npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

sdkguard-ai

v3.1.0

Published

Analyze Android APK and iOS IPA files for outdated SDKs. Generates a shareable HTML report with version gaps, breaking changes, risk scores, and QA test cases. Zero external LLM calls.

Downloads

121

Readme

SDKGuard-AI — v3.1.0

Analyzes Android APK and iOS IPA files for outdated third-party SDKs, CVE vulnerabilities, and upgrade risk.
Generates shareable HTML + JSON reports with version gaps, breaking changes, risk scores, and QA test cases.

Zero external LLM calls. All analysis is deterministic code.

# Run instantly without installing
npx sdkguard-ai MyApp.apk

# Or install globally
npm install -g sdkguard-ai
sdkguard MyApp.apk

What's New in v2.1.0

| Feature | Details | |---|---| | 🐦 Flutter APK support | Detects Flutter apps via libflutter.so, scans DEX for plugin registrations, looks up versions on pub.dev | | 📋 JSON report | Every analysis saves both .html and .json — ready for CI/CD, dashboards, integrations | | 🔒 CVE / Vulnerability scanning | Checks every detected SDK against the OSV database (free, no API key) — shows severity, affected range, fix version | | 🔍 Improved analysis accuracy | Tighter detection patterns eliminate false positives; AXML parser extracts package name & version from binary AndroidManifest | | 📦 Auto-detection (no registry needed) | IPA: every .framework is auto-detected and looked up on CocoaPods. Flutter: every plugin is auto-detected and looked up on pub.dev | | 📱 App metadata in report | Package name, version, platform, Min SDK / Min iOS shown in the report hero |


How It Works

APK / IPA
    │
    ▼
Extract SDKs ──────────────────────────────────────────────────────────────────────┐
  Android: DEX string scan · .properties files · AXML manifest parser              │
  iOS:     .framework/Info.plist (binary + XML plist) · auto-detect all frameworks │
  Flutter: libflutter.so detection · DEX plugin error strings · class descriptors  │
    │                                                                               │
    ▼                                                                               │
Fetch Latest Versions                                                               │
  Android SDKs → GitHub Releases / Google Maven / Maven Central                    │
  iOS SDKs     → CocoaPods trunk API                                               │
  Flutter      → pub.dev API                                                        │
  Unknown iOS  → CocoaPods auto-lookup by framework name                            │
    │                                                                               │
    ▼                                                                               │
Check CVEs (OSV API — osv.dev)                                                     │
  Per SDK: severity · CVSS score · affected version range · fix version            │
    │                                                                               │
    ▼                                                                               │
Parse Changelogs (GitHub Releases API)                                             │
  Breaking changes · deprecated APIs · permission changes — regex only, no LLM    │
    │                                                                               │
    ▼                                                                               │
Score Risk · Generate QA Test Cases                                                │
    │                                                                               │
    ▼                                                                               │
Build Reports                                                                       │
  HTML — self-contained, shareable, printable to PDF                               │
  JSON — structured, CI/CD-ready                                                   │
└──────────────────────────────────────────────────────────────────────────────────┘

What It Detects

Registered SDKs (full changelog + risk analysis)

| Category | SDKs | |---|---| | Analytics | Firebase Analytics, Mixpanel, Amplitude, Segment, Microsoft Clarity, Qualtrics | | Crash Reporting | Firebase Crashlytics, Sentry, Bugsnag | | Push Notifications | Firebase Cloud Messaging, OneSignal | | Attribution | Adjust, AppsFlyer | | Deep Linking | Branch | | Engagement / CRM | Braze, Intercom, CleverTap, MoEngage | | Ads | Google AdMob, AppLovin MAX, IronSource | | Security | ZDefend (Zimperium) |

Auto-detected SDKs (version lookup only)

| Platform | What | Source | |---|---|---| | iOS | Every .framework inside the IPA not in the registry | CocoaPods trunk API | | Flutter (Android) | Every plugin registered in DEX (GeneratedPluginRegistrant) | pub.dev API |

No registry entry needed — these are discovered dynamically from the binary.


