npm package discovery and stats viewer.

© 2026 – Pkg Stats / Ryan Hefner

@moshyfawn/safeship

v0.0.1

Published

One-shot setup for secure npm package publishing: OIDC trusted publishing, staged publishing, hardened CI/CD.

Readme

safeship

One-shot setup for secure npm package publishing: OIDC trusted publishing, staged publishing, hardened GitHub Actions workflows, and branch protection.

Usage

cd your-package
bunx @moshyfawn/safeship setup    # or: npx @moshyfawn/safeship setup

safeship inspects your repo, asks what to set up, and applies it. The one item it can't automate (the package-level "Require 2FA, disallow tokens" setting on npm) is printed as a clear follow-up.

Flags

--dry-run             Show what would happen without making changes
-y, --yes             Skip prompts; pick reasonable defaults
--package <name>      Override detected package name
--repo <owner/name>   Override detected GitHub repo

What it sets up

| Layer | What | Automated |
| --- | --- | --- |
| Release workflow | OIDC + npm stage publish of a prebuilt tarball; SHA-pinned actions; default-deny perms; --ignore-scripts everywhere | ✓ |
| CI workflow | PR + push-to-main lint, format-check, build | ✓ |
| GitHub Actions repo settings | SHA-pinning required, default read perms, allow Actions to approve PRs | ✓ |
| GitHub environment | npm-publish deployment environment | ✓ |
| Branch ruleset | Block deletion + force-push, require linear history, squash-only PRs, required status checks | ✓ |
| npm trusted publisher | GitHub Actions binding via npm trust github --allow-stage-publish | ✓ (interactive 2FA) |
| "Require 2FA, disallow tokens" on the package | npm UI toggle | Manual - instructions printed |
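The "GitHub Actions repo settings" and "Branch ruleset" rows, done by hand, as an added example (this is not safeship's own code). It uses the authenticated gh CLI against the REST API; the repo is passed as owner/name, the required status-check context "build" is an assumption (use whatever job name your CI workflow exposes), and the `allowed_merge_methods` field name is assumed from the rulesets API. The SHA-pinning-required policy is not covered here.

```shell
#!/usr/bin/env sh
# Added example, not safeship's code: apply the GitHub-side hardening from the
# table with `gh api`. Needs `gh auth login` and admin rights on the repo.
set -eu

# Actions workflow-token defaults: GITHUB_TOKEN is read-only unless a job opts
# in, and Actions may create/approve PRs (the toggle the table lists).
actions_settings_json() {
  printf '%s\n' '{"default_workflow_permissions":"read","can_approve_pull_request_reviews":true}'
}

apply_actions_settings() {  # usage: apply_actions_settings owner/name
  actions_settings_json | gh api -X PUT "repos/$1/actions/permissions/workflow" --input -
}

# Default-branch ruleset: no deletion, no force-push, linear history, PRs only
# (squash merges), and a required up-to-date status check. An empty
# bypass_actors list means nobody, admins included, can bypass it.
# required_approving_review_count is 0 so a solo maintainer is not locked out;
# raise it for multi-maintainer repos.
ruleset_json() {  # usage: ruleset_json <status-check-context>
  cat <<EOF
{
  "name": "protect-default-branch",
  "target": "branch",
  "enforcement": "active",
  "bypass_actors": [],
  "conditions": { "ref_name": { "include": ["~DEFAULT_BRANCH"], "exclude": [] } },
  "rules": [
    { "type": "deletion" },
    { "type": "non_fast_forward" },
    { "type": "required_linear_history" },
    { "type": "pull_request",
      "parameters": {
        "required_approving_review_count": 0,
        "dismiss_stale_reviews_on_push": true,
        "require_code_owner_review": false,
        "require_last_push_approval": false,
        "required_review_thread_resolution": false,
        "allowed_merge_methods": ["squash"]
      } },
    { "type": "required_status_checks",
      "parameters": {
        "strict_required_status_checks_policy": true,
        "required_status_checks": [ { "context": "$1" } ]
      } }
  ]
}
EOF
}

apply_ruleset() {  # usage: apply_ruleset owner/name <status-check-context>
  ruleset_json "$2" | gh api -X POST "repos/$1/rulesets" --input -
}

# Example (nothing is sent until you call these):
#   apply_actions_settings OWNER/NAME
#   apply_ruleset OWNER/NAME build
```

Pipe `ruleset_json build | jq .` first if you want to eyeball the payload; the ruleset is created as `enforcement: active` immediately, so a wrong status-check context will block every PR until it is fixed.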

Requirements

  • Node ≥ 22.14.0 (also runs under Bun ≥ 1.3 via bunx)
  • npm ≥ 11.15.0 (for npm trust and npm stage features)
  • gh CLI authenticated - required for the GitHub-side modules
  • npm authenticated - required for the trusted-publisher module

If gh or npm is missing or unauthenticated, safeship skips those modules with a warning and still writes the workflow files.

Why staged publishing?

npm stage publish uploads a tarball to a holding area; a maintainer with 2FA must approve before it goes live. Even if your CI is compromised, malicious code can't reach the public registry without a maintainer approving the staged release. That approval is only as strong as the review behind it, so inspect the staged tarball's contents and diff it against the previous version rather than rubber-stamping it. Combined with OIDC trusted publishing, SHA-pinned actions, --ignore-scripts, and branch protection, this is the layered defense recommended after the 2025 Shai-Hulud supply-chain attacks.
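What the "Release workflow" row and the staged-publish flow above look like in a workflow file, as an added example (not the workflow safeship generates), together with a lint that fails on any `uses:` not pinned to a full commit SHA. Assumptions: releases are tag-triggered (`v*`), the caller supplies the two action SHAs, `node-version: 22` satisfies the Node ≥ 22.14.0 requirement, and `npm stage publish <tarball>` takes the tarball as its argument (the command name comes from this README; the argument form is assumed).

```shell
#!/usr/bin/env sh
# Added example, not safeship's generated workflow: write a hardened release
# workflow and lint it for unpinned action refs.
set -eu

# Write the workflow. Pass full 40-hex commit SHAs, resolved for example with:
#   gh api repos/actions/checkout/commits/v5 --jq .sha
write_release_workflow() {  # usage: write_release_workflow <path> <checkout-sha> <setup-node-sha>
  cat > "$1" <<YAML
name: release
on:
  push:
    tags: ['v*']
permissions: {}                 # default-deny; each job opts in explicitly
jobs:
  publish:
    runs-on: ubuntu-latest
    environment: npm-publish    # the deployment environment from the table
    permissions:
      contents: read
      id-token: write           # OIDC token for npm trusted publishing; no NPM_TOKEN secret
    steps:
      - uses: actions/checkout@$2    # SHA-pinned; keep the tag in a comment if you like
      - uses: actions/setup-node@$3
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm install -g npm@11.15.0 --ignore-scripts   # README minimum for npm stage / npm trust
      - run: npm ci --ignore-scripts
      - run: npm run build
      - run: npm pack --ignore-scripts                     # prebuilt tarball, no prepack hooks
      - run: npm stage publish ./*.tgz --ignore-scripts    # holding area; a 2FA maintainer approves later
YAML
}

# Fail if any `uses:` references a tag or branch instead of a 40-hex commit
# SHA. Local actions (uses: ./path) have no ref and are skipped.
lint_action_pins() {  # usage: lint_action_pins <workflow.yml>; prints offenders, returns 1 if any
  unpinned=$(grep -E '^[[:space:]]*-?[[:space:]]*uses:' "$1" \
             | grep -Ev 'uses:[[:space:]]*\./' \
             | grep -Ev '@[0-9a-f]{40}([[:space:]]|$)') || true
  if [ -n "$unpinned" ]; then
    printf 'unpinned action ref(s):\n%s\n' "$unpinned"
    return 1
  fi
}

# Example:
#   write_release_workflow .github/workflows/release.yml "$CHECKOUT_SHA" "$SETUP_NODE_SHA"
#   lint_action_pins .github/workflows/release.yml
```

The workflow deliberately ends at `npm stage publish`: nothing in CI can promote the staged tarball, which is the whole point of the human in the loop. Run `lint_action_pins` over every workflow in `.github/workflows/` in CI itself, so a PR that swaps a SHA back to `@v4` fails the required status check.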

Contributing

bun install
bun run build

When opening a PR with user-facing changes, add a changeset:

bun run changeset

License

MIT