npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

thuban

v0.4.14

Published

The safety layer for AI-coded software. Detect hallucinated APIs, ghost code, tech debt, and architecture drift. One command. Minimal dependencies.

Readme

Thuban -- Code Intelligence Scanner

npm version license tests coverage

AI Code Verification — Catch what AI gets wrong.

Static analysis, security scanning, dead code detection, clone detection, AI-generated code scoring, dependency analysis, and mutation testing for 10 languages. One command. Zero runtime dependencies beyond @babel/parser.


Quick Start

npm install -g thuban
thuban scan .

Or run without installing:

npx thuban scan .

JSON output for CI pipelines:

thuban scan . --json

Feature Highlights

Security Analysis

69 detection rules across multiple categories. Cross-file taint tracking follows user input from sources (req.query, req.body, req.params, process.argv, process.env) through assignment, concatenation, and template interpolation to dangerous SQL and XSS sinks -- across file boundaries via require(), import, destructured imports, and re-exports.

thuban scan src/ --json

OWASP Top 10 & CWE Compliance

All security rules (SEC001--SEC019, RUST001--RUST002) map to OWASP Top 10 2021 categories and CWE identifiers. Every finding includes machine-readable owasp and cwe fields in JSON output, enabling direct integration with compliance dashboards and vulnerability management systems.

| OWASP 2021 Category | Rules | CWEs | |-----------------------------------------|----------------------------------------|-----------------------------------| | A01 Broken Access Control | SEC005, SEC013, SEC014 | CWE-22, CWE-942, CWE-601 | | A02 Cryptographic Failures | SEC006, SEC007, SEC008, SEC016 | CWE-798, CWE-327, CWE-330, CWE-208 | | A03 Injection | SEC001, SEC002, SEC003, SEC004, SEC009, SEC011, SEC018, SEC019 | CWE-95, CWE-79, CWE-89, CWE-78, CWE-1321 | | A04 Insecure Design | SEC015 | CWE-209 | | A05 Security Misconfiguration | SEC017 | CWE-611 | | A06 Vulnerable Components | RUST001, RUST002 | CWE-908, CWE-477 | | A08 Software and Data Integrity | SEC012 | CWE-502 | | A10 SSRF | SEC010 | CWE-918 |

Control Flow Graph Analysis

Detects unreachable code, infinite loops, and dead branches through AST-based control flow graph construction.

Clone Detection

Multi-language code clone detection with AST normalization. Finds duplicated logic across your codebase.

thuban clones src/

AI-Generated Code Scoring

Scores files for likelihood of AI generation based on structural patterns, naming conventions, and code smells common in LLM output.

thuban aiscore src/

Dependency Analysis

Maps dependency graphs, detects circular imports, and identifies unused or phantom dependencies.

thuban deps .

Mutation Testing (Crucible)

Built-in mutation testing engine. 515 seed files generate 1,030 mutations. Validates that your test suite catches real bugs.

thuban crucible --mode kenny    # standard mode
thuban crucible --mode hell     # maximum mutation density

Ghost Code Detection

Finds dead exports, unused functions, and unreachable modules.

thuban ghosts src/

Auto-Fix

Automatically applies safe fixes for supported rule violations.

thuban fix src/

HTML Dashboard

Generates a visual HTML report with charts, trends, and drill-down by category.

thuban dashboard .

Executive Reports

PDF-ready executive summary with risk scores, trend data, and remediation priorities.

thuban executive .
thuban pdf .

Baseline Scanning

Establish a baseline and track only new issues introduced after that point.

thuban baseline .          # save current state
thuban scan . --baseline   # report only new issues
thuban compare .           # compare current scan to baseline

Pre-Commit Gate

Block commits that introduce issues above a configurable threshold.

thuban gate .

Inline Suppression

Suppress specific rules on a per-line basis:

const query = "SELECT * FROM " + input; // thuban-ignore SEC001
password = "admin123"  # thuban-ignore SEC005

Suppress all rules on a line:

eval(code); // thuban-ignore

Supported Languages

| Language | Extension(s) | AST Engine | |------------|----------------------|----------------| | JavaScript | .js, .mjs, .cjs| Babel | | TypeScript | .ts | Babel | | JSX | .jsx | Babel | | TSX | .tsx | Babel | | Python | .py | Python ast | | Go | .go | go/parser | | Rust | .rs | Pattern-based | | Ruby | .rb | Pattern-based | | Java | .java | Pattern-based | | C# | .cs | Pattern-based | | Kotlin | .kt | Pattern-based | | PHP | .php | Pattern-based |

Three AST engines provide deep analysis: Babel for JavaScript/TypeScript/JSX/TSX, Python ast for Python, and Go go/parser for Go. Remaining languages use pattern-based detection.


