npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@iimmpact-sdn-bhd/catalog-sdk

v0.1.6

Published

React wrapper for the IIMMPACT hosted catalog checkout SDK.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Maintainers

tommy.chuatommy.chuanashrinnashrin

Keywords

iimmpactcatalogsdkreactcheckout

Readme

IIMMPACT Catalog SDK

React wrapper for the hosted IIMMPACT catalog checkout experience.

This follows the same industry pattern used by Plaid Link and Stripe Embedded Checkout:

  1. The client backend creates a short-lived bootstrap token using HMAC credentials.
  2. The client frontend passes that token to this React wrapper.
  3. The wrapper opens the hosted catalog UI in a sandboxed iframe.
  4. The hosted UI exchanges the bootstrap token and runs catalog and order calls internally.
  5. The hosted UI reports payment handoff, exit, event, or error callbacks to the parent app.

HMAC credentials must never be sent to the browser.

Install

npm install @iimmpact-sdn-bhd/catalog-sdk

The package has React as a peer dependency:

npm install react react-dom

React usage

import { CatalogLink } from '@iimmpact-sdn-bhd/catalog-sdk'

export function CheckoutButton() {
  const bootstrapToken = 'token-from-your-backend'

  return (
    <CatalogLink
      bootstrapToken={bootstrapToken}
      widgetUrl="https://catalog.iimmpact.com"
      onSuccess={(result) => {
        console.log('Catalog checkout completed', result.orderId)
      }}
      onExit={({ reason }) => {
        console.log('Catalog checkout closed', reason)
      }}
      onError={(error) => {
        console.error('Catalog checkout failed', error.message)
      }}
    >
      {({ open, status }) => (
        <button disabled={status === 'loading'} onClick={open} type="button">
          Open catalog
        </button>
      )}
    </CatalogLink>
  )
}

Backend bootstrap-token flow

Your backend creates the bootstrap token with HMAC signing:

POST /v2/sdk/catalog/sessions
Content-Type: application/json
X-Api-Key: <client api key>
X-Timestamp: <unix timestamp>
X-Nonce: <unique nonce>
X-Signature: v1=<base64 hmac signature>

{
  "platform": "web",
  "user_id": "customer-123",
  "ic_number": "900101101234",
  "phone_number": "60123456789",
  "name": "Jane Customer",
  "email": "[email protected]"
}

Return only the short-lived session_token to your frontend. Do not return the HMAC secret.

platform, user_id, ic_number, and phone_number are required. name and email are optional.

Hosted UI configuration

The hosted catalog app must be deployed with the client origins that are allowed to embed it:

VITE_CATALOG_SDK_ALLOWED_ORIGINS=https://client.example.com,https://staging-client.example.com

Messages from other origins are ignored.

Build outputs

npm run build:hosted
npm run build:sdk
  • dist/ contains the hosted Vite app.
  • dist/sdk/ contains the npm package bundle and TypeScript declarations.

Verification

npm test
npm run build
npm audit --audit-level=moderate

Security model

  • HMAC signing stays server-side.
  • Browser receives only a short-lived bootstrap token.
  • Hosted UI receives the token through postMessage after origin validation.
  • The iframe is sandboxed and the npm wrapper exposes only callbacks.
  • Success callbacks return payment handoff metadata, not credentials or bearer tokens.

Local development

npm install
npm run dev

For staging E2E checks, configure .env from .env.example and use the SDK host test route at /__sdk-host-test.