
what-new-pkg

v0.3.0

Published

Compare npm, pnpm, or Yarn Classic lockfiles against git HEAD and report newly introduced dependencies with introducer attribution.

Readme

what-new-pkg

See whether any unwanted or suspicious new packages slipped into your project unnoticed after an install—and who introduced them—with a terminal summary and an HTML report.

Open-source CLI for npm, pnpm, and Yarn Classic (yarn.lock): it diffs the current lockfile against the same file at git HEAD and lists each new resolved package with its immediate dependent (or workspace root when hoisted).


Releases are published with npm provenance (build-linked attestations on npm).


See what you get

Terminal — highlights when new packages show up:

[Screenshot: terminal output with new packages highlighted]

HTML report (default: .what-new-pkg/what-new-pkg.html) — introduced vs HEAD with Introduced by; removals with Previously under:

[Screenshot: HTML report listing introduced and removed packages]

  • New transitive additions can trigger a warning-styled line with a bold count; removals alone do not trigger that line.

Why?

  • Transitive supply chain: Compromised or unwanted code often arrives through dependencies of dependencies—and can reach production builds and runtime. You need to know what landed in the lockfile and which parent pulled it in.
  • This tool surfaces that by diffing your lockfile to git show HEAD:<lockfile>.

Install

npm install --save-dev what-new-pkg

Yarn Classic (yarn.lock): install the optional peer so the parser is available (npm 7+ often installs optional peers automatically; otherwise add it explicitly):

npm install --save-dev @yarnpkg/lockfile

Yarn Berry (v2+) lockfiles are not supported.

Optional: add a postinstall hook (or run npx what-new-pkg setup):

{
  "scripts": {
    "postinstall": "what-new-pkg generate"
  }
}

Usage

Typical (auto-detects pnpm-lock.yaml, else yarn.lock, else package-lock.json):

what-new-pkg generate

More options

# Lockfile path (relative to project root)
what-new-pkg generate --lock-file package-lock.json

# Output directory (default: .what-new-pkg)
what-new-pkg generate --output-dir .what-new-pkg

# Sample HTML (dummy diff; no git or real lockfile required)
what-new-pkg demo

From this repository’s root, npm run generate builds and runs what-new-pkg generate (same as npx what-new-pkg generate after a build). Pass CLI flags after --, for example:

npm run generate -- --lock-file test-packages/package-lock.json

npm run demo builds and writes .what-new-pkg/what-new-pkg.html using bundled sample data for a quick browser preview.

How comparison works

  • The baseline is the committed lockfile at HEAD for the same path. Commit your lockfile so diffs mean something. If it is missing from HEAD or the project is not a git repo, the report explains that and shows no “introduced” rows (no crash). Large lockfiles (multi-MB monorepos) are supported when reading that baseline from git.
  • Monorepos: run once per package root that owns a lockfile (e.g. workspace root with one pnpm-lock.yaml, yarn.lock, or package-lock.json).
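The "Why?" and "How comparison works" sections describe the core operation: take the lockfile at git HEAD as the baseline, take the working-tree lockfile as the current state, list every resolved package that is present only in the current one, and attach the immediate dependent that pulled it in (or the workspace root when it was hoisted). The script below is an added illustration of that algorithm on a package-lock.json v2/v3 "packages" map; it is not what-new-pkg's own source, and both lockfile objects are constructed inline in place of reading the file from disk and from `git show HEAD:package-lock.json`.

```javascript
// Added example, not what-new-pkg's own code: diff two package-lock.json (v2/v3
// "packages" map) objects the way the README describes and attribute each new
// resolved package to its immediate dependent, or the workspace root when hoisted.
// Constructed baseline, standing in for `git show HEAD:package-lock.json`.
const headLock = { packages: {
  "": { name: "app", dependencies: { a: "^1.0.0" } },
  "node_modules/a": { version: "1.0.0", dependencies: { b: "^1.0.0" } },
  "node_modules/b": { version: "1.0.0" },
} };

// Constructed working-tree lockfile after an install: a was bumped and pulled in
// c (hoisted), the root added d, and a nested duplicate of b appeared under a.
const currentLock = { packages: {
  "": { name: "app", dependencies: { a: "^1.0.0", d: "^2.0.0" } },
  "node_modules/a": { version: "1.1.0", dependencies: { b: "^2.0.0", c: "^1.0.0" } },
  "node_modules/a/node_modules/b": { version: "2.0.0" },
  "node_modules/b": { version: "1.0.0" },
  "node_modules/c": { version: "1.0.0" },
  "node_modules/d": { version: "2.0.0" },
} };

const MARK = "node_modules/";
// Package name is the path segment after the last "node_modules/" (scopes kept).
function nameOf(path) { return path.slice(path.lastIndexOf(MARK) + MARK.length); }

// Immediate dependent of a resolved path: the enclosing package for nested
// installs; for hoisted ones, the first package declaring it, else the root.
function introducerOf(lock, path) {
  const parent = path.slice(0, path.lastIndexOf(MARK)).replace(/\/$/, "");
  if (parent !== "") return parent;
  const name = nameOf(path);
  for (const [p, meta] of Object.entries(lock.packages)) {
    const deps = { ...(meta.dependencies || {}), ...(meta.optionalDependencies || {}) };
    if (p !== "" && name in deps) return p;
  }
  return "workspace root";
}

// Paths present in current but absent at HEAD; a version bump of an existing
// path is a change, not a new package (assumption of this example).
function newPackages(head, current) {
  return Object.keys(current.packages)
    .filter((p) => p !== "" && !(p in head.packages))
    .map((p) => ({ path: p, name: nameOf(p), version: current.packages[p].version,
                   introducedBy: introducerOf(current, p) }))
    .sort((x, y) => x.path.localeCompare(y.path));
}

console.table(newPackages(headLock, currentLock));
```

Anything whose introducedBy is not the workspace root is a transitive addition, the case the README's warning-styled line is meant to flag.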

Configuration

Optional "what-new-pkg" section in package.json:

{
  "what-new-pkg": {
    "outputDir": ".what-new-pkg"
  }
}

Lock file support

| Format | Status |
| --- | --- |
| package-lock.json v1/v2/v3 | Supported |
| pnpm-lock.yaml | Supported |
| yarn.lock (Yarn Classic v1) | Supported — requires optional peer @yarnpkg/lockfile (see Install) |
| yarn.lock (Yarn Berry v2+) | Not supported |


Security

This package is published with npm provenance (npm publish --provenance), linking each release to its GitHub Actions build. Verify versions on npm.

To report a vulnerability in what-new-pkg itself, see SECURITY.md.


Contributing

Contributions are welcome! See CONTRIBUTING.md.

The test-packages/ directory holds generated large mock lockfiles (pnpm-lock.yaml, package-lock.json, yarn.lock) for stress testing or local experiments.

Regenerate from scratch (each file is rebuilt; must stay above 5000 lines):

npm run generate:test-packages

Simulate a small dependency change (removes the lowest-index mock-dep-*, adds two new mock-dep-* after the current max—run per format or all):

npm run mutate:test-packages:pnpm
npm run mutate:test-packages:npm
npm run mutate:test-packages:yarn
npm run mutate:test-packages

Releasing

Maintainers: automated npm and GitHub Releases from git tags — see RELEASING.md.


License

MIT