i.live

PackGuard, auditing itself.

Every week a GitHub Action runs packguard scan against the docs site that ships the install page you just read. The output below is real CLI JSON — no screenshots, no fixtures. If the scanner surfaces a new CVE or a malware hit on our own stack, you read about it here before we do.

Scanned packguard v0.1.0
ii.headline

tracked: 16 · npm · pnpm
policy: 1 · 1 violation · 13 warnings · 1 insufficient
cves matched: 0 · 0 critical · 0 high · 0 medium · 0 low
supply-chain: 1 · 0 malware · 1 typosquat suspect

Target: docs-site · Ecosystems: npm · Package manager: pnpm · Total transitive deps: 612 (edges: 1299)

iii.compliance

Policy and the rows it flags.

The site's own .packguard.yml sits here. Every risk row below is a package drifting against that policy — not a synthetic fixture.

Effective policy

.packguard.yml

Conservative defaults, no overrides. The three-axis offset { major: 0, minor: -1, patch: 0 } reads as: stay on the latest major, sit one minor behind it, and always take the newest patch on that minor line. stability: stable and min_age_days: 7 trim the candidate list first (prereleases, and releases younger than a week, are never targets), so a fresh release cannot become the target the day it ships. On a stack pinned to Next 16 / React 19 / Nextra 4, any dep more than one minor away from its target shows up as drift. That drift is the signal. One caveat when reading the rows: every policy-allowed version they quote sits on the previous major line (next 16.2.4 against 15.5.15, react 19.1.1 against 18.3.1; for @types/three's 0.x scheme, the previous minor), so the effective window is wider than the one-minor reading suggests, and the "ahead" warnings are about that window rather than about stale code. @types/node is the only package installed behind its target, and it is the single violation.

offset.major: 0
offset.minor: -1
offset.patch: 0
stability: stable
allow_patch: true
min_age_days: 7
block.cve_severity: [high, critical]
block.malware: true
block.typosquat: warn
block.yanked: true
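
The offset resolution described above, as an added example (not PackGuard's own code): it applies the stability and min_age_days filters to a constructed release history for a hypothetical package, walks offset.major / offset.minor / offset.patch to find the policy-allowed version, and classifies the installed version the way the rows below are labelled (violation when behind, warning when ahead, insufficient when the filters leave nothing). The release dates, the exact walk order and the reading of allow_patch as "compare major.minor only" are assumptions.

```python
# Added example, not PackGuard's own code: resolve the "policy-allowed"
# version for one package under a .packguard.yml-style policy and classify
# the installed version against it. The version history, dates and the
# exact selection rule (how offsets walk the version list) are assumptions.
import re
from datetime import date

SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")

# Same keys and values as the site's effective policy shown above.
POLICY = {
    "offset": {"major": 0, "minor": -1, "patch": 0},
    "stability": "stable",
    "allow_patch": True,
    "min_age_days": 7,
}

# Constructed release history for a hypothetical package "example-pkg".
TODAY = date(2026, 1, 15)
VERSIONS = {
    "1.8.0": date(2025, 6, 1),
    "1.9.0": date(2025, 9, 1),
    "1.9.2": date(2025, 10, 1),
    "1.10.0": date(2025, 12, 1),
    "1.10.1": date(2025, 12, 20),
    "1.11.0": date(2026, 1, 12),     # 3 days old: dropped by min_age_days
    "2.0.0-rc.1": date(2026, 1, 5),  # prerelease: dropped by stability
}


def parse(version):
    """Split 'MAJOR.MINOR.PATCH[-pre]' into (major, minor, patch, pre)."""
    m = SEMVER.match(version)
    if not m:
        raise ValueError(f"not a semver string: {version}")
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), pre


def eligible(versions, policy, today):
    """Apply the stability and min_age_days filters; return sorted tuples."""
    keep = []
    for version, released in versions.items():
        major, minor, patch, pre = parse(version)
        if policy["stability"] == "stable" and pre is not None:
            continue
        if (today - released).days < policy["min_age_days"]:
            continue
        keep.append((major, minor, patch))
    return sorted(keep)


def _pick(values, offset):
    """Index from the newest value: offset 0 is newest, -1 is one behind."""
    idx = len(values) - 1 + offset
    return values[idx] if 0 <= idx < len(values) else None


def allowed_target(versions, policy, today):
    """Walk offset.major, then offset.minor, then offset.patch over the
    eligible versions. None means the filters left nothing to choose from."""
    elig = eligible(versions, policy, today)
    off = policy["offset"]
    major = _pick(sorted({ma for ma, _, _ in elig}), off["major"])
    if major is None:
        return None
    minor = _pick(sorted({mi for ma, mi, _ in elig if ma == major}), off["minor"])
    if minor is None:
        return None
    patch = _pick(sorted({pa for ma, mi, pa in elig if (ma, mi) == (major, minor)}),
                  off["patch"])
    return None if patch is None else (major, minor, patch)


def classify(installed, versions, policy, today):
    """Return (status, target). Statuses mirror the rows on this page:
    'insufficient' when no version survives the filters, 'violation' when
    installed is behind the target, 'warning' when it is ahead, else 'ok'.
    Assumption: allow_patch compares major.minor only, so any patch on the
    target line is accepted."""
    target = allowed_target(versions, policy, today)
    if target is None:
        return "insufficient", None
    inst = parse(installed)[:3]
    a, b = (inst[:2], target[:2]) if policy["allow_patch"] else (inst, target)
    if a < b:
        return "violation", target
    if a > b:
        return "warning", target
    return "ok", target


if __name__ == "__main__":
    print("policy-allowed:", allowed_target(VERSIONS, POLICY, TODAY))
    for v in ("1.8.5", "1.9.0", "1.10.1"):
        print(v, "->", classify(v, VERSIONS, POLICY, TODAY)[0])
    strict = dict(POLICY, min_age_days=400)
    print("min_age_days=400 ->", classify("1.9.0", VERSIONS, strict, TODAY)[0])
```

With the policy as shown, the target for the constructed history is 1.9.2: 1.11.0 and 2.0.0-rc.1 never enter the candidate list, so the newest eligible minor is 1.10 and one behind it is 1.9. Raising min_age_days until nothing survives reproduces the insufficient status the @tailwindcss/postcss row reports.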

Flagged rows: package · status, then ecosystem · installed · latest, then the scanner's message.

  • @types/node · violation
    npm · installed 22.9.0 · latest 25.6.0
    @types/node: installed 22.9.0 is behind policy-allowed 24.12.2

  • nextra · typosquat
    npm · installed 4.6.1 · latest 4.6.1
    nextra: 1 typosquat suspicion(s)

  • @tailwindcss/postcss · insufficient
    npm · installed 4.2.4 · latest 4.2.4
    @tailwindcss/postcss: policy filters (stability / min_age_days / offset / cve / malware) dropped all 784 known versions

  • @react-three/drei · warning
    npm · installed 10.7.7 · latest 10.7.7
    @react-three/drei: installed 10.7.7 is ahead of policy-allowed 9.122.0

  • @react-three/fiber · warning
    npm · installed 9.6.0 · latest 9.6.0
    @react-three/fiber: installed 9.6.0 is ahead of policy-allowed 8.18.0

  • @types/react · warning
    npm · installed 19.0.14 · latest 19.2.14
    @types/react: installed 19.0.14 is ahead of policy-allowed 18.3.28

  • @types/react-dom · warning
    npm · installed 19.0.4 · latest 19.2.3
    @types/react-dom: installed 19.0.4 is ahead of policy-allowed 18.3.7

  • @types/three · warning
    npm · installed 0.184.0 · latest 0.184.0
    @types/three: installed 0.184.0 is ahead of policy-allowed 0.183.1

  • gray-matter · warning
    npm · installed 4.0.3 · latest 4.0.3
    gray-matter: installed 4.0.3 is ahead of policy-allowed 3.1.1

  • next · warning
    npm · installed 16.2.4 · latest 16.2.4
    next: installed 16.2.4 is ahead of policy-allowed 15.5.15

  • nextra-theme-docs · warning
    npm · installed 4.6.1 · latest 4.6.1
    nextra-theme-docs: installed 4.6.1 is ahead of policy-allowed 3.3.1

  • react · warning
    npm · installed 19.1.1 · latest 19.2.5
    react: installed 19.1.1 is ahead of policy-allowed 18.3.1

iv.supply-chain

No CVE matches. No malware.

One typosquat suspect flagged, a known false positive: nextra is the documentation framework this site is built on, and its name sits two edits away from next. Because block.typosquat is set to warn rather than true, the row is surfaced for human review instead of being blocked the way a malware hit (block.malware: true) would be. Real CVE / malware matches would show up here.

Typosquat heuristic (human review)
  • nextra resembles next · edit distance 2 · score 0.5

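The lookalike check behind that row, as an added example rather than PackGuard's own heuristic: a Levenshtein distance against a short list of popular names, a finding for every name within a small edit budget, and the policy's block.typosquat setting deciding whether the finding is a warning or a violation. The popular-name list, the distance threshold of 2, the score formula (1 minus distance over the length of the resembled name) and the allowlist used to retire a reviewed false positive are all assumptions made for illustration.

```python
# Added example, not PackGuard's heuristic: flag package names that sit a
# small edit distance from a popular name and map the finding onto the
# policy's block.typosquat setting. The popular-name list, the distance
# threshold, the score formula and the allowlist are assumptions.

MAX_DISTANCE = 2  # assumed threshold: more than two edits is not a lookalike

# Constructed inputs: names taken from a lockfile, and a short "popular" list.
NAMES = ["nextra", "reakt", "lodash", "expresss"]
POPULAR = ["next", "react", "lodash", "express"]


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute all cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def typosquat_findings(names, popular, block_setting, allowlist=frozenset()):
    """One finding per suspect. block_setting mirrors block.typosquat:
    'warn' yields a warning row for human review, True (block) a violation.
    Assumed score: 1 - distance / len(resembled name), so 1.0 is an exact hit.
    An exact match with a popular name is the real package and is skipped;
    an allowlisted name is one a human has already reviewed."""
    status = "warning" if block_setting == "warn" else "violation"
    findings = []
    for name in names:
        if name in popular or name in allowlist:
            continue
        nearest = min(popular, key=lambda p: levenshtein(name, p))
        d = levenshtein(name, nearest)
        if d <= MAX_DISTANCE:
            findings.append({
                "name": name,
                "resembles": nearest,
                "distance": d,
                "score": round(1 - d / len(nearest), 3),
                "status": status,
            })
    return findings


if __name__ == "__main__":
    for f in typosquat_findings(NAMES, POPULAR, "warn"):
        print(f"{f['name']} resembles {f['resembles']} · edit distance "
              f"{f['distance']} · score {f['score']} · {f['status']}")
    # After review, retire the known false positive without weakening the rule.
    print(typosquat_findings(NAMES, POPULAR, "warn", allowlist={"nextra"}))
```

The shape of the false positive is visible in the output: nextra is two insertions away from next and scores exactly like a squat would, which is why a pure string heuristic needs a review step (or an allowlist) rather than a hard block, and why block.typosquat: warn is the right default until a name has been looked at.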
v.graph

The dependency tree, slimmed.

A procedural view over 60 of the 612 total transitive dependencies: the roots and their first neighbours, plus anything risk-flagged. The full graph lives behind packguard graph.

live snapshot · 60 / 612 nodes · 83 edges rendered
For the full traversal: packguard graph docs-site/ --format json
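
The slimming rule above, as an added example that is not PackGuard's graph code: keep the roots, every first neighbour of a root, and every risk-flagged node, then keep only the edges between those nodes. It goes one step beyond the page by also recording, for each flagged node, the shortest root-to-node path (which root-level dependency pulls it in), since that is the first question a warning row raises. The edge list is constructed and the package names in it are illustrative.

```python
# Added example, not PackGuard's graph code: slim a dependency graph to the
# roots, their first neighbours and every risk-flagged node, and record the
# shortest root path to each flagged node. Edges and names are constructed.
from collections import deque

# Constructed edge list: (dependent, dependency). Names are illustrative.
EDGES = [
    ("docs-site", "next"), ("docs-site", "react"), ("docs-site", "nextra"),
    ("next", "postcss"), ("next", "styled-jsx"), ("react", "loose-envify"),
    ("nextra", "gray-matter"), ("gray-matter", "js-yaml"),
    ("js-yaml", "argparse"), ("postcss", "nanoid"),
]
ROOTS = {"docs-site"}
FLAGGED = {"gray-matter"}  # the row the policy section flags as a warning


def slim_graph(edges, roots, flagged):
    """Return (nodes, kept_edges, paths): the slimmed node set, the edges
    between kept nodes, and the shortest root path to each flagged node."""
    adj = {}
    for src, dst in edges:
        adj.setdefault(src, []).append(dst)
        adj.setdefault(dst, [])
    # BFS from all roots at once; parent pointers give shortest paths.
    parent = {r: None for r in roots}
    queue = deque(roots)
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, []):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    nodes = set(roots)
    for r in roots:
        nodes.update(adj.get(r, []))           # first neighbours of each root
    paths = {}
    for f in flagged:
        nodes.add(f)                           # flagged nodes always stay visible
        if f not in parent:
            continue                           # flagged but not reachable: no path
        path, cur = [], f
        while cur is not None:
            path.append(cur)
            cur = parent[cur]
        paths[f] = path[::-1]
        nodes.update(path)                     # the chain that pulls it in
    kept = [(s, d) for s, d in edges if s in nodes and d in nodes]
    return nodes, kept, paths


if __name__ == "__main__":
    nodes, kept, paths = slim_graph(EDGES, ROOTS, FLAGGED)
    total = len({n for e in EDGES for n in e})
    print(f"{len(nodes)} / {total} nodes · {len(kept)} edges rendered")
    for name, path in paths.items():
        print(name, "<-", " -> ".join(path))
```

Run stand-alone it renders 5 of the 11 constructed nodes and shows gray-matter arriving through nextra. Flagging a deeper node instead (one that is not a first neighbour) also keeps every hop on its path, which is what makes the slim view useful for deciding which direct dependency to bump.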

Run it against your own repo.

Same CLI that produced this page. Reads your lockfiles, pulls OSV + GHSA intel, writes to a local SQLite store. No cloud.

Install PackGuard