DEV Community: Nevin-Bali100

I Turned My npm Package Into a Full DevOps Security Toolkit (v2.0.0)

Nevin-Bali100 — Fri, 22 May 2026 19:06:33 +0000

A few weeks ago I published dep-inspector-cli — a dependency analyzer for Node.js projects. It went from 107 → 240 weekly downloads in a day, which honestly surprised me.
But the more I used it in real projects, the more I kept thinking: dependency scanning is just one piece. What about secrets, Docker misconfigs, broken CI pipelines?
So I rebuilt it. v2.0.0 is out now — and it's a completely different tool.

What changed
v1 did one thing: dependency + vulnerability analysis.
v2 does six:

The features in detail
🔐 scan:secrets — what it catches
This one I'm most proud of. It scans your entire codebase for:

AWS Access Keys & Secret Keys
OpenAI, Groq, GitHub tokens
Hardcoded JWT secrets
MongoDB / PostgreSQL connection strings with credentials
Stripe & Razorpay live keys (not test keys)
Generic password= / secret= assignments in source files
.env files not listed in .gitignore

The last one is important — it doesn't scan .env content (that's expected to have secrets), but it checks whether .env is gitignored. A surprising number of projects miss this.

dep-inspector scan:secrets

🔐 Secrets Scanner

✅ .env is gitignored
[HIGH] JWT Secret hardcoded
  File : src/middleware/auth.ts:12
  Code : const JWT_SECRET = "my-super-secret-key-123"

🐳 scan:docker — Dockerfile analysis

dep-inspector scan:docker

🐳 Docker Analysis

[HIGH]   No non-root USER defined — container runs as root
[MEDIUM] No HEALTHCHECK instruction
[MEDIUM] Using ':latest' tag — not reproducible, pin a specific version
[LOW]    npm install without --omit=dev — devDependencies included in image

Checks for:

Container running as root
Missing HEALTHCHECK
:latest tag (non-reproducible builds)
Secrets in ENV/ARG
Missing .dockerignore
Single-stage builds

⚙️ scan:ci — GitHub Actions linting
This one catches things that are easy to miss in CI configs:

dep-inspector scan:ci

⚙️  CI/CD Pipeline Analysis

[HIGH]   deploy.yml: Deprecated '::set-output' — replace with $GITHUB_OUTPUT
[HIGH]   pr.yml: pull_request_target + actions/checkout is a privilege escalation risk
[MEDIUM] build.yml: Actions using @main — pin to a specific version
[LOW]    build.yml: No caching configured — builds will be slow
The pull_request_target + actions/checkout combination is a real security issue that's bitten several open source projects. Good to catch it early.

🔌 scan:ports — port monitor

dep-inspector scan:ports

🔌 Port & Process Monitor

[WARN] :27017 — Port 27017 is publicly exposed — restrict to localhost
[WARN] :6379  — Port 6379 is publicly exposed — restrict to localhost
[OK]   :3000
[OK]   :443

Flags database ports (MongoDB, Redis, PostgreSQL, MySQL) that are exposed on 0.0.0.0 instead of localhost. Works on both Linux and Windows.

📋 scan:logs — logger health

dep-inspector scan:logs

📋 Logger Health Check

✅ winston detected
⚠️  winston-daily-rotate-file not found — logs may grow unbounded
⚠️  LOG_LEVEL not set in .env — logger may default to verbose in production

Zero AI dependency by default
v1 had a problem: if you didn't have GROQ_API_KEY, the tool felt incomplete. Several people mentioned this in feedback.
v2 fixes it properly. Every scan is pure static analysis — regex, file parsing, CLI wrappers. No API calls, no keys, works offline, works in CI.
The --ai flag is additive:

# Works for everyone
dep-inspector scan:secrets

# Optional enhanced output if you have a Groq key
dep-inspector scan:secrets --ai

I also dropped LangChain entirely and moved to the official groq-sdk. Fewer dependencies, no transitive vulnerabilities, faster installs.

CI/CD integration

yaml# .github/workflows/security.yml
name: Security Scan
on: [push, pull_request]

jobs:
  dep-inspector:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm install -g dep-inspector-cli
      - run: dep-inspector scan:secrets --json > secrets.json
      - run: dep-inspector scan:ci
      - uses: actions/upload-artifact@v4
        with:
          name: security-reports
          path: "*.json"

Fail build on HIGH severity findings:

bashdep-inspector scan:secrets --json | node -e "
  let d = '';
  process.stdin.on('data', c => d += c);
  process.stdin.on('end', () => {
    const { findings } = JSON.parse(d);
    const high = findings.filter(f => f.severity === 'HIGH').length;
    if (high > 0) { process.exit(1); }
  });
"

What's next

1. .git history scanning (catch secrets that were deleted but still in history)
2. scan:docker — docker-compose multi-service analysis
3. --report flag — HTML report with charts
4. Custom rules via .depinspectorrc

Try it:

npm install -g dep-inspector-cli
cd your-project
dep-inspector scan:all

📦 npm: npmjs.com/package/dep-inspector-cli
🐙 GitHub: github.com/Nevin100/Dep-inspector-cli
If it's useful, a ⭐ on GitHub helps a lot. Issues and PRs are open

I Built & Published My First npm Package: dep-inspector-cli

Nevin-Bali100 — Mon, 20 Apr 2026 16:28:12 +0000

And it went from 107 → 240 weekly downloads in a day.!!!!

