npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@passportsign/cli

v0.1.0

Published

passportsign CLI: bind a GitHub account to a passport-holding human via zkPassport, verify bindings against public Sigstore Rekor, generate self-contained inline SVG badges.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

debugmcpdevdebugmcpdev

Keywords

passportsignclisigstorerekorzkpassportin-totopersonhoodattestationidentity

Readme

@passportsign/cli

passportsign CLI — bind a GitHub account to a passport-holding human via zkPassport, publish the attestation to the public Sigstore Rekor transparency log, and emit a self-contained inline SVG badge.

Install

npm install -g @passportsign/cli

Or one-shot via npx:

npx @passportsign/cli bind <your-github-username> --country

Requires Node 22.5+ (uses node:sqlite). You also need the ZKPassport mobile app (iOS / Android) with your NFC e-passport loaded.

Commands

passportsign bind <github_username>

Full v0 binding flow:

  1. Generate a one-time nonce.
  2. Prompt you to create a public GitHub gist named passportsign.txt containing that nonce.
  3. Verify the gist via the GitHub API.
  4. Render a QR code; you scan with the ZKPassport app, approve the disclosure on your phone.
  5. Submit the resulting in-toto attestation to public Sigstore Rekor.
  6. Write binding.passportsign.json and passportsign-badge.svg to the current directory.

Pass --country to disclose your passport's issuing country (otherwise the attestation is personhood-only).

passportsign verify <bundle.json>

Run four cryptographic checks against a binding bundle:

  • Statement bytes hash to the Rekor entry's recorded payloadHash
  • Merkle inclusion proof verifies against the captured root
  • Captured root is consistent with the current witnessed root (no log rewrite that orphans the entry)
  • zkPassport SDK accepts the proof and the unique identifier matches the statement

All checks run without any dependency on a passportsign.dev operator — only public Sigstore Rekor and a local zkPassport SDK.

Flags:

  • --no-rekor-refetch — offline structural verification only
  • --gist-recheck — also re-fetch the captured gist URL as a liveness signal

What the badge claims

At time T, a human holding a valid government-issued passport (and optionally: a citizen of country X, if the subject chose to disclose) was in control of the GitHub account @username.

Explicit non-claims: this badge does not assert that the code is human-written, that AI is not used, that the maintainer is currently in control of the account, or that they are trustworthy. See docs/passportsign.md §1 for the full list.

License

Apache-2.0. Source: https://github.com/debugmcp/passportsign