npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

smith-check

v1.0.3

Published

Scan your AI-built project for common issues before launch — from the Smith rescue community

Readme

smith-check

Scan your AI-built project for common issues before launch.

npx smith-check

No install. No config. Run it in any project directory and get a rescue score with specific findings and fixes.


What it checks

| Check | Severity | What it catches | |-------|----------|----------------| | env-exposure | Critical | Secret keys with NEXT_PUBLIC_ prefix — visible to anyone in DevTools | | gitignore-env | Critical | .env files tracked by git or missing from .gitignore | | service-role | Critical | Supabase service role key used in client-side components | | supabase-rls | Critical | Row Level Security disabled or missing from tables | | stripe-webhook | Critical | Missing signature verification or request.json() breaking signature check | | auth-session | High | getSession() used in server components (use getUser() instead) | | rate-limiting | High | No rate limiting on expensive routes (AI, email, auth) | | middleware | Medium | Missing Next.js middleware — sessions won't persist across requests | | auth-callback | High | Missing or incomplete OAuth callback route |

Each failing check links to the Smith rescue guide and the relevant rescue package.

Example output

Smith Rescue Check v1.0.0
Scanning /path/to/my-app

  CRITICAL
  ✗ Secret key exposed to browser via NEXT_PUBLIC_
    STRIPE_SECRET_KEY has NEXT_PUBLIC_ prefix — visible to anyone who opens DevTools
    Fix: Remove the NEXT_PUBLIC_ prefix. Server-only secrets must never be bundled into client JavaScript.
    → .env.local: NEXT_PUBLIC_STRIPE_SECRET_KEY
    Guide: aismiths.cloud/guides/ai-build-security-checklist

  ✗ Stripe webhook missing signature verification
    Webhook handler does not call stripe.webhooks.constructEvent()
    Fix: Add: const event = stripe.webhooks.constructEvent(body, sig, process.env.STRIPE_WEBHOOK_SECRET!)
    → app/api/webhooks/stripe/route.ts
    Guide: aismiths.cloud/guides/stripe-webhooks-not-firing

  HIGH
  ⚠ getSession() used in server context — use getUser() instead
    Found getSession() in 2 server files
    → app/dashboard/page.tsx:14
    → app/profile/page.tsx:8
    Guide: aismiths.cloud/guides/fixing-supabase-auth-bolt-new

  PASSING (6)
  ✓ .env files protected by .gitignore
  ✓ Supabase service role key not exposed to client
  ✓ Next.js middleware found
  ✓ Auth callback route found and complete
  ✓ No rate-limiting issues detected
  ✓ No Supabase not detected — skipping RLS check

  ────────────────────────────────────────────────────────
  Score: 47/100 — Needs rescue before launch.

  2 failing · 1 warning · 6 passing

  Get it fixed by a Smith:
  → aismiths.cloud/packages#security-audit
  → aismiths.cloud/packages#payment-fix

Options

npx smith-check              # scan current directory
npx smith-check ./my-app     # scan a specific directory
npx smith-check --json       # JSON output (for CI/tooling integration)

Exit codes: 0 = all passing, 1 = one or more failures, 2 = unexpected error.

Use --json to pipe results into other tools or save a report:

npx smith-check --json > rescue-report.json

Using in CI

Add to your GitHub Actions workflow to block merges when critical issues are found:

- name: Smith rescue check
  run: npx smith-check
  # Exits 1 if any check fails — blocks the CI run

Or warn-only (don't block):

- name: Smith rescue check
  run: npx smith-check || true

Contributing a new check

Adding a check takes about 20 minutes. See CONTRIBUTING.md.

Every merged check gets credited in the release notes, and if you're a Smith, your contributor badge appears on your profile.

How checks are structured

Each check is a single TypeScript file that exports one function:

import type { CheckResult, ProjectContext } from "../types.js";

export function checkYourThing(ctx: ProjectContext): CheckResult {
  // ctx gives you: root path, source files, env files, gitignore,
  // package.json deps, and flags for Next.js / Supabase / Stripe
  
  if (somethingBad) {
    return {
      id: "your-check-id",
      label: "Short label shown in output",
      status: "fail",          // "fail" | "warn" | "pass"
      severity: "critical",   // "critical" | "high" | "medium" | "low"
      message: "What's wrong, in one sentence.",
      detail: "How to fix it.",
      locations: ["file.ts:42"],
      guide: "guide-slug",     // links to aismiths.cloud/guides/[guide-slug]
      package: "auth-rescue",  // links to aismiths.cloud/packages#[package]
    };
  }

  return {
    id: "your-check-id",
    label: "All good",
    status: "pass",
    severity: "critical",
    message: "No issues found.",
  };
}

Then register it in src/checks/index.ts. That's it.


Built by Smith — the AI project completion marketplace.
Found a false positive? Open an issue.