the agent or developer work
repopilot review --since-snapshot

Full Repository Audit

The broader scan remains available for repository adoption and CI:

repopilot scan .
repopilot baseline create .
repopilot scan . \
  --baseline .repopilot/baseline.json \
  --fail-on new-high

Default scans hide broad maintainability noise. Use --profile strict for the full audit surface.
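The review gate and the baselined scan described above, wired into one CI job as an added example that is not RepoPilot's own code. It assumes repopilot is on PATH, a full clone with the base branch fetched, and that the job invokes it as `sh ci-gate.sh run`; the file name, the BASE_REF/BASELINE variables and the bootstrap-on-missing-baseline behaviour are my choices.

```shell
#!/usr/bin/env sh
# Added example, not RepoPilot's own code: a CI gate that chains the two
# checks described in the README (review gate, then baselined scan).
# Assumes repopilot is on PATH and the job runs in a full clone with the
# base branch already fetched.
set -eu

BASE_REF="${BASE_REF:-origin/main}"
BASELINE="${BASELINE:-.repopilot/baseline.json}"

# Fail the pull request only on the explicit high-confidence review tier;
# the lower tiers stay advisory, as they are by default.
review_gate() {
  repopilot review . --base "$1" --fail-on-review definitely
}

# Run the full audit against the committed baseline so that only new
# high-severity findings fail the job. A repository without a baseline yet
# gets one created instead of a hard failure, so the first run bootstraps
# rather than blocks; commit the generated file afterwards.
scan_gate() {
  if [ ! -f "$1" ]; then
    echo "no baseline at $1; creating one, no scan gate applied this run"
    repopilot baseline create .
    return 0
  fi
  repopilot scan . --baseline "$1" --fail-on new-high
}

# Run both gates without stopping at the first failure so the job log
# shows both results, then report failure if either gate failed.
ci_gate() {
  rc=0
  review_gate "$BASE_REF" || rc=1
  scan_gate "$BASELINE" || rc=1
  return "$rc"
}

# Invoke as `sh ci-gate.sh run` from the CI job; without an argument the
# file only defines the functions so it can be sourced.
case "${1:-}" in
  run) ci_gate ;;
esac
```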

AI Handoff

When you want an external assistant to drive a fix, repopilot ai context turns a scan into one compact, copy-paste-ready Markdown handoff — locally, with no network or LLM calls:

repopilot ai context .
repopilot ai context . --focus security --budget 8k
repopilot ai context . --no-task --output ai-context.md   # fact-only, for embedding

The handoff bundles everything an assistant needs in one document: repository facts and risk, the findings with evidence, a prioritized P0–P3 remediation plan with the Context Risk Graph edit order, working rules, and a verification checklist. Three controls shape it:

  • --focus — security, arch, quality, framework, or all (default);
  • --budget — 2k/4k/8k/16k or an integer token target (default 4k, roughly four characters per token), so the output fits your model's context;
  • --output FILE — write Markdown to a file instead of stdout (or pipe to your clipboard, e.g. | pbcopy). Pass --no-task to drop the agent guidance and emit fact-only context.

MCP Server

repopilot mcp exposes that context — fact-only, the way --no-task emits it — plus review, scan, and explain, as tools over stdio so coding agents can call it directly:

claude mcp add repopilot -- repopilot mcp --root .

The MCP server is synchronous, root-confined, and makes no network or LLM calls. See MCP server.

Distribution

Official CLI channels are crates.io, npm, Homebrew, and GitHub Releases. Editor extensions and PyPI packages are not supported distribution channels.

Documentation

Development

cargo fmt --all -- --check
cargo clippy --all-targets --all-features -- -D warnings
cargo test --all
npm run release:contract
./scripts/smoke-product.sh

License

RepoPilot is licensed under MIT OR Apache-2.0.