npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

veripatch

v0.3.1

Published

Verified remediation for npm vulnerabilities: sandbox-apply fixes, prove elimination, prove safety, emit evidence reports.

Readme

VeriPatch

Verified remediation for npm vulnerabilities — don't just detect, prove the fix is safe.

CI npm version npm downloads License: Apache-2.0

veripatch scan: project summary, ranked vulnerability table, verification detail, and a final recommendation, all against a real axios vulnerability

Detection of vulnerable npm dependencies is commoditized (npm audit, Dependabot, Snyk). Verified remediation is not. Engineers don't apply fixes because of alert fatigue, fear of breakage, and lack of evidence. VeriPatch closes the gap:

  1. Scan — rank vulnerabilities by severity × fix feasibility (via OSV.dev).
  2. Verify — apply the fix in a hardened Docker sandbox, re-scan to prove the vulnerability left the resolved tree, run your build and tests to prove nothing breaks.
  3. Report — emit audit-grade evidence reports (Markdown + JSON) with deterministic confidence verdicts.

| | npm audit | Dependabot | Snyk | VeriPatch | | --------------------------------------------------- | :---------: | :--------: | :--: | :-------: | | Detects known vulnerabilities | ✅ | ✅ | ✅ | ✅ | | Ranks by severity | ✅ | ✅ | ✅ | ✅ | | Opens a fix PR | ❌ | ✅ | ✅ | ❌ (yet) | | Actually runs the fix in isolation | ❌ | ❌ | ❌ | ✅ | | Independently re-scans to prove the CVE is gone | ❌ | ❌ | ❌ | ✅ | | Runs your real build/test before you merge | ❌ | ❌ | ❌ | ✅ | | Verdict from exit codes only, never heuristics | n/a | n/a | n/a | ✅ | | Free, self-hosted, no account | ✅ | ✅ | ❌ | ✅ |

Quickstart

npm install -g veripatch

veripatch doctor              # diagnose environment (Node, Docker, lockfile, network)
veripatch scan                # ranked vulnerability table in <15s
veripatch verify GHSA-...     # sandboxed proof a fix is safe
veripatch update GHSA-...     # apply a verified fix to your working tree
veripatch report GHSA-...     # re-render evidence without re-running anything

scan and report work everywhere; verify requires a reachable Docker daemon.

scan understands package-lock.json (v2/v3), yarn.lock (classic and berry), and pnpm-lock.yaml (v6/v9), auto-detected. verify/update currently replay fixes with npm, so they refuse yarn/pnpm projects explicitly rather than corrupting them.

As a GitHub Action

- uses: actions/checkout@v4
- uses: amarjaleelbanbhan/[email protected]
  with:
    severity-threshold: high
    fail-on: new

See examples/workflow.yml for the full example (triggers, permissions, baseline mode) and action.yml for every input.

How it works

scan  → parse lockfile → OSV advisories → rule engine → ranked, fix-resolved report
verify → stage a copy → apply the bump → install (sandboxed, scripts off)
       → re-scan the copy to prove the vuln is gone → build/test (network off)
       → deterministic verdict from exit codes + the re-scan alone

See docs/ARCHITECTURE.md for the full data flow and layering.

Design principles

  • Verification-first — confidence verdicts derive only from exit codes and VeriPatch's own re-scan, never from log-text heuristics (see docs/ARCHITECTURE.md).
  • Security-first — untrusted project code only ever executes inside a hardened, network-restricted container. Zero telemetry. No secrets required. See docs/SECURITY.md.
  • CI-native — machine-readable report.json (docs/API.md), deterministic exit codes, baseline mode so pre-existing debt doesn't fail builds.

Documentation

| | | | ---------------------------------------------- | -------------------------------------------------------------------- | | docs/CLI.md | Full command reference, flags, exit codes | | docs/CONFIGURATION.md | .veripatchrc reference and precedence | | docs/ARCHITECTURE.md | Layering, data flow, confidence rules | | docs/API.md | report.json schema, ports, OSV usage | | docs/SECURITY.md | Threat model, sandbox guarantees, disclosure policy | | docs/CONTRIBUTING.md | Setup, layering rules, fixture-adding guide | | docs/ROADMAP.md | What's shipped, what's next | | docs/adr/ | Why OSV over NVD, SQLite over Postgres, Docker over subprocess, etc. |

Status

All MVP milestones (scan, verify, report/update/doctor/cache, GitHub Action) are implemented and tested. Pre-1.0: the CLI contract and report.json schema are considered stable but not yet field-proven — see docs/ROADMAP.md for what's tracked toward v1.0.

Contributing

See docs/CONTRIBUTING.md. Issues and discussion are welcome.

License

Apache-2.0