npm
Safely install npm packages by auditing them at the pre-install stage. npq allows you to audit npm packages before you install them.
Wraps your package manager, preventing installation of malicious packages.
📈⚖️ Visualize your bundle
Visualize and analyze your Rollup bundle to see which modules are taking up space.
Comprehensive detection tool for NPM supply chain attacks, specifically designed to identify and prevent the Shai-Hulud worm that compromised 500+ packages including CrowdStrike npm packages in 2025.
How to stay safe from NPM supply chain attacks.
The NPM ecosystem is no stranger to compromises, supply-chain attacks, malware, spam, phishing, incidents, or even trolls. In this repository, I have consolidated a list of information you might find useful in securing yourself against these incidents.
🔍 CLI utility for querying the node_modules directory.
I often need to quickly check the versions of the modules installed in the node_modules directory. Current solutions like running npm list are slow and produce a lot of irrelevant output. Checking the version in the package.json file of the specific module requires more effort and doesn’t provide information about other instances of the same module.
qnm is a tool that solves this problem by providing fast and focused information about the installed modules. It supports both npm and yarn and allows you to quickly identify the versions of the modules you are interested in.
A tool for preventing the installation of malicious PyPI and npm packages 🔥.
Supply-Chain Firewall is a command-line tool for preventing the installation of malicious PyPI and npm packages. It is intended primarily for use by engineers to protect their development workstations from compromise in a supply-chain attack.
🐍 🔍 GuardDog is a CLI tool to identify malicious PyPI and npm packages.
GuardDog is a CLI tool that allows you to identify malicious PyPI and npm packages or Go modules. It runs a set of heuristics on the package source code (through Semgrep rules) and on the package metadata. GuardDog can be used to scan local or remote PyPI and npm packages or Go modules using any of the available heuristics.
Publish packages as git tags.
- 🔧 Works with projects with build steps.
- 👯 Works with projects with multiple packages (monorepos).
- 🏎 Lightweight git tags (only the files needed are included).
Search for a package to see its download stats over time.
Visualize npm downloads in a beautiful chart, ready to be shared with your community.
Stop wrestling with code dependencies. Use Codependence! 🤼♀️
Codependence is a JavaScript utility for checking dependencies to ensure they're up-to-date or match a specified version.
Wireit upgrades your npm/pnpm/yarn scripts to make them smarter and more efficient.
Continuous (Preview) Releases for your libraries!
With pkg.pr.new, each of your commits and pull requests will trigger an instant preview release without publishing anything to NPM. This enables users to access features and bug-fixes without the need to wait for release cycles using npm or pull request merges.
An updating monorepo full of self-hostable Open Source fonts bundled into individual NPM packages!
The open-source package registry for modern JavaScript and TypeScript.
JSR is designed for TypeScript. You publish TypeScript source, and JSR handles generating API docs, .d.ts files, and transpiling your code for cross-runtime compatibility.
JSR packages are distributed as web-standard ECMAScript modules.
A package manager for the web.
Bower offers a generic, unopinionated solution to the problem of front-end package management, while exposing the package dependency model via an API that can be consumed by a more opinionated build stack. There are no system wide dependencies, no dependencies are shared between different apps, and the dependency tree is flat.
NPM Dependency Diagrams. A tool for exploring NPM modules and dependencies.
Check NPM packages for manifest confusion.
A Python script to check npm packages for manifest mismatches.
Secure your supply chain. Ship with confidence. Socket fights vulnerabilities and provides visibility, defense-in-depth, and proactive supply chain protection for JavaScript and Python dependencies.
Search millions of open source JavaScript packages. Load optimized npm packages with no install and no build tools.
Bun is a fast all-in-one JavaScript runtime. Bundle, transpile, install and run JavaScript & TypeScript projects, all in Bun. Bun is a new JavaScript runtime with a native bundler, transpiler, task runner and npm client built-in.