Vet the package before you install it.
Your agent’s training data is stale for new CVEs, blind to license traps, and can’t know your org’s policy. starlog_facts puts a sourced, dated fact record in front of it at decision time.

Public corpus — ua-parser-js
$agent “I’m adding User-Agent parsing to our Next.js app. Can I use ua-parser-js? Go ahead and add it if it’s fine.”
→ npm install ua-parser-js
× picks a version blind to the Oct-2021 supply-chain incident
$agent “...Can I use ua-parser-js?”
→ starlog_facts(“ua-parser-js”)
ua-parser-js (npm)
Effect surface: Parses User-Agent strings; pure data transformation, in-process.
Capabilities: parsing
Maintenance: active
License: MIT (risk: none)
Known vulnerabilities / incidents:
affected: 0.7.29, 0.8.0, 1.0.0 — Maintainer account hijacked (Oct 2021); these versions shipped a password stealer and cryptominer. Treat installs as account-compromise.
Transitive risk: Frequently a transitive dep — pin away from the three bad versions.
Source: GitHub Security Advisory; CISA alert Oct 2021 (hand)
Verified: as of 2026-06-01
✓ safe to use — pinned away from 0.7.29 / 0.8.0 / 1.0.0
Org-private overlay — @acme/internal-auth
$agent “I’m setting up login for our new ACME service. Can I use @acme/internal-auth? Go ahead and add it if it’s fine.”
→ npm install @acme/internal-auth
× no public model can know your org’s internal deprecation policy
$agent “...Can I use @acme/internal-auth?”
→ starlog_facts(“@acme/internal-auth”)
@acme/internal-auth
Maintenance: deprecated
License: LicenseRef-ACME-Proprietary
affected: all versions — Org security policy SEC-114: @acme/internal-auth deprecated internally 2026-02; migrate to @acme/auth-v2; do not use in new services.
✓ steered to @acme/auth-v2 (ACME Auth v2) — the sanctioned replacement per SEC-114
Point STARLOG_PRIVATE_FACTS at your own JSON file and your internal blocklists override the public corpus — a fact no public model can know.

@acme is a fictional org; this column demonstrates the private-overlay mechanism with your own data, not a verified public claim.
starlog_facts
Look up authoritative facts about a software package: known vulnerabilities/CVEs and supply-chain incidents, SPDX license and license risk, maintenance status (active/deprecated/abandoned/compromised), and what the package can do (effect surface). Use it to vet a package before recommending it.
package: string (required) — The package name to look up, e.g. “ua-parser-js”
context: string (optional) — Optional project context for relevance, e.g. “Next.js SaaS, needs SSO”
starlog facts ua-parser-js
starlog facts ua-parser-js --format json
STARLOG_PRIVATE_FACTS=./private-facts.json starlog facts @acme/internal-auth

Runs on your machine. A miss is an honest answer, not an error — starlog facts exits 0 whether or not a record exists.

For your org’s private facts, point STARLOG_PRIVATE_FACTS at your own JSON file — your internal blocklists override the public corpus.
Public + private
The public corpus is 11 verified records — each sourced and dated. An org-private overlay merges over the public corpus and wins on collision, so your internal policy beats the public fact. Only verified records are served.
Honesty + recency
Every record is dated — starlog_facts prints “as of <date>” (the public corpus is current as of 2026-06-01). Misses are honest: ask about a package with no record and it says “No facts on file” rather than guessing.
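The merge and miss behaviour described in the two sections above, modelled in an added example that is not starlog’s own code: the record schema, the field names and every record below are constructed for illustration (@acme is the page’s fictional org), and the real tool’s JSON layout is an assumption.

```javascript
// Added example (not starlog's own code): an in-memory model of how a private
// overlay merges over the public corpus, wins on collision, serves only verified
// records, and answers a miss with "No facts on file". All records are constructed.
const PUBLIC_CORPUS = {
  "ua-parser-js": {
    maintenance: "active", license: "MIT", verified: "2026-06-01",
    affected: ["0.7.29", "0.8.0", "1.0.0"],
    note: "Maintainer account hijacked (Oct 2021); affected versions shipped malware.",
  },
  // Constructed unverified record: it has no date, so it must never be served.
  "example-unverified": { maintenance: "abandoned", license: "MIT", verified: null, affected: [] },
};

// What STARLOG_PRIVATE_FACTS would load (constructed; @acme is a fictional org).
const PRIVATE_OVERLAY = {
  "@acme/internal-auth": {
    maintenance: "deprecated", license: "LicenseRef-ACME-Proprietary", verified: "2026-02-01",
    affected: "all", note: "SEC-114: deprecated internally; migrate to @acme/auth-v2.",
  },
  // Collides with the public record: the org's own policy must win.
  "ua-parser-js": {
    maintenance: "deprecated", license: "MIT", verified: "2026-03-01",
    affected: "all", note: "Constructed org policy: use the vetted internal UA wrapper instead.",
  },
};

// Merge: private keys replace public keys; undated records are dropped (assumed schema).
function mergeCorpus(publicCorpus, privateOverlay) {
  const merged = { ...publicCorpus, ...privateOverlay };
  return Object.fromEntries(Object.entries(merged).filter(([, rec]) => Boolean(rec.verified)));
}

// Decide whether pkg@version may be installed under the given corpus.
function vet(corpus, pkg, version) {
  const rec = corpus[pkg];
  if (!rec) return { status: "no-facts", message: `No facts on file for ${pkg}` };
  const versionHit = rec.affected === "all" || rec.affected.includes(version);
  const statusHit = ["deprecated", "compromised"].includes(rec.maintenance);
  const status = versionHit || statusHit ? "blocked" : "ok";
  return { status, asOf: rec.verified, message: `${pkg}@${version}: ${status} (${rec.note}; as of ${rec.verified})` };
}

// Stand-alone run: the public-only view versus the merged view.
const publicOnly = mergeCorpus(PUBLIC_CORPUS, {});
const merged = mergeCorpus(PUBLIC_CORPUS, PRIVATE_OVERLAY);
console.log(vet(publicOnly, "ua-parser-js", "1.0.2").message);     // ok under public facts
console.log(vet(merged, "ua-parser-js", "1.0.2").message);         // blocked: overlay wins
console.log(vet(merged, "@acme/internal-auth", "3.0.0").message);  // blocked by SEC-114
console.log(vet(merged, "not-on-file", "1.0.0").message);          // No facts on file
```

The same package answers differently under the two views, and the "as of" date on the merged answer comes from the overlay record, which is what lets an org policy override a public fact without hiding its provenance.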