hot summer

Composition rules over Socket alerts + hot-summer's in-house signals (per-package burst, maintainer-count delta, provenance regression/drift) + reachability. Severity is deterministic: the rule that fired is shown alongside each finding. Suppression rules live in config/signals-allowlists.json server-side (no in-UI suppression yet).
OSV.dev scan — automated cross-check against known advisories
Pulls advisories live from api.osv.dev/v1/querybatch. Posts every (dep, version) pair in the inventory in one batch and groups any hits by the release that installs them. No auth, no API key, no new project deps.
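The batching and grouping step described above, as an added example that is not hot-summer's own code: it deduplicates (name, version) pairs into a single querybatch body, maps each result back onto every release that installs the pair, and keeps only releases with at least one hit. The inventory, the release names and the response body are constructed for the example; the real endpoint returns only advisory ids and modified timestamps per query, so details still need a follow-up lookup per id.

```python
"""Build an OSV.dev querybatch request from a dependency inventory and group the
hits by installing release. Added example; inventory and response are constructed."""
import json
import urllib.request
from collections import defaultdict

OSV_QUERYBATCH = "https://api.osv.dev/v1/querybatch"

# Constructed inventory: which release installs which (package, version).
INVENTORY = [
    {"release": "@clerk/nextjs@5.0.0", "name": "cookie", "version": "0.6.0"},
    {"release": "@clerk/nextjs@5.0.0", "name": "lodash", "version": "4.17.21"},
    {"release": "@clerk/nextjs@5.1.0", "name": "cookie", "version": "0.6.0"},
    {"release": "@clerk/nextjs@5.1.0", "name": "cookie", "version": "0.7.0"},
]

# Constructed response in the querybatch shape: results[i] answers queries[i].
# The id reuses the CVE mentioned on the page purely as sample data.
SAMPLE_RESPONSE = {
    "results": [
        {"vulns": [{"id": "CVE-2024-47764", "modified": "2024-10-04T00:00:00Z"}]},
        {},          # lodash@4.17.21: no hits, OSV omits the key entirely
        {"vulns": []},  # cookie@0.7.0: fixed version, empty list
    ]
}


def unique_pairs(inventory):
    """Deduplicate (name, version) pairs, first-seen order, so one batch entry
    covers every release that installs the same pair."""
    pairs = []
    for dep in inventory:
        pair = (dep["name"], dep["version"])
        if pair not in pairs:
            pairs.append(pair)
    return pairs


def build_querybatch(pairs, ecosystem="npm"):
    """Request body for POST /v1/querybatch: one query per (name, version)."""
    return {
        "queries": [
            {"package": {"name": name, "ecosystem": ecosystem}, "version": version}
            for name, version in pairs
        ]
    }


def post_querybatch(body):
    """Live call (not used by the offline demo). No auth header is required."""
    req = urllib.request.Request(
        OSV_QUERYBATCH,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def group_hits_by_release(inventory, pairs, response):
    """Map results[i] back to pairs[i], then onto every release installing it.
    Returns {release: {"name@version": [advisory ids]}} for releases with hits."""
    results = response.get("results", [])
    if len(results) != len(pairs):
        raise ValueError("results length does not match queries length")
    hits = {
        pair: [v["id"] for v in res.get("vulns", [])]
        for pair, res in zip(pairs, results)
    }
    grouped = defaultdict(dict)
    for dep in inventory:
        ids = hits.get((dep["name"], dep["version"]), [])
        if ids:
            grouped[dep["release"]][f'{dep["name"]}@{dep["version"]}'] = ids
    return dict(grouped)


def scan_inventory(inventory=INVENTORY, response=SAMPLE_RESPONSE):
    """End-to-end offline run over the constructed data."""
    pairs = unique_pairs(inventory)
    body = build_querybatch(pairs)
    assert len(body["queries"]) == len(pairs)
    return group_hits_by_release(inventory, pairs, response)


if __name__ == "__main__":
    print(json.dumps(scan_inventory(), indent=2))
```

Swapping `SAMPLE_RESPONSE` for `post_querybatch(build_querybatch(pairs))` makes the same grouping run against the live service; the length check guards against a partial or reordered result set being silently misattributed to the wrong dependency.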
For a custom IOC list, use the Reverse lookup tab — it accepts multi-line input for bulk scans with a clean/dirty rollup.
Per-package dependency change log from npm publish history. Grouped by major version + Core line, newest first. Gaps in the version sequence (e.g. 5.125.8 absent between .7 and .9) are flagged automatically: the version was either never published or unpublished after release, and the registry collapses both cases. For Clerk, the broader pattern (paired with missing git tags) usually points at release-workflow flakiness rather than deliberate npm unpublishes.
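The gap check described above, as an added example rather than hot-summer's own code: it groups published versions by major.minor line, flags any patch number missing between the lowest and highest seen in that line, skips prerelease strings so they neither fill nor create gaps, and cross-references the published set against git tags to list versions on the registry that carry no tag. The version list and tag names are constructed; the tag naming scheme is an assumption.

```python
"""Flag gaps in an npm publish sequence and published versions with no git tag.
Added example; versions and tags below are constructed sample data."""
import re
from collections import defaultdict

# Only stable major.minor.patch; prereleases (5.125.8-snapshot.x) are skipped.
STABLE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")

# Constructed publish history in arbitrary registry order.
PUBLISHED = [
    "5.125.7", "5.125.9", "5.125.10", "5.125.8-snapshot.v1",
    "5.126.0", "5.126.1", "6.0.0",
]

# Constructed git tags; the "name@version" scheme is an assumption.
TAGS = {
    "@clerk/nextjs@5.125.7", "@clerk/nextjs@5.125.9",
    "@clerk/nextjs@5.126.0", "@clerk/nextjs@5.126.1", "@clerk/nextjs@6.0.0",
}


def stable_lines(versions):
    """Group stable versions into {(major, minor): {patch, ...}}."""
    lines = defaultdict(set)
    for v in versions:
        m = STABLE.match(v)
        if m:
            major, minor, patch = map(int, m.groups())
            lines[(major, minor)].add(patch)
    return lines


def find_gaps(versions):
    """Return {"major.minor": ["major.minor.patch", ...]} for every patch number
    missing between the lowest and highest published patch in that line."""
    gaps = {}
    for (major, minor), patches in sorted(stable_lines(versions).items()):
        expected = set(range(min(patches), max(patches) + 1))
        missing = sorted(expected - patches)
        if missing:
            gaps[f"{major}.{minor}"] = [f"{major}.{minor}.{p}" for p in missing]
    return gaps


def untagged(versions, tags, package="@clerk/nextjs"):
    """Stable versions present on the registry but with no matching git tag."""
    return sorted(
        v for v in versions
        if STABLE.match(v) and f"{package}@{v}" not in tags
    )


def latest_per_major(versions):
    """Highest stable version in each major line, for the 'latest major' column."""
    best = {}
    for (major, minor), patches in stable_lines(versions).items():
        cand = (minor, max(patches))
        if major not in best or cand > best[major]:
            best[major] = cand
    return {major: f"{major}.{minor}.{patch}" for major, (minor, patch) in best.items()}


if __name__ == "__main__":
    print("gaps:", find_gaps(PUBLISHED))
    print("untagged:", untagged(PUBLISHED, TAGS))
    print("latest per major:", latest_per_major(PUBLISHED))
```

A gap that coincides with an untagged neighbour (5.125.10 here is published but untagged, next to the missing 5.125.8) is the "release-workflow flakiness" pattern the page describes; a gap whose neighbours are all tagged is the case worth checking against the registry's unpublish history.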
Examples: cookie + <0.7.0 (CVE-2024-47764); ^@next/ (regex); tanstack (substring); bcoe + maintainer mode (SC blast radius). Paste multiple lines for a bulk IOC scan with clean/dirty rollup.