POC Walkthrough — helmet (npm)
Last updated: 2026-05-24
The helmet package is the canonical "healthy security middleware" walkthrough in the CleanLibrary POC. It demonstrates a stable ALLOW verdict across a major-version boundary, which is useful both for understanding what a clean verdict looks like and for validating that legitimate security tooling does not produce false-positive risk signals.
Versions covered
| Version | Decision | Severity | Confidence |
|---|---|---|---|
| 7.0.0 | ALLOW | None | 0.93 |
| 7.1.0 | ALLOW | None | 0.94 |
| 8.0.0 | ALLOW | None | 0.95 |
| 8.1.0 | ALLOW | None | 0.96 |
| 8.2.0 | ALLOW | None | 0.97 |
Confidence rises modestly with version recency (more deployment signal). All versions return ALLOW with no findings.
1. Query a verdict
```bash
curl -sH "Authorization: Bearer your-poc-key" \
  https://cleanapp.clnstrt.dev/v1/customer/verdicts/npm/helmet/8.2.0 | jq
```

```json
{
  "verdict_id": "01KDVDNA00000000000000200A",
  "verdict": "ALLOWED_NO_FINDINGS",
  "source": "ALLOWED_NO_FINDINGS",
  "confidence": 0.97,
  "composite_score": 11,
  "severity": "NONE",
  "reasoning": "helmet 8.2.0 — security middleware; no findings; widely deployed",
  ...
}
```
2. Cross-version consistency check
```bash
for v in 7.0.0 7.1.0 8.0.0 8.1.0 8.2.0; do
  echo -n "helmet@$v: "
  curl -sH "Authorization: Bearer your-poc-key" \
    https://cleanapp.clnstrt.dev/v1/customer/verdicts/npm/helmet/$v | jq -r .verdict
done
# helmet@7.0.0: ALLOWED_NO_FINDINGS
# helmet@7.1.0: ALLOWED_NO_FINDINGS
# helmet@8.0.0: ALLOWED_NO_FINDINGS
# helmet@8.1.0: ALLOWED_NO_FINDINGS
# helmet@8.2.0: ALLOWED_NO_FINDINGS
```
All ALLOW. No false positives across the major-version boundary.
3. SDK flow
```typescript
import { CleanlibClient } from "@cleanstart/cleanlib-sdk";

const client = new CleanlibClient("https://cleanapp.clnstrt.dev", { apiKey: "your-poc-key" });
const verdict = await client.fetchVerdict("npm", "helmet", "8.2.0");
// → ALLOWED_NO_FINDINGS, confidence 0.97
```
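The REST query in step 1 and the cross-version loop in step 2 are usually wired into a CI gate rather than run by hand. The following is an added example, not code from the CleanLibrary POC docs or SDK: it consumes the verdict JSON fields shown above (`verdict`, `confidence`, `severity`, `composite_score`), applies a pass/review policy, and flags a verdict split between versions. The policy threshold and the sample responses are constructed for illustration.

```javascript
// Same endpoint as the curl step; apiKey is the bearer token from onboarding.
const VERDICT_URL = "https://cleanapp.clnstrt.dev/v1/customer/verdicts";

// Fetch the raw verdict JSON for one package version (needs Node 18+ fetch).
async function fetchVerdictJson(ecosystem, name, version, apiKey) {
  const url = `${VERDICT_URL}/${ecosystem}/${encodeURIComponent(name)}/${version}`;
  const res = await fetch(url, { headers: { Authorization: `Bearer ${apiKey}` } });
  if (!res.ok) throw new Error(`verdict lookup failed: HTTP ${res.status}`);
  return res.json();
}

// Policy (assumed, not the product's own): pass only on ALLOWED_NO_FINDINGS with
// severity NONE and confidence at or above the threshold; anything else is "review".
function evaluateVerdict(v, minConfidence = 0.9) {
  const reasons = [];
  if (v.verdict !== "ALLOWED_NO_FINDINGS") reasons.push(`verdict=${v.verdict}`);
  if (v.severity !== "NONE") reasons.push(`severity=${v.severity}`);
  if (typeof v.confidence !== "number" || v.confidence < minConfidence)
    reasons.push(`confidence=${v.confidence} < ${minConfidence}`);
  return { pass: reasons.length === 0, reasons };
}

// Cross-version consistency: every version must pass and share one verdict string.
// A split (e.g. ALLOW on 7.x but not on 8.x) is reported so a human reviews it.
function checkConsistency(verdictsByVersion, minConfidence = 0.9) {
  const distinct = new Set(Object.values(verdictsByVersion).map((v) => v.verdict));
  const failing = Object.entries(verdictsByVersion)
    .filter(([, v]) => !evaluateVerdict(v, minConfidence).pass)
    .map(([ver]) => ver);
  return { consistent: distinct.size === 1 && failing.length === 0, failing };
}

// Constructed sample responses mirroring the helmet table above (not live API output).
const SAMPLE = {
  "7.0.0": { verdict: "ALLOWED_NO_FINDINGS", confidence: 0.93, severity: "NONE", composite_score: 15 },
  "8.2.0": { verdict: "ALLOWED_NO_FINDINGS", confidence: 0.97, severity: "NONE", composite_score: 11 },
};

console.log(JSON.stringify(checkConsistency(SAMPLE)));
```

To run it against the live API, replace `SAMPLE` with the results of `fetchVerdictJson("npm", "helmet", v, apiKey)` for each version in the table.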
4. VS Code flow
CleanLibrary: Fetch verdict for package → npm → helmet → 8.2.0.
Expected: green check icon, ALLOW, reasoning "security middleware; no findings; widely deployed".
5. What this walkthrough validates
| Capability | Demonstrated by helmet |
|---|---|
| Stable ALLOW for healthy package | Five versions, all ALLOW |
| No false-positive risk signal | Confidence high, composite_score low (11-15), severity None |
| Cross-major-version consistency | 7.x and 8.x both ALLOW |
| Confidence signaling sustainability | Confidence rises modestly with version recency |
6. What to look for during evaluation
- Does helmet's ALLOW verdict match your team's existing assessment?
- Does the "no findings; widely deployed" reasoning give your engineers actionable signal (low-effort go-ahead)?
- Compare confidence for 7.0.0 and 8.2.0: does the gradient match your team's intuition about recency and adoption signal?
Feedback channel: see API Key Onboarding §7.