Detection Rules

69 rules organized by category:

| Category | Rule IDs | Description | |-------------|-----------------------|--------------------------------------------------| | Security | SEC001--SEC019 | SQL injection, XSS, hardcoded secrets, eval, command injection, path traversal, insecure crypto, SSRF, prototype pollution, and more | | Security | RUST001--RUST002 | Rust-specific unsafe patterns | | Quality | QUAL001--QUAL004 | Code quality, naming, structure | | Performance | PERF001 | Performance anti-patterns | | AST | AST001--AST005 | Phantom imports, deprecated APIs, unused variables, hallucinated APIs, empty catch blocks | | AST | AST011--AST014 | Advanced AST patterns | | Taint | TAINT001--TAINT002 | Cross-file taint tracking for SQLi and XSS | | CFG | CFG001--CFG005 | Unreachable code, infinite loops, dead branches | | Nesting | NEST001 | Excessive nesting depth | | Complexity | CMPLX001--CMPLX002 | Cyclomatic and cognitive complexity |


CLI Commands

28 commands grouped by function:

Core Scanning

| Command | Description | |---------------|--------------------------------------------------| | scan [path] | Scan a codebase for issues | | diff [path] | Scan only git-changed files | | deps [path] | Map dependencies and detect circular imports | | health [path]| Run health check on codebase | | report [path]| Full scan + deps + drift combined report |

Detection

| Command | Description | |----------------------|--------------------------------------------| | hallucinate [path] | Detect AI hallucinations and phantom imports| | ghosts [path] | Detect dead code and unused exports | | aiscore [path] | Score files for AI-generated code patterns | | clones [path] | Detect code clones across the codebase | | drift [path] | Detect drift from Mother Code annotations | | debt [path] | Analyze technical debt | | cost [path] | Calculate technical debt cost |

Remediation

| Command | Description | |---------------|--------------------------------------------------| | fix [path] | Auto-fix supported rule violations | | inject [path]| Inject Mother Code DNA widget into files | | gate [path] | Pre-commit quality gate |

Reporting

| Command | Description | |--------------------|-----------------------------------------------| | dashboard [path] | Generate visual HTML dashboard | | executive [path] | Generate executive summary report | | pdf [path] | Generate PDF-ready report | | passport [path] | Generate codebase passport |

Monitoring

| Command | Description | |------------------|-------------------------------------------------| | watch [path] | Live sentinel -- continuous file monitoring | | monitor [path] | Recurring scans with history and alerts | | history [path] | View recurring scan history | | trend [path] | Show issue trends across scans |

Baseline and Comparison

| Command | Description | |------------------|-------------------------------------------------| | baseline [path]| Save current scan state as baseline | | compare [path] | Compare current scan against baseline |

Licensing

| Command | Description | |------------|------------------------------------------------------| | activate | Activate a license key | | status | Show current license status | | upgrade | Upgrade license tier |

Mutation Testing

| Command | Description | |------------|------------------------------------------------------| | crucible | Run the Crucible mutation testing engine |


Configuration

.thubanrc.json

Place a .thubanrc.json in your project root to configure scan behavior:

{
  "$schema": "https://thuban.dev/schema/thubanrc.json",
  "minScore": 0,
  "ignore": [
    "node_modules",
    "dist",
    ".git",
    "coverage"
  ],
  "hallucination": {
    "enabled": true,
    "ignore": []
  },
  "motherCode": {
    "enabled": true,
    "autoInject": false
  },
  "report": {
    "format": "html",
    "outputDir": "."
  },
  "ci": {
    "failOnGrade": "F",
    "postComment": true
  }
}

.thubanignore

Exclude files and directories from scanning, one glob pattern per line:

packages/crucible/seeds/**
tests/regression/fixtures/**
vendor/**

JSON Output

All scan commands support --json for machine-readable output:

thuban scan src/ --json
{
  "version": "0.4.5",
  "timestamp": "2026-07-04T12:00:00.000Z",
  "files": 42,
  "issues": [
    {
      "file": "src/api/handler.js",
      "line": 17,
      "rule": "SEC001",
      "severity": "critical",
      "category": "security",
      "message": "Potential SQL injection: unsanitized input in query string",
      "fix": "Use parameterized queries instead of string concatenation"
    }
  ],
  "summary": {
    "critical": 1,
    "warning": 3,
    "info": 5,
    "score": 72,
    "grade": "C"
  }
}

Performance

| Metric | Value | |----------------|--------------------| | Throughput | ~23,000 lines/sec | | Test suite | 746 tests | | Code coverage | 91.2% | | Dependencies | 1 (@babel/parser) |


Tiers

| Tier | Limit | Features | |------------|-----------|---------------------------------------------------| | Free | 100 files | Core scanning, all 69 rules, JSON output | | Pro | Unlimited | Recurring scans, history, trends, notifications | | Team | Unlimited | Dashboard, executive reports, baseline management | | Enterprise | Unlimited | Custom rules, priority support, SSO |

Activate a license:

thuban activate <license-key>
thuban status

CI Integration

GitHub Actions

- name: Thuban Scan
  run: npx thuban scan . --json --baseline
  env:
    THUBAN_LICENSE: ${{ secrets.THUBAN_LICENSE }}

Pre-Commit Hook

thuban gate . --fail-on critical

Requirements

  • Node.js >= 16.0.0

Contributing

  1. Fork the repository
  2. Create a feature branch (git checkout -b feature/my-feature)
  3. Run the test suite (npm test)
  4. Submit a pull request

Issues and feature requests: github.com/SilverwingsBenefitsGit/thuban/issues


License

MIT


thuban.dev