npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@laststance/npm-publish-tool

v2.0.0

Published

Automates the setup of release-it in user projects with proper versioning, changelogs, and GitHub releases

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

ryotamurakamiryotamurakami

Keywords

release-itnpmpublishautomationgithub-actionsversioningchangelog

Readme

Feature

🚀 Release npm package with npm run push-release-commit command 📦 Autogenerate Github release page 🔧 Publish NPM in GitHub Actions by release-it 🔐 OIDC Trusted Publishing (no NPM_TOKEN needed)

Usage (after install complete)

npm run push-release-commit

Requirements

  • Node.js 20.0.0 or higher

1. Installation

npx @laststance/npm-publish-tool@latest init # generate .release-it.json/.github/workflows/release.yml, add `push-release-commit` npm script in package.json
npm install -D @laststance/npm-publish-tool # install `push-release-commit` script file

2. Configure npm Trusted Publishing (OIDC)

Why OIDC? (Shai-Hulud Attack Background)

In late 2025, the Shai-Hulud worm attack compromised 1,150+ npm packages by stealing NPM_TOKEN secrets from repositories. The attack:

  • Affected 20+ million weekly downloads
  • Caused ~$50M in cryptocurrency theft
  • Was the first self-replicating worm in the JavaScript ecosystem

npm's response: OIDC Trusted Publishing (GA July 2025) eliminates long-lived tokens entirely. This tool now uses OIDC by default - no NPM_TOKEN needed.

Setup Steps

Step 1: First Publish (One-time only)

OIDC only works after your package exists on npm. For the first publish:

npm publish --access public

Step 2: Configure Trusted Publishing on npmjs.com

  1. Go to npmjs.com → Your Package → Settings
  2. Scroll to "Trusted Publishing" section
  3. Click "Add GitHub Actions"
  4. Fill in: | Field | Value | |-------|-------| | Owner | Your GitHub username or org (e.g., laststance) | | Repository | Your repo name (e.g., my-package) | | Workflow | release.yml | | Environment | (leave empty) |
  5. Click "Add Trusted Publisher"

Step 3: (Recommended) Disable Token Publishing

For maximum security, after enabling OIDC:

  1. Go to Package Settings → Publishing Access
  2. Select "Require two-factor authentication and disallow tokens"

This completely disables token-based publishing while OIDC continues working.

Required Secret

Only one secret is needed now:

  • GITHUB_TOKEN: Automatically provided by GitHub Actions (no setup needed)

Note: NPM_TOKEN is no longer required with OIDC Trusted Publishing.

How OIDC Works

┌─────────────────────────────────────────────────────────────┐
│                    OIDC Trusted Publishing                  │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│  GitHub Actions                        npmjs.com           │
│  ┌───────────┐                        ┌───────────┐        │
│  │ release.  │  ──── OIDC Token ────► │  Package  │        │
│  │ yml       │       (short-lived)    │  Registry │        │
│  └───────────┘                        └───────────┘        │
│       │                                     │              │
│       │ id-token: write                     │ Verify:      │
│       │ permission                          │ - owner      │
│       ▼                                     │ - repo       │
│  Cryptographic                              │ - workflow   │
│  Identity                                   ▼              │
│                                        ✅ Publish!         │
│                                        + Provenance        │
└─────────────────────────────────────────────────────────────┘

3. Update .github/workflows/release.yml

Update the .github/workflows/release.yml file with your own build steps.

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

License

MIT © Ryota Murakami

Related