I've been building full-stack apps for a while now — Next.js, TypeScript, PostgreSQL, MongoDB, and much more. But I'd never shipped something to the npm registry before. *dep-inspector-cli * changed that.
Here's the honest story of what it does, why I built it, and what's coming next.

The Problem:

Every Node.js project eventually runs into this moment:
npm audit

You get a wall of text. Severity levels, CVE IDs, a list of packages - but zero context about which of your actual dependencies pulled the vulnerable one in, or what you should realistically do about it.
I wanted something that actually connected the dots.

The Solution:

What dep-inspector-cli Does

npm install -g dep-inspector-cli
dep-inspector

Run it from your project root and you get:
🌳 Visual Dependency Tree — shows your full dep graph with outdated versions flagged inline, not as a separate report.
🛡️ Vulnerability Scan — wraps npm audit but surfaces results with severity, version delta, and a breaking-change warning if the fix is a major bump.
🔗 Dependency Chains — this is the part I care most about. It traces exactly which package in your tree pulled in the vulnerable dep. No more guessing.
📦 Package Context — homepage, author, repo link for flagged packages. Because knowing what a package is matters when you're deciding whether to update or swap it out.
🤖 AI Insights (optional) — add --ai and it uses Groq (llama-3.3-70b) to give you a plain-English breakdown: what the vuln is, what it affects in your specific project, and a recommended fix.
📄 JSON Output — --json flag for CI/CD pipelines. Fail the build if vulnerabilities are found, upload reports as artifacts, the works.

Example Output:

⚠️  Vulnerability Analysis

📦 axios
  Severity   : HIGH
  Version    : 0.21.1 → 1.7.2
  ⚠️  Breaking change possible!
  Repo       : https://github.com/axios/axios
  🔗 Chain: root → axios

💡 Fix Suggestions
  → axios: npm install axios@latest

CI/CD Integration

- name: Check dependencies
  run: dep-inspector --json > dep-report.json

- name: Upload report
  uses: actions/upload-artifact@v3
  with:
    name: dependency-report
    path: dep-report.json

Tech Stack

I used following tech stack to develop the initial version of this npm package:

TypeScript (fully typed)
Commander.js for CLI parsing
Chalk + Ora for terminal UX
LangChain + Groq for the --ai flag
Semver for version comparison

What's Coming Next (v1.2+):

The current version handles vulnerability scanning well, but I want dep-inspector to be genuinely useful for production-grade projects too. Here's what I'm actively working on:

🏥 Dependency Health Scoring - an overall health score for your project's dependency tree. Factors: vulnerability count, how outdated your deps are, and whether maintainers are active. One number that tells you roughly how much debt you're carrying.
📊 Production Package Support - first-class analysis for packages like winston, pino, morgan (logging), helmet, cors, express-rate-limit (security middleware), dotenv, zod (config/validation). Currently, these show up in the tree, but there's no opinionated analysis. Coming soon: known best-practice checks and upgrade guidance specific to each ecosystem.
🔍 License Audit - flag packages with restrictive licenses (GPL, AGPL) that might be a problem in commercial projects.
📈 Trend Tracking — run dep-inspector over time and see if your health score is improving or regressing. Useful for teams that do regular dependency maintenance sprints.

Try It and can raise an issue and some suggestions in the comments:

npm install -g dep-inspector-cli
cd your-project
dep-inspector

📦 npm: npmjs.com/package/dep-inspector-cli
🐙 GitHub: https://github.com/Nevin100/Dep-inspector-cli

If it's useful, a ⭐ on GitHub goes a long way. And if you run into issues or have feature requests — PRs are open.

Revision and completing Nextronix.ai

Nevin-Bali100 — Tue, 06 May 2025 17:54:21 +0000

Just did revision of nextjs while completing the nextronix.ai Project.

Day 4 of coding and learning!!!

Nextronix.ai on the verge of complete!!

Nevin-Bali100 — Mon, 05 May 2025 16:23:06 +0000

Nextronix Diet: Forks Over Fail

Nevin-Bali100 — Sat, 03 May 2025 18:10:32 +0000

Welcome to Nextronix.ai — my AI-powered fitness diet planner, built as part of my journey to master full-stack development and AI integration! Powered by Gemini API, Vapi Voice Assistant, and crafted using Next.js, TypeScript, Convex DB, and Clerk, this project listens to your voice, gathers key details, and creates a free, personalized diet plan just for you.

🔹 AI Voice Assistant Calls (via Vapi)
🔹 Info gathering through natural conversation
🔹 Personalized fitness diet plan
🔹 Real-time database with Convex
🔹 Auth handled by Clerk
🔹 Built for learning, sharing, and consistency

Learning from the tutorial on Youtube: Codesistency

This is Day 2 (missed Day 1 😅), but I’m showing up consistently from here on!

Insightful Article Post

Nevin-Bali100 — Tue, 13 Aug 2024 18:17:39 +0000

I read this post on the dev.daily about the good and bad commit changes on the git which I found quite insightful.
It was able to draw some important conclusions regarding the approach of doing proper commits but also I would like to add my perspective that for some scenarios,one can stash their current changes and can move to higher branch.

post link : https://dev.to/sheraz4194/good-commit-vs-bad-commit-best-practices-for-git-1plc
credits: Sheraz Manzoor

My-Portfolio

Nevin-Bali100 — Mon, 12 Aug 2024 16:44:02 +0000

As a Full Stack Developer, I have created a dynamic portfolio using React JS and Framer-motion. It showcases my skills and projects, highlighting my expertise in building efficient and user-friendly web applications. Let's connect and explore new opportunities!