unfcked

v0.2.1

Published

Fix the last 20% of your vibe-coded project. Find every issue AI coding tools missed.

Readme

unfuck

npm License: MIT TypeScript Checks: 45+

unfcked.doruk.ch · npm

Your vibe-coded app has problems. This finds all of them.

Published as unfcked on npm (because npm doesn't allow the full word 🙄)

AI coding tools get you 80% of the way there. This tool finds every issue in the last 20% -- the part that actually breaks in production, tanks your SEO, and leaks your API keys.

No AI. No API keys. 45+ checks. Pure static analysis. Runs in seconds.

Quick Start

# Scan current directory
npx unfcked

# Scan a specific project
npx unfcked /path/to/your/project

Development

git clone https://github.com/peaktwilight/unfcked
cd unfcked
npm install
npm run build
node dist/cli.js /path/to/your/project

What It Checks

🔴 Critical -- fix these NOW

  • Hardcoded API keys, secrets, passwords, and tokens in source code
  • .env files not in .gitignore (your secrets will get committed)
  • eval() usage
  • innerHTML / dangerouslySetInnerHTML (XSS vulnerabilities)
  • SQL injection patterns (string concatenation in queries)
  • Non-HTTPS URLs
  • Known key formats: OpenAI (sk-), GitHub (ghp_), AWS (AKIA)
  • Exposed .git directory in public/dist folders
  • Weak crypto (Math.random() in security contexts -- use crypto.randomUUID())

🟠 High -- fix before deploying

  • Missing <title> tag, meta description, Open Graph tags
  • Missing favicon, robots.txt, sitemap.xml
  • Missing charset declaration (<meta charset="utf-8">)
  • No error boundary (React/Next.js -- crashes show a blank white screen)
  • No loading states (users stare at nothing while data fetches)
  • No 404/error page
  • No tests (deploying without a safety net)
  • Missing .gitignore or node_modules not gitignored
  • No build script in package.json
  • process.env usage without fallback values
  • Images missing alt attributes
  • Exposed source maps in output directories (leaks your source code)
  • Hardcoded localhost / 127.0.0.1 URLs (will break in production)

🟡 Medium -- should fix soon

  • Dev dependencies in the wrong section (typescript in dependencies, etc.)
  • Unused dependencies sitting in package.json
  • Missing or stale lockfile
  • Files over 300 lines
  • Silent catch blocks (errors swallowed with no handling)
  • Deeply nested code (4+ levels -- callback hell)
  • TypeScript strict mode not enabled
  • Missing canonical URL (duplicate content issues)
  • Missing lang attribute on <html>
  • No CI/CD configuration
  • No README
  • Bundle size check (>30 production dependencies)
  • No start or dev script in package.json

🔵 Low -- nice to have

  • console.log statements left in code
  • TODO/FIXME/HACK comments
  • any type usage in TypeScript
  • Duplicate file names across directories
  • Empty or near-empty files

Watch Mode

# Live score updates as you fix issues
npx unfcked --watch /path/to/project

Re-scans automatically when files change. Fix an issue, see your score go up in real time.

Scoring

Starts at 100. Every issue deducts points:

| Severity | Penalty |
|----------|---------|
| Critical | -20 |
| High | -10 |
| Medium | -5 |
| Low | -2 |

Verdicts

| Score | Verdict |
|-------|---------|
| 90-100 | CERTIFIED CLEAN |
| 70-89 | MOSTLY GOOD |
| 50-69 | NEEDS WORK |
| 30-49 | PRETTY ROUGH |
| 0-29 | DUMPSTER FIRE |
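The sketch below is an added example, not unfcked's own code. It shows how the key-format and .env checks from the Critical list feed the penalty and verdict tables, and how a CI threshold of 50 would judge the result. The regex tails after each prefix, the exact-match .gitignore test, the floor at 0 and all helper names are assumptions.

```javascript
// Added example, not unfcked's own code. Helper names are hypothetical.
// Key prefixes come from the README; the length/charset tails are assumed.
const KEY_PATTERNS = [
  { name: "OpenAI key", re: /\bsk-[A-Za-z0-9_-]{20,}/ },
  { name: "GitHub token", re: /\bghp_[A-Za-z0-9]{36}\b/ },
  { name: "AWS access key ID", re: /\bAKIA[0-9A-Z]{16}\b/ },
];
const PENALTY = { critical: 20, high: 10, medium: 5, low: 2 };
const VERDICTS = [
  [90, "CERTIFIED CLEAN"], [70, "MOSTLY GOOD"], [50, "NEEDS WORK"], [30, "PRETTY ROUGH"], [0, "DUMPSTER FIRE"],
];

// files: { path: contents }. Returns a list of { severity, file, line, message }.
function scan(files) {
  const issues = [];
  for (const [file, text] of Object.entries(files)) {
    text.split("\n").forEach((src, i) => {
      for (const { name, re } of KEY_PATTERNS) {
        if (re.test(src)) issues.push({ severity: "critical", file, line: i + 1, message: `hardcoded ${name}` });
      }
      if (/\bconsole\.log\(/.test(src)) issues.push({ severity: "low", file, line: i + 1, message: "console.log left in code" });
    });
  }
  // A .env file with no matching ignore rule will be committed with its secrets.
  const ignored = (files[".gitignore"] || "").split("\n").map((l) => l.trim());
  if (".env" in files && !ignored.some((l) => l === ".env" || l === ".env*")) {
    issues.push({ severity: "critical", file: ".env", line: 0, message: ".env not in .gitignore" });
  }
  return issues;
}

function score(issues) {
  const total = issues.reduce((s, i) => s - PENALTY[i.severity], 100);
  const value = Math.max(0, total); // floor at 0 is assumed from the 0-29 band
  return { value, verdict: VERDICTS.find(([min]) => value >= min)[1] };
}

// Constructed sample project; the key values are fake and only match the format.
const SAMPLE = {
  "src/api.js": 'const key = "AKIA' + "ABCDEFGHIJKLMNOP" + '";\nconsole.log(key);',
  "src/gh.js": 'const token = "ghp_' + "a".repeat(36) + '";',
  ".env": "SECRET=1",
  ".gitignore": "node_modules/\n",
};
const report = score(scan(SAMPLE));
console.log(report, report.value >= 50 ? "pass" : "fail (below threshold 50)");
```

Adding `.env` to the sample `.gitignore` removes one critical finding and lifts the score by 20, which is the same kind of change `--fix` is described as making.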

Auto-Fix

npx unfcked /path/to/your/project --fix

Automatically fixes safe issues:

  • Creates .gitignore with sensible defaults if missing
  • Adds .env and node_modules/ to .gitignore
  • Moves dev dependencies (typescript, eslint, jest, @types/*, etc.) to devDependencies
  • Shows before/after score so you can feel good about yourself

Won't touch anything risky. Won't delete your console.logs (you might need those, who knows).

README Badge

npx unfcked /path/to/your/project --badge

Get a shields.io badge for your README:

unfcked score

Paste the markdown into your README. Re-run after fixing issues to update your score.

Flags

| Flag | What it does |
|------|-------------|
| --fix | Auto-fix safe issues, show before/after score |
| --diff | Only check files changed since the last commit (staged + unstaged + untracked) |
| --watch | Re-scan on file changes, live score updates |
| --badge | Generate a shields.io badge for your README |
| --json | Machine-readable JSON output |
| --compare <dir1> <dir2> | Compare two projects' scores side by side |
| --init | Generate a default .unfckedrc.json config file |
| --help / -h | Show help message |

CI / GitHub Action

Score every pull request automatically. The action posts (and updates) a comment with the unfuck score, issue breakdown, and top problems.

Built-in workflow

The repo includes a ready-made workflow at .github/workflows/unfuck.yml that triggers on every PR. No configuration needed -- just push and it works.

Composite action

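Use peaktwilight/unfcked as a reusable action in your own workflows. The example below tracks the main branch, so each run executes whatever that branch currently contains under the workflow's pull-requests: write permission; pinning the action to a full commit SHA fixes the code that runs.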

name: unfuck

on:
  pull_request:
    types: [opened, synchronize]

permissions:
  contents: read
  pull-requests: write

jobs:
  score:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: peaktwilight/unfcked@main
        with:
          path: "."        # directory to scan (default: ".")
          threshold: 50    # fail the check if score is below this (default: 50)

Inputs:

| Input | Default | Description |
|-------|---------|-------------|
| path | . | Directory to scan |
| threshold | 50 | Minimum passing score. The action fails if the score is below this. |

The action posts a PR comment with:

  • Score badge (color-coded)
  • Verdict (e.g. CERTIFIED CLEAN, NEEDS WORK, DUMPSTER FIRE)
  • Issue counts grouped by severity
  • Top 5 critical/high issues with file paths

Comments are upserted -- pushing new commits updates the existing comment instead of creating duplicates.

Framework Support

Auto-detects your stack and adjusts checks accordingly:

  • Next.js -- React checks + SEO + production readiness
  • React -- Error boundaries, loading states, JSX meta tags
  • Vue / Nuxt -- Component scanning, SEO checks
  • Svelte -- Component scanning, SEO checks
  • Node.js -- Dependencies, security, production checks
  • Plain HTML -- SEO, meta tags, accessibility

Requirements

  • Node.js 18+

That's it. No config files. No plugins. No twelve-step setup process.

Why

You shipped a project with an AI coding tool. It works on your machine. But:

  • There's an API key hardcoded on line 42
  • There's no favicon
  • The meta tags are missing so your links look broken on Twitter
  • typescript is in dependencies instead of devDependencies
  • There's no error boundary so one bad API response nukes the whole page
  • There are 47 console.log statements

You won't find all of this by eyeballing it. This tool does.

Full disclosure

This tool was 100% vibe-coded. We ran unfcked on itself. The circle of vibe is complete.

License

MIT