Reports

HTML Report

A single self-contained file — open in any browser, no internet required. Share as a file or print to PDF.

| Section | Description | |---|---| | Hero banner | App name, bundle ID, version, platform, 🐦 Flutter badge (if applicable), Min SDK / Min OS | | Summary stats | SDKs detected / Outdated / Up to date / Unknown / CVEs Found / QA Test Cases | | Security (CVE) | All vulnerabilities regardless of SDK status — severity, fix version, advisory links | | Outdated SDK cards | Installed vs latest, version gap, risk score, release notes link | | Breaking changes | Parsed from GitHub release notes | | Permission changes | New/removed Android permissions or iOS entitlements | | Deprecated APIs | With migration hints | | QA Test Cases | Auto-generated P0/P1 per SDK | | Master QA Checklist | Interactive checkboxes per priority | | Up to Date / Unknown | Status for all remaining SDKs |

JSON Report

Saved alongside the HTML as <name>-<timestamp>.json. Structure:

{
  "generatedAt": "2025-01-01T00:00:00.000Z",
  "app": {
    "name": "MyApp",
    "bundleId": "com.example.myapp",
    "version": "1.2.3",
    "platform": "android",
    "minSdk": 21,
    "filename": "MyApp.apk",
    "fileSizeMB": 45.2
  },
  "summary": {
    "total": 8,
    "outdated": 3,
    "current": 4,
    "unknown": 1,
    "vulns": 2,
    "tests": 12
  },
  "sdks": [
    {
      "name": "Firebase Analytics",
      "status": "outdated",
      "installedVersion": "21.0.0",
      "latestVersion": "22.1.0",
      "versionGap": "1 major, 1 minor",
      "risk": { "level": "HIGH", "score": 9, "label": "High Risk" },
      "vulnerabilities": [...],
      "breakingChanges": [...],
      "testCases": [...],
      "releaseUrl": "https://..."
    }
  ]
}

Flutter Support

SDKGuard automatically detects Flutter apps and scans for plugins:

  1. Detection — presence of libflutter.so in lib/*/
  2. Plugin extraction — scans DEX for:
    • Error strings: "Error registering plugin <pub_name>, <ClassName>"
    • Class descriptors: L<package>/Flutter*Plugin;
    • Asset paths: flutter_assets/packages/<name>/
  3. Version lookup — pub.dev API (pub.dev/api/packages/<name>)
  4. Report — shows 🐦 Flutter badge in hero; plugins listed under "Flutter Plugin" category

Note: Flutter compiles all Dart code into native blobs (kernel_blob.bin, vm_snapshot_data). Plugin versions are generally not embedded in the binary — status shows as "unknown" with the latest pub.dev version for reference.


CVE / Vulnerability Scanning

Every detected SDK is checked against the OSV database (open-source, free, no API key):

  • Severity — CRITICAL / HIGH / MEDIUM / LOW (from CVSS v3/v4 or GitHub Advisory)
  • CVE ID — links to NVD or OSV advisory
  • Affected range — which versions are vulnerable
  • Fix version — minimum version to upgrade to (green highlight)
  • Applies regardless of status — a "current" SDK can still have CVEs

Installation

Option A — npx (no install needed)

npx sdkguard-ai MyApp.apk

Option B — global install

npm install -g sdkguard-ai
sdkguard MyApp.apk

Option C — from source

git clone https://github.com/subrahmanyammarella/sdkguard-ai
cd sdkguard-ai
npm install
node bin/sdkguard.js MyApp.apk

CLI Usage

USAGE
  sdkguard <file.apk|file.ipa> [options]   Analyze an APK or IPA file
  sdkguard check <sdk-name> <version>       Check a single SDK version
  sdkguard list                             List all supported SDKs
  sdkguard --mcp                            Run as MCP server (Claude Desktop)

OPTIONS
  -o, --output <path>   Save HTML report to this path (default: temp file)
  --no-open             Don't open the report in the browser after saving
  -h, --help            Show this help

