npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

ship18ion

v1.2.1

Published

> **"Production Readiness Inspector" for your apps.**

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Maintainers

champ18ionchamp18ion

Keywords

clisecurityproductionenvsecretsdeploymentlinter

Readme

🚀 ship18ion

"Production Readiness Inspector" for your apps.

ship18ion (read as "ship-tion") is a CLI tool designed to prevent production disasters before they happen. It scans your codebase for environment configuration issues, leaked secrets, dangerous security misconfigurations, and build artifacts that shouldn't be there.

Think of it as eslint but for deployability.

npm version license

✨ Features

  • 🌱 Environment Hygiene:

    • Finds unused variables in your .env files.
    • Detects usage of process.env.VAR that are missing definitions.
    • Supports .env, .env.production and import.meta.env (Vite).

  • 🔐 Secret Detection:

    • Catches hardcoded secrets (AWS keys, Stripe keys, generic private keys).
    • Uses entropy heuristics to find potential secrets hidden in plain sight.
    • Next.js Safety: Warns if NEXT_PUBLIC_ variables contain high-entropy strings (potential accidental leaks).

  • ⚠️ Security & Config:

    • Alerts on debug: true or NODE_ENV mismatches.
    • Detects dangerous CORS configurations (origin: '*').
    • Finds hardcoded database connection strings.

  • 📦 Build Safety:

    • Prevents source maps (.map) from leaking into production builds.
    • Ensures .env files are not bundled into build output directories.
    • Checks for dev dependencies (like eslint) accidentally listed in dependencies.

  • 🧹 Code Hygiene (New):

    • Warns on leftover console.log() calls.
    • Flags FIXME comments that need resolution.

  • 📦 Dependencies (New):

    • Checks for duplicate packages (listed in both dependencies and devDependencies).

  • 🐙 Git Safety (New):

    • Ensures critical files (node_modules, .env) and framework artifacts (.next) are git-ignored.
    • Security: alerts if dangerous keys (e.g. serviceAccountKey.json) exist but are not ignored.

  • 👷 CI/CD Ready:

    • Zero config by default.
    • Returns exit code 1 on failure to block bad builds.

📦 Installation

You can use it directly with npx:

npx ship18ion check

Or install it as a dev dependency:

npm install --save-dev ship18ion

🚀 Usage

Run the check in your project root:

npx ship18ion

CI Mode

For Continuous Integration pipelines (GitHub Actions, GitLab CI, etc.), use the --ci flag for minimal output and standard exit codes:

npx ship18ion check --ci

⚙️ Configuration

ship18ion works out of the box, but you can customize it by creating a ship18ion.config.json file in your root directory:

{
  "env": {
    "required": ["DATABASE_URL", "JWT_SECRET"],
    "disallowed": ["DEBUG_TOKEN"]
  },
  "security": {
    "noCorsWildcard": true,
    "requireRateLimit": false
  },
  "ignore": [
    "**/legacy-code/**",
    "**/test-fixtures/**"
  ]
}

🛡️ Rules Breakdown

| Category | Rule | Description | |----------|------|-------------| | Env | env-unused | A variable is defined in .env but never referenced in code. | | Env | env-missing | A variable is used in code (process.env.X) but not defined. | | Secrets | secret-pattern | Matches regex for known keys (AWS, Stripe, OpenAI). | | Next.js | nextjs-public-secret | High-entropy string found in NEXT_PUBLIC_ variable. | | Security | security-cors | Detects wildcard Access-Control-Allow-Origin. | | Git | git-dirty | Warns if deploying with uncommitted changes. | | Git | git-ignore-missing | Warns if .gitignore is missing critical entries (node_modules, .env). | | Git | git-ignore-auth | Critical: Fails if serviceAccountKey.json etc are not ignored. | | Hygiene | hygiene-console-log | Warns on console.log in production code. | | Hygiene | hygiene-fixme | Warns on leftover FIXME comments. | | Package | package-duplicate | Warns if a package is in both dependency lists. |

🤝 Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

📄 License

ISC