vallm-analyzer

v1.1.0

Use LLM to quickly diagnose vulnerabilities within your project's code.

VulnerabilityAnalyzer (vallm)

Use LLMs such as OpenAI, Anthropic Claude, and Google Gemini to quickly diagnose vulnerabilities within your project's code.

Default usage [English]

You can install vallm with the command below.

npm i -g vallm-analyzer

This is a CLI tool that uses an LLM to scan your project for vulnerabilities.

$ vallm .

The above command analyzes all code files in the project at the current location for potential risks. When analyzing a file, it also takes the files that file depends on into account.

Before using it, register an API key for the provider you want to use. The CLI accepts the provider name followed by the key; omitting the provider assumes OpenAI.

$ vallm --ai openai YOUR_OPENAI_KEY
$ vallm --ai anthropic YOUR_ANTHROPIC_KEY
$ vallm --ai gemini YOUR_GEMINI_KEY

Note: We do not currently support some files, such as images and binary files. Please check before running a scan.

Options

The following options are available.

  • -h, --help

    Provide help and explanations.

    $ vallm -h
  • -V, --version

    Check the version of vallm.

    $ vallm -V
  • -a, --ai

    Register an API key. Provide one argument for OpenAI, or two arguments (provider key) for other providers.

    $ vallm -a sk-openai...
    $ vallm -a anthropic sk-anthropic...
  • -s, --search

    Register your Google Search API Key and CX.

    $ vallm -s your_api_key your_cx
  • -p, --provider

    Select the active provider (openai, anthropic, or gemini). The model automatically switches to a sensible default if the current choice is incompatible.

  • -m, --model

    Determine the LLM model to use. The default value is gpt-4o. You can also set the provider inline with provider:model.

    $ vallm -m gpt-4o
    $ vallm -m anthropic:claude-3-5-sonnet-20241022
  • -r, --reasoning-effort

    When using a reasoning model, set the reasoning effort of that model. You must enter one of low, medium, or high. The default value is medium.

    $ vallm -r low
  • -l, --limit

    Maximum number of files to analyze in one vulnerability scan. The default is 64.

    $ vallm -l 128
  • -c, --check

    Whether to save inline annotated snippets for vulnerable code. You can enter y or n. The default is n. When enabled, the annotated snippets are written to vallm-reports/<relative-path>.notes.txt instead of modifying your source files.

    $ vallm -c y
  • -k, --skip-cve-search

    Whether to skip CVE scanning. You can enter y or n. The default is y.

    $ vallm -k y
  • -i, --info

    Retrieve the values currently set in vallm.

    $ vallm --info

CVE Intelligence Sources

vallm gathers vulnerability intelligence from multiple sources:

  • Google Custom Search (requires both API key and CX). The tool asks an LLM to craft precise queries, fetches the most relevant results, and summarises them.
  • npm audit advisories. When a package.json is present, vallm automatically runs npm audit --json to capture advisories. This runs alongside Google search when credentials are available, and acts as a fallback when they are not.
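The npm audit fallback described above hinges on reading the JSON that npm prints. As an added example (not vallm's own code), this parser flattens an `npm audit --json` report (auditReportVersion 2, npm 7 and later) into a list of advisories; the sample report is constructed, and the advisory id and URL in it are placeholders.

```javascript
// Added example, not vallm's own code: parse the output of `npm audit --json`
// (auditReportVersion 2, npm 7 and later) into a flat list of advisories.
// Each `via` array mixes advisory objects with plain strings naming another
// vulnerable package (a transitive hit); only the objects carry details.
// Constructed sample report, trimmed to the fields the parser reads.
const SAMPLE_AUDIT = JSON.stringify({
  auditReportVersion: 2,
  vulnerabilities: {
    "example-lib": {
      name: "example-lib", severity: "high", isDirect: true, range: "<2.0.0",
      via: [{
        source: 0, // placeholder advisory id
        name: "example-lib", severity: "high", range: "<2.0.0",
        title: "Prototype pollution in example-lib (constructed)",
        url: "https://example.invalid/advisories/PLACEHOLDER",
      }],
      fixAvailable: { name: "example-lib", version: "2.0.0", isSemVerMajor: true },
    },
    "example-consumer": {
      name: "example-consumer", severity: "high", isDirect: false, range: "*",
      via: ["example-lib"], // transitive: vulnerable only through example-lib
      fixAvailable: false,
    },
  },
});
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

function parseNpmAudit(jsonText) {
  const report = JSON.parse(jsonText);
  if (report.auditReportVersion !== 2) {
    throw new Error(`unsupported audit report version: ${report.auditReportVersion}`);
  }
  const findings = [];
  for (const entry of Object.values(report.vulnerabilities || {})) {
    // fixAvailable is either a boolean or an object describing the fix.
    const base = { package: entry.name, direct: Boolean(entry.isDirect),
                   fixAvailable: Boolean(entry.fixAvailable) };
    for (const via of entry.via || []) {
      if (typeof via === "string") {
        findings.push({ ...base, severity: entry.severity, viaPackage: via, title: null });
      } else {
        findings.push({ ...base, severity: via.severity, viaPackage: null,
                        title: via.title, url: via.url, range: via.range });
      }
    }
  }
  // Highest severity first so a report can be read top-down.
  return findings.sort((a, b) => (SEVERITY_RANK[b.severity] ?? -1) - (SEVERITY_RANK[a.severity] ?? -1));
}
```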

Example Usage

  • When search is turned off

    It will analyze the project and notify you of any issues it finds, as shown below.

    PS C:\Users\user\prob> vallm .
    🔍 Scanning Project: C:\Users\shkh0\prob
    ✔ ✅ Found 17 target files.
    ✔ ✅ Found 0 package files.
    ⠋ Analyzing project files...   🔍 Attempting OpenAI call (1/3)...
    ⠇ Analyzing (1/17): eval.php...  ✅ eval.php analysis complete.
    🔍 Attempting OpenAI call (1/3)...
    ⠙ Analyzing (2/17): phpinfo.php...  ✅ phpinfo.php analysis complete.
    🔍 Attempting OpenAI call (1/3)...
    ...
    ⠋ Analyzing (17/17): index.php...  ✅ index.php analysis complete.
    ✔ ✅ All files analyzed.
    
    🚀 Scanning Completed!
    
    🔹 Summary of Findings:
    
    📂 C:\Users\user\prob\eval.php
    
    🔎 Findings:
    
    - Lines 3-5: The use of JavaScript eval() with untrusted data (code) without any sanitization or validation may lead to Remote Code Execution (RCE).
    ...

    If annotations are enabled, the model writes only the relevant snippets and comments to vallm-reports/eval.php.notes.txt, keeping your source file untouched.

  • When search is turned on

    It will analyze the versions of the external modules and libraries listed in the detected package files and search for known vulnerabilities with Google search. At the end, it will output a brief report based on the vulnerabilities found.

    PS C:\Users\user\prob> vallm .
    ...
    ⠋ Analyzing CVEs...
    Searching for [email protected] vulnerability
    ...
    🔹 Summary of Findings:
    ...
    
    🛑 CVE Report:
    ...
    

Local Build & Test run

Requires the TypeScript compiler (tsc).

$ npm run build
$ node bin/index.js

For Korean documentation, see readmeKr.md.