EXAMPLES
  sdkguard MyApp.apk
  sdkguard MyApp.ipa -o ~/Desktop/report.html
  sdkguard check clevertap 5.2.1
  sdkguard list

Terminal output example:

  SDKGuard · Analyzing MyApp.apk (45.1 MB)

  SDKs detected  : 8
  Outdated       : 3 ⚠️
  Up to date     : 4
  Version unknown: 1
  CVEs found     : 2 🔒
  QA test cases  : 7

  Outdated SDKs:
    🔴 Firebase Analytics           21.0.0     → 22.1.0  (1 major, 1 minor)
    🟡 Sentry                       6.0.0      → 7.3.0   (1 major, 3 minor)
    🟢 Adjust                       4.33.0     → 4.38.1  (5 patch)

  ⚠️  CVEs in detected SDKs:
    🔒 Sentry: CVE-2023-28117 [HIGH] — Sentry's Python SDK unintentionally exposes...

  📄 HTML Report : /tmp/sdkguard-MyApp-1234567890.html (48.2 KB)
  📋 JSON Report : /tmp/sdkguard-MyApp-1234567890.json
  🌐 Opened in browser

Add to Claude Desktop (MCP)

Open ~/Library/Application Support/Claude/claude_desktop_config.json and add:

If installed via npm:

{
  "mcpServers": {
    "sdkguard-ai": {
      "command": "npx",
      "args": ["sdkguard-ai", "--mcp"]
    }
  }
}

If running from source:

{
  "mcpServers": {
    "sdkguard-ai": {
      "command": "node",
      "args": ["/absolute/path/to/SDKGuard-AI/bin/sdkguard.js", "--mcp"]
    }
  }
}

Restart Claude Desktop. The tools are now available in every conversation.


MCP Tools Reference

| Tool | Input | What it does | |---|---|---| | analyze_path | file_path | Primary — analyze APK/IPA from file path directly | | analyze_app | file_base64, filename | Analyze APK/IPA from base64-encoded content | | check_sdk_version | sdk_name, current_version | Quick version check for one SDK | | list_supported_sdks | — | Lists all supported SDKs by category |

Sample Claude prompts

Analyze /Users/me/Downloads/MyApp.apk for outdated SDKs
Check this IPA: ~/Desktop/MyApp.ipa — any CVEs or outdated SDKs?
Is firebase-analytics 20.1.0 outdated?
What SDKs can you detect?

Risk Scoring

Calculated deterministically — no LLM involved.

| Finding | Weight | |---|---| | Breaking change | +3 per finding | | Permission change | +4 per finding | | Config change | +1 per finding | | Deprecated API | +1 per finding | | HIGH severity finding | +3 bonus | | Each major version behind | +2 per major | | Each minor version behind | +0.5 per minor |

| Score | Level | Action | |---|---|---| | 0 | ✅ Up to date | — | | 1–3 | 🟢 Low | Safe with smoke tests | | 4–7 | 🟡 Medium | Regression testing recommended | | 8–12 | 🔴 High | QA sprint before upgrading | | 13+ | 🚨 Critical | Upgrade blocker |


Version Detection Sources

| Platform | SDK family | Source | |---|---|---| | Android | Firebase, Google AdMob | Google Maven (dl.google.com/dl/android/maven2) | | Android | Most SDKs | GitHub Releases API | | Android | Maven-only | Maven Central search API | | iOS | Registered SDKs | GitHub Releases / CocoaPods trunk | | iOS | Auto-detected frameworks | CocoaPods trunk API (by framework name) | | Flutter | All plugins | pub.dev API |

Version extraction from binary (Android):

  1. Root .properties files — Gradle embeds exact per-artifact versions (highest accuracy)
  2. META-INF/*.properties — Maven group/artifact/version coordinates
  3. artifact:version strings in DEX — some SDKs embed these as build-time constants
  4. Binary string scan of DEX files — fallback

Requirements

  • Node.js 18+
  • No API keys required
  • Internet connection for version/CVE lookups (cached per run)