u/OkBeach744

I got hit by a vulnerable npm package in prod. So I built a tool to stop it happening again

**Show HN-style: I built DevShield — npm security auditor + credential breach checker in one tool**

Hey r/webdev — built this over the last few months and finally feel good enough about it to share.

**What it does:**

- Scans any npm package for CVEs, risk score, maintenance health, and download stats

- Checks emails and passwords against 7B+ breach records using k-Anonymity (password never sent in plain text)

- Team dashboard to track vulnerabilities across all your repos and set CI/CD block policies

- Breach timeline visualization built with D3

**Why I built it:** `npm audit` tells you there's a problem. It doesn't tell you how bad it is, whether the package is even maintained anymore, or whether your team's credentials are already out there.

It's free to try, no account needed for the npm and credential tools.

👉 https://devsheild.live

Happy to answer questions about how anything works under the hood. Especially the k-Anonymity implementation — that part was interesting to build.

u/OkBeach744 — 16 hours ago
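
The k-Anonymity password check mentioned in the post, as an added example (not DevShield's code and not from the post's author). The post does not say which scheme the tool uses, so this assumes the SHA-1, 5-hex-character prefix scheme popularised by the Pwned Passwords range API; the corpus, `rangeQuery` and `serverLog` are constructed stand-ins so it runs offline.

```javascript
// Added example: k-anonymity range lookup with a simulated server (no network).
const { createHash } = require("crypto");

const sha1Hex = (s) =>
  createHash("sha1").update(s, "utf8").digest("hex").toUpperCase();

// Constructed breach corpus: [password, times seen]. Not real breach data.
const BREACHED = [["password", 3], ["123456", 12], ["qwerty", 7]];

// Server side (hypothetical): bucket hashes by their first 5 hex chars.
function buildIndex(corpus) {
  const index = new Map();
  for (const [pw, count] of corpus) {
    const h = sha1Hex(pw);
    const prefix = h.slice(0, 5);
    if (!index.has(prefix)) index.set(prefix, []);
    index.get(prefix).push(`${h.slice(5)}:${count}`); // suffix:count lines
  }
  return index;
}

const serverLog = []; // everything the server ever receives from clients
function rangeQuery(index, prefix) {
  if (!/^[0-9A-F]{5}$/.test(prefix)) throw new Error("prefix must be 5 hex chars");
  serverLog.push(prefix);
  return (index.get(prefix) || []).join("\n");
}

// Client side: hash locally, send only the prefix, match the suffix locally.
function checkPassword(password, query) {
  const h = sha1Hex(password);
  const prefix = h.slice(0, 5);
  const suffix = h.slice(5);
  for (const line of query(prefix).split("\n")) {
    const [candidate, count] = line.trim().split(":");
    if (candidate === suffix) return parseInt(count, 10);
  }
  return 0; // not present in the returned bucket
}

const INDEX = buildIndex(BREACHED);
const query = (prefix) => rangeQuery(INDEX, prefix);
console.log("breach count:", checkPassword("password", query));
console.log("server saw only:", serverLog);
```

The server learns 20 bits of the hash and nothing else, so the privacy guarantee depends on each prefix bucket holding many candidate hashes; with a small corpus like this one a prefix nearly identifies the password.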