© 2026 – Pkg Stats / Ryan Hefner

shippingszn

v0.8.0

Published

Read-only CLI scanner that checks a project for common pre-launch issues from the shippingszn.com launch checklist.

Downloads

1,113

Readme

shippingszn

A small, read-only CLI that scans a project for common pre-launch issues from the shippingszn.com launch checklist. Run it before you ship to catch obvious mistakes — leaked API keys, missing robots.txt, no security headers, and so on — and get a friendly report linking each finding back to the matching checklist item.

npx shippingszn
# or
pnpm dlx shippingszn

Run it inside any project root. The CLI never writes, modifies, or deletes any files — it only reads. Everything stays on your machine.

What gets checked

The initial check set is intentionally small and high-signal. Each finding maps back to one of the items on the checklist.

  • Hardcoded API keys across many providers (OpenAI, Anthropic, Stripe, AWS, Google, GitHub, Slack, private key blocks).
  • .env present but not ignored in .gitignore, or .env present but no .env.example.
  • Missing .gitignore, robots.txt, sitemap.xml, or a custom favicon.
  • Missing security-header middleware in common server configs.
  • Dangerous code patterns: unsafe HTML injection in React, runtime code-execution calls, wildcard CORS.
  • Python: common debug-mode slip-ups, hardcoded framework secrets, missing env-var loading.
  • Ruby: unsafe string rendering, hardcoded Rails secrets.
  • Go: http.ListenAndServe without TLS, hardcoded token / apiKey / secret literals.
  • Placeholder content (lorem ipsum, John Doe, [email protected]) and TODO / FIXME / XXX / HACK comments.

Each finding is tagged Critical, High, Medium, or Lower and links back to the relevant checklist item on shippingszn.com.

What does NOT get checked

These are deliberately out of scope for v1:

  • Anything that requires running your app (no live HTTP probing, no auth flows).
  • Auto-fixing problems. The CLI is read-only.
  • Deep static analysis or language-specific lints. Use ESLint, Semgrep, or Snyk for that.
  • Validating your actual third-party dashboards (Stripe spend caps, OpenAI quotas, etc.).

A clean report is not a launch certificate — it just means none of the obvious things tripped a tripwire. Walk through the full checklist before you ship.

Usage

shippingszn [path] [options]

Options:
  --json                Output a machine-readable JSON report.
  --base-url <url>      Base URL used to build links back to checklist items.
  --cwd <path>          Directory to scan. Default: current working directory.
  --no-color            Disable ANSI colors in the human-readable report.
  -h, --help            Show help.
  -v, --version         Print version.

Exit codes

  • 0 — No critical findings.
  • 1 — One or more critical findings detected.
  • 2 — The scanner itself crashed.

This makes the CLI suitable for CI:

# .github/workflows/launch-check.yml
- run: npx shippingszn --json > launch-check.json
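The check list and the exit-code contract above, as an added example in JavaScript that is not the shippingszn project's own code: it runs a handful of the listed read-only checks (private key blocks, hardcoded secret literals, .env hygiene, missing housekeeping files, placeholder content and TODO markers) over an in-memory map of relative paths to file contents, tags each finding with the README's severity labels, and returns exit code 0, 1 or 2 as documented. The checklist item ids, the link shape, the severity assigned to each check, and the sample project are all assumptions constructed for this example, not values from the real tool.

```javascript
// Added example, not the shippingszn project's own code. Pure functions over a
// map of relative path -> file contents, so nothing is written and it runs offline.

const CHECKLIST_BASE_URL = 'https://shippingszn.com'; // assumed default for --base-url

// Severity labels as named in the README; which check gets which label is assumed here.
const SEVERITY = { CRITICAL: 'Critical', HIGH: 'High', MEDIUM: 'Medium', LOWER: 'Lower' };

// Checklist item ids and the "#id" link shape are hypothetical.
function finding(id, severity, file, message) {
  return { id, severity, file, message, link: `${CHECKLIST_BASE_URL}/#${id}` };
}

// A committed private key block is treated as critical regardless of key type.
function privateKeyBlocks(files) {
  const re = /-----BEGIN [A-Z ]*PRIVATE KEY-----/;
  return Object.entries(files)
    .filter(([, body]) => re.test(body))
    .map(([path]) => finding('private-key-in-repo', SEVERITY.CRITICAL, path, 'Private key block found in source'));
}

// Generic credential literal: apiKey/token/secret assigned a long quoted string.
// .env* files are handled by envHygiene, so they are skipped here.
function hardcodedSecretLiterals(files) {
  const re = /\b(api[_-]?key|token|secret)\s*[:=]\s*["'`]([^"'`\s]{16,})["'`]/gi;
  const out = [];
  for (const [path, body] of Object.entries(files)) {
    if (path.startsWith('.env')) continue;
    for (const m of body.matchAll(re)) {
      out.push(finding('hardcoded-secrets', SEVERITY.CRITICAL, path, `Hardcoded ${m[1]} literal`));
    }
  }
  return out;
}

// .env present but not ignored, or present without a .env.example.
function envHygiene(files) {
  if (!('.env' in files)) return [];
  const out = [];
  const ignored = (files['.gitignore'] || '').split(/\r?\n/).map((l) => l.trim());
  if (!ignored.some((l) => l === '.env' || l === '.env*' || l === '*.env')) {
    out.push(finding('env-not-ignored', SEVERITY.CRITICAL, '.env', '.env is not listed in .gitignore'));
  }
  if (!('.env.example' in files)) {
    out.push(finding('env-example-missing', SEVERITY.MEDIUM, '.env', '.env present but no .env.example'));
  }
  return out;
}

// Missing housekeeping files, each with an assumed severity.
function missingFiles(files) {
  const wanted = [['.gitignore', SEVERITY.HIGH], ['robots.txt', SEVERITY.MEDIUM], ['sitemap.xml', SEVERITY.LOWER]];
  return wanted
    .filter(([name]) => !(name in files))
    .map(([name, sev]) => finding(`missing-${name.replace(/^\./, '')}`, sev, name, `${name} is missing`));
}

// Placeholder copy and leftover work markers.
function placeholders(files) {
  const out = [];
  for (const [path, body] of Object.entries(files)) {
    if (/lorem ipsum|john doe/i.test(body)) out.push(finding('placeholder-content', SEVERITY.MEDIUM, path, 'Placeholder text'));
    if (/\b(TODO|FIXME|XXX|HACK)\b/.test(body)) out.push(finding('todo-comments', SEVERITY.LOWER, path, 'Unresolved TODO/FIXME marker'));
  }
  return out;
}

const CHECKS = [privateKeyBlocks, hardcodedSecretLiterals, envHygiene, missingFiles, placeholders];

// Exit codes follow the README: 0 no critical findings, 1 critical findings, 2 scanner crashed.
function scan(files) {
  try {
    const findings = CHECKS.flatMap((check) => check(files));
    const exitCode = findings.some((f) => f.severity === SEVERITY.CRITICAL) ? 1 : 0;
    return { findings, exitCode };
  } catch (err) {
    return { findings: [], exitCode: 2, error: String(err) };
  }
}

// Constructed sample projects (not real repositories); the key value is a fake placeholder.
const SAMPLE_PROJECT = {
  'src/config.js': 'export const apiKey = "EXAMPLE_NOT_A_REAL_KEY_0123456789";\n// TODO: rotate before launch\n',
  'deploy/server.pem': '-----BEGIN RSA PRIVATE KEY-----\nEXAMPLEONLY\n-----END RSA PRIVATE KEY-----\n',
  '.env': 'DATABASE_URL=postgres://localhost/app\n',
  '.gitignore': 'node_modules/\ndist/\n',
  'index.html': '<p>Lorem ipsum dolor sit amet</p>\n',
  'robots.txt': 'User-agent: *\nAllow: /\n',
};
const CLEAN_PROJECT = {
  '.gitignore': '.env\nnode_modules/\n',
  '.env': 'FEATURE_FLAG=1\n',
  '.env.example': 'FEATURE_FLAG=\n',
  'robots.txt': 'User-agent: *\nAllow: /\n',
  'sitemap.xml': '<urlset></urlset>\n',
  'src/index.js': 'export const greeting = "hello";\n',
};

for (const f of scan(SAMPLE_PROJECT).findings) console.log(`[${f.severity}] ${f.file}: ${f.message} (${f.link})`);
```

Because every check is a pure function of the file map, the same code can sit behind a CI step without ever touching the working tree, and the severity-to-exit-code mapping in `scan` is the single place where launch policy lives.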

Privacy

shippingszn reads files on your machine. It never uploads source code, makes outbound network calls, or phones home. No telemetry. No accounts. Inspect the source or audit npm pack --dry-run to confirm.

License

MIT. See LICENSE.