
xairas-cve

v0.1.1

CLI tool to monitor CVE reports for your tech stack, categorized by ecosystem and version, with Telegram notifications.

CLI tool to monitor CVE vulnerabilities for your specific tech stack and get notified via Telegram when new ones drop.

Unlike generic CVE feeds that blast every vulnerability, xairas-cve only alerts you about CVEs that affect the exact technologies and versions you're running.

Features

  • Version-aware matching — only CVEs affecting your specific versions
  • Multi-ecosystem support — npm, PyPI, Go, Maven, Ubuntu, Debian packages via OSV.dev
  • Hardware & infrastructure — MikroTik, Fortinet, Cisco, HPE, etc. via NVD with automatic CPE discovery
  • Custom categories — define your own categories mapped to any ecosystem
  • Telegram notifications — with forum topic support and custom API URL (for regions where Telegram is restricted)
  • Deduplication — never get the same CVE twice (SQLite state tracking)
  • One-shot scan — audit your stack on demand
  • Continuous monitor — long-running mode with configurable interval

Install

npm install -g xairas-cve

Quick Start

# 1. Configure Telegram
xairas-cve config set --bot-token <YOUR_BOT_TOKEN> --chat-id <YOUR_CHAT_ID>

# Optional: set topic thread ID for forum groups
xairas-cve config set --thread-id <THREAD_ID>

# Optional: custom Telegram API URL (for restricted regions)
xairas-cve config set --api-url https://your-telegram-proxy.com

# 2. Add your technologies
xairas-cve stack add --name express --version 4.18.2 --category npm
xairas-cve stack add --name openssl --version 3.0.13 --category ubuntu-pkg
xairas-cve stack add --name routeros --version 7.14 --category hardware
xairas-cve stack add --name django --version 4.2.0 --category pypi

# 3. Run a one-time scan
xairas-cve scan

# 4. Start continuous monitoring
xairas-cve monitor

Categories

Built-in categories auto-map to the right data source:

| Category | Data Source | Examples |
|---|---|---|
| npm | OSV.dev | express, fastify, axios |
| pypi | OSV.dev | django, flask, requests |
| go | OSV.dev | golang.org/x/crypto |
| maven | OSV.dev | log4j, spring-boot |
| ubuntu-pkg | OSV.dev | openssl, curl |
| debian-pkg | OSV.dev | openssl, nginx |
| infrastructure | NVD | nginx, postgresql, rabbitmq |
| hardware | NVD | mikrotik, fortinet, hpe |

Custom categories are supported with --ecosystem:

# Map to an OSV ecosystem
xairas-cve stack add --name my-pkg --version 1.0 --category my-custom --ecosystem PyPI

# Map to NVD
xairas-cve stack add --name my-appliance --version 2.0 --category my-custom --ecosystem nvd

Commands

xairas-cve config set [options]

| Option | Description |
|---|---|
| --bot-token <token> | Telegram bot token |
| --chat-id <id> | Telegram chat ID |
| --thread-id <id> | Telegram topic/thread ID |
| --api-url <url> | Telegram API URL (default: https://api.telegram.org) |
| --nvd-api-key <key> | NVD API key (optional, increases rate limit) |
| --scan-interval <interval> | Scan interval: 30m, 6h, 1d |
| --min-cvss <score> | Minimum CVSS score to notify (0-10) |

xairas-cve config show

Display current configuration (tokens are masked).

xairas-cve stack add [options]

| Option | Description |
|---|---|
| --name <name> | Technology name |
| --version <version> | Version you are running |
| --category <category> | Category (see table above) |
| --ecosystem <ecosystem> | OSV ecosystem or nvd (for custom categories) |
| --cpe <vendor:product> | Skip CPE discovery, use exact CPE |

xairas-cve stack list

List all monitored technologies grouped by category.

xairas-cve stack remove --name <name>

xairas-cve stack update --name <name> --version <version>

xairas-cve scan

One-shot scan. Checks all technologies, reports vulnerabilities, sends Telegram alerts for new ones.

xairas-cve monitor [--interval <interval>]

Continuous monitoring. Runs scan at the configured interval and sends Telegram alerts for new CVEs only.

xairas-cve history scans

xairas-cve history cves

Data Sources

  • OSV.dev — free, no API key required. Covers npm, PyPI, Go, Maven, Ubuntu, Debian, and many more.
  • NVD — free, optional API key for higher rate limits. Covers hardware, vendor software, and anything with a CPE.
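
The version-aware matching and deduplication listed under Features can be illustrated against OSV-format records. This is an added example, not xairas-cve's own code: it assumes records shaped like the OSV schema (`affected[].ranges[].events`), plain dotted numeric versions, constructed `EXAMPLE-` advisory IDs, and a `Set` standing in for the SQLite state.

```javascript
// Added example, not xairas-cve source. The advisory records are constructed.
const STACK = [{ name: 'express', version: '4.18.2', ecosystem: 'npm' },
  { name: 'django', version: '4.2.0', ecosystem: 'PyPI' }];
const pkg = (name, ecosystem) => ({ name, ecosystem });
const SAMPLE_VULNS = [
  { id: 'EXAMPLE-0001', affected: [{ package: pkg('express', 'npm'),
    ranges: [{ type: 'SEMVER', events: [{ introduced: '0' }, { fixed: '4.19.0' }] }] }] },
  { id: 'EXAMPLE-0002', affected: [{ package: pkg('express', 'npm'),
    ranges: [{ type: 'SEMVER', events: [{ introduced: '5.0.0' }, { fixed: '5.0.1' }] }] }] },
  { id: 'EXAMPLE-0003', affected: [{ package: pkg('django', 'PyPI'),
    ranges: [{ type: 'ECOSYSTEM', events: [{ introduced: '3.2' }, { fixed: '3.2.20' },
      { introduced: '4.2' }, { fixed: '4.2.3' }] }] }] },
];

// Compare plain dotted numeric versions; missing components count as 0.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// OSV range evaluation: walk the sorted events, toggling the affected state.
function inRange(version, events) {
  let affected = false;
  for (const e of events) {
    if ('introduced' in e) { if (compareVersions(version, e.introduced) >= 0) affected = true; }
    else if ('fixed' in e) { if (compareVersions(version, e.fixed) >= 0) affected = false; }
    else if ('last_affected' in e) { if (compareVersions(version, e.last_affected) > 0) affected = false; }
  }
  return affected;
}

// True when any `affected` entry names this package and covers its version.
function isAffected(item, vuln) {
  return vuln.affected.some((a) =>
    a.package.name === item.name && a.package.ecosystem === item.ecosystem &&
    ((a.versions || []).includes(item.version) ||
      (a.ranges || []).some((r) => r.type !== 'GIT' && inRange(item.version, r.events))));
}

// Return alert keys not seen before; `seen` (a Set) stands in for the SQLite state.
function newAlerts(stack, vulns, seen) {
  const hits = stack.flatMap((item) => vulns.filter((v) => isAffected(item, v))
    .map((v) => `${v.id}|${item.name}@${item.version}`));
  return hits.filter((key) => !seen.has(key) && seen.add(key));
}
```

Keying the seen-set on advisory ID plus package and version means a later `stack update` to a still-affected version alerts again, while an unchanged stack stays quiet on repeat scans.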

Running as a Service

# Using PM2
pm2 start "xairas-cve monitor" --name xairas-cve

# Using systemd (create /etc/systemd/system/xairas-cve.service)
# ExecStart=/usr/bin/xairas-cve monitor
# Restart=always

Data Storage

All data is stored locally in ~/.xairas-cve/:

  • config.json — configuration and tech stack
  • data.db — SQLite database for deduplication and scan history

License

MIT

Author

Amir Rezvani