npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@ydecide/cli

v0.2.6

Published

yDecide CLI - interact with decisions from the command line

Readme

yDecide CLI & MCP Server

@ydecide/cli — interact with yDecide decisions from the command line, and an MCP server that exposes the same operations to AI agents.

⚠️ PRIVATE ALPHA — access is gated by login, not by the package

The CLI package is published on npm so testers can install it easily, but yDecide itself is in a closed private alpha. The package is useless without an account on the alpha server.

  • This release connects to the yDecide alpha (dev) environment. It is a development backend, not production.
  • Do not put important data into the app yet. Alpha data may be reset, migrated, or wiped without notice. Treat everything you create as throwaway until general availability.
  • The server is the gate. Every command authenticates against the yDecide backend (ydecide auth login). Without an account that the yDecide team has granted, the CLI can do nothing beyond --help. Installing the package does not grant access.
  • The code is proprietary (license: UNLICENSED).
  • No uptime, data-retention, or backwards-compatibility guarantees apply during alpha.

What's in the box

  • ydecide — oclif-based CLI (bin/run.js) for decisions, alternatives, criteria, AHP pairwise/scores, Pros & Cons, collaborators, tags, sharing.
  • ydecide-mcp — MCP server (bin/mcp.js) over stdio, HTTP, or OAuth-gated HTTP, exposing the same operations as MCP tools for AI agents.

Install (alpha testers)

npm install -g @ydecide/cli
ydecide auth login        # requires an account granted by the yDecide team

You will only be able to do anything once the team has provisioned your account on the alpha server. Until then, login will fail.

Build & packaging

The distributed CLI must ship obfuscated JavaScript only — no TypeScript source, no .d.ts, and no source maps (the repo's root tsconfig enables inlineSourceMap, which would otherwise embed the full TS source as base64 in every .js).

| Command | Use | Output | |---------|-----|--------| | pnpm build | local dev / quick compile | readable JS, no env baked in (falls back to localhost). Not for distribution. | | pnpm build:publish | release build | audit gate → inject env → tscterser --compress --mangle --comments false → restore env. Mangled JS, no source maps, env baked in. |

⚠️ Do NOT use a bare npm pack / pnpm pack for distribution. The repo's .npmrc sets ignore-scripts=true (a supply-chain safeguard), which skips the prepack hook — so a bare pack ships a plain, un-injected build (empty Supabase key → users hit Error: supabaseKey is required at auth login). Always build first, then pack with scripts disabled:

# make a distributable tarball (local testing / hand-off):
pnpm build:publish
npm pack --ignore-scripts        # dist is already the correct injected+obfuscated build

To verify a tarball before distributing:

tar -xzf ydecide-cli-*.tgz -C /tmp/verify
tar -tzf ydecide-cli-*.tgz | grep -E '\.ts$|\.map$|\.sql$|\.d\.ts'    # must be empty
grep -rl sourceMappingURL /tmp/verify/package --include='*.js'         # must be empty
wc -l /tmp/verify/package/dist/mcp/tools.js                            # ~1 line = mangled
# supabase URL + key actually baked in:
grep -oE "https://[a-z0-9-]+\.supabase\.co" /tmp/verify/package/dist/lib/supabase.js
grep -oE "eyJ[A-Za-z0-9_.-]{50,}|sb_publishable_[A-Za-z0-9]+" /tmp/verify/package/dist/lib/supabase.js | head -1

Publishing to npm

The package is published publicly as @ydecide/cli (scoped packages need publishConfig.access = "public", already set). The package is public for easy install; access to yDecide is gated entirely by the server login, not by the package.

One-time setup:

  1. Create the @ydecide org on npmjs.com (the @ydecide scope must exist and you must own it before you can publish @ydecide/*).
  2. npm login as a member of that org.

Each release (from apps/cli, bump the version first if needed):

pnpm publish:npm     # build:publish (audit+inject+obfuscate) -> sbom -> npm publish --ignore-scripts --access public

Because .npmrc has ignore-scripts=true, do not rely on npm publish firing prepack. The publish:npm script runs the obfuscated/injected build explicitly first, then publishes with --ignore-scripts, so what ships is always the correct artifact regardless of the .npmrc setting.

Build-time env (.env.build)

build:publish bakes YDECIDE_SUPABASE_URL / YDECIDE_SUPABASE_ANON_KEY into the CLI so end users don't need to set env vars. Copy .env.build.example to .env.build and fill in the alpha project's URL + anon key (the anon key is public-safe by design; never put a service-role key here). .env.build is git-ignored.

License & source

Proprietary — all rights reserved. license: UNLICENSED (npm's value for closed-source packages: you may not use, copy, modify, or distribute this software without permission). The npm package is published publicly for ease of install, but the source is not open: it is built from the private yDecide monorepo and shipped obfuscated, and there is no public source repository for the CLI.

Organisation: https://github.com/yDecide

For access, issues, or questions during the alpha, contact the yDecide team.