npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

vibe-security-akoris

v2.0.1

Published

Algorithmic AST and Shannon entropy secret detector

Readme

VibeGuard

VibeGuard is a beta JavaScript/TypeScript secret scanner. It flags likely secrets by combining:

  • AST context: the value is assigned to a sensitive-looking name such as apiKey, token, secret, password, or auth.
  • Shannon entropy: the value is random-looking enough to pass the configured threshold.

This keeps simple placeholders like password = "test" and apiKey = "your-api-key" out of the results.

Install

npm install

Or run it from another project:

npx vibe-security-akoris scan

Usage

Scan the current project:

npm run scan

Scan without changing files:

npx vibe-security-akoris scan

Preview fixes without writing anything:

npx vibe-security-akoris scan --dry-run

Replace detected literals with process.env.NAME and write values to .env:

npx vibe-security-akoris scan --fix

Run non-interactively:

npx vibe-security-akoris scan --fix --yes

Scan a specific path:

npx vibe-security-akoris scan --path src

Use in CI or pre-commit hooks:

npx vibe-security-akoris scan --ci

Safety Defaults

  • Default mode is scan-only. Files are changed only with --fix.
  • --dry-run shows the source, .env, and .gitignore changes before editing.
  • Full secrets are never printed; output uses masked values like sk-****abcd.
  • Existing .env values are not overwritten. If a name already exists with a different value, VibeGuard creates a suffixed name and prints a warning.
  • .gitignore gets .env only when it is missing.
  • Common generated paths are ignored by default, including .git, node_modules, dist, build, coverage, and lock files.

Output

Findings include file path, line, column, identifier, confidence, and reason:

src/app.js:12:21 apiKey confidence=medium sensitive identifier "apiKey" has entropy 4.73 above threshold 4.00

Exit codes:

0 = no secrets found
1 = secrets found
2 = scanner/config/parse error

Config

Create .vibeguardrc in your project root:

{
  "entropyThreshold": 4.5,
  "ignoredPaths": ["fixtures/**", "vendor/**"],
  "maxFileSizeBytes": 2097152
}

You can also add .vibeguardignore with simple glob patterns.

Pre-commit Protection

Install the Git hook:

npx --package vibe-security-akoris vibe-security-akoris-protect

Install without prompts:

npx --package vibe-security-akoris vibe-security-akoris-protect --yes

The hook scans staged JS/TS files and blocks the commit when validated secret candidates are found.

Supported Files

VibeGuard scans .js, .jsx, .mjs, .cjs, .ts, and .tsx.

Limitations

  • JavaScript and TypeScript only.
  • Beta scanner: it may miss secrets and may still report false positives.
  • It checks string literals in supported AST contexts, not every possible way a secret can appear.
  • It intentionally avoids vendor-specific API-key regex databases.

Feedback

Issues and feedback: https://github.com/akroshub/Vibeguard/issues