npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

create-daloy

v0.35.0

Published

Scaffold a new DaloyJS project. Run with `pnpm create daloy`, `npm create daloy@latest`, `yarn create daloy`, or `bun create daloy`.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

devlinduldulaodevlinduldulao

Keywords

daloydaloyjsscaffoldcreateinitstartertemplateclirestapiopenapi

Readme

create-daloy

Scaffold a new DaloyJS project in seconds.

# pick the package manager you actually use
pnpm create daloy@latest my-api
npm  create daloy@latest my-api
yarn create daloy           my-api
bun  create daloy           my-api

The CLI is interactive when arguments are missing. It will ask you for:

  • A project directory name (defaults to my-daloy-app)
  • A template (node-basic, vercel-edge, cloudflare-worker, bun-basic, or deno-basic)
  • A package manager (pnpm, npm, yarn, or bun) — not asked for the deno-basic runtime template
  • Whether to install dependencies
  • Whether to initialize a git repository
  • Whether to add hardened GitHub Actions and security/governance files

Interactive runs use a polished terminal UI with a DaloyJS welcome banner, arrow-key template and package-manager pickers, progress indicators, and a boxed completion summary. Non-TTY environments and --yes mode keep a plain, script-friendly transcript with the same decisions and next steps.

Non-interactive usage

pnpm create daloy@latest my-api \
  --template node-basic \
  --package-manager pnpm \
  --with-ci \
  --code-owner @acme/security \
  --install \
  --git

Flags

| Flag | Description | | --- | --- | | --template <name> | node-basic (default), vercel-edge, cloudflare-worker, bun-basic, or deno-basic. | | --package-manager <pm> | pnpm (default), npm, yarn, or bun. Ignored for deno-basic. | | --list-templates | Print available templates with descriptions. | | --install / --no-install | Install dependencies after scaffolding. Defaults to Y for npm/yarn/bun and N for pnpm (so first-time runs are not blocked by the 24h minimumReleaseAge embargo and so you can review the scaffold's hardened .npmrc and pnpm-workspace.yaml before the first install). | | --git / --no-git | Initialize a git repository. Defaults to interactive. | | --minimal | Strip the bookstore demo route and the built-in /docs + /openapi.json routes so only the framework bootstrap and /healthz ship. | | --with-ci / --no-ci | Add the hardened GitHub Actions, Dependabot, CODEOWNERS, SECURITY.md, and lockfile-source verification bundle. Defaults to Y so scaffolded projects are secure by default. | | --with-deploy / --no-deploy | Add the starter .github/workflows/deploy.yml. Defaults to the same value as --with-ci, so you can keep CI but opt out of deploy scaffolding with --no-deploy. | | --code-owner <owner> | Replace the CODEOWNERS placeholder when --with-ci is used, for example @acme/security. | | --force | Overwrite an existing non-empty directory. | | --yes | Accept all defaults; never prompt. | | --help | Print usage and exit. | | --version | Print version and exit. |

Templates

Use create-daloy --list-templates to inspect available templates without creating a project.

node-basic

A production-ready Node.js HTTP server using @daloyjs/core with:

  • Strict TypeScript and tsx for instant dev runs.
  • Hardened .npmrc for safer installs.
  • secureHeaders, requestId, and rateLimit enabled by default (rateLimit is global until you configure keyGenerator or trusted proxy headers).
  • A sample GET /healthz and contract-first GET /books/:id route with Zod validation.
  • pnpm gen wired to emit OpenAPI 3.1 + a typed Hey API client.
  • Auto-mounted Scalar docs can be branded by changing docs: true to docs: { scalar: { theme, customCss } }.

cloudflare-worker

A minimal Cloudflare Worker bootstrap using @daloyjs/core/cloudflare with:

  • wrangler.toml ready to deploy.
  • secureHeaders and requestId enabled by default, with smaller edge-friendly body and timeout limits.
  • A Zod-validated /healthz route and contract-first /books/:id route exposed via toFetchHandler(app).

vercel-edge

A Vercel Edge API bootstrap using @daloyjs/core/vercel with:

  • api/[...path].ts catch-all routing so DaloyJS owns the API surface.
  • export const config = { runtime: "edge" } ready for Vercel Edge.
  • Node.js migration notes using Vercel's default { fetch } export shape.
  • vercel dev / vercel deploy scripts.
  • secureHeaders and requestId enabled by default, with smaller edge-friendly body and timeout limits.
  • A health route and bookstore route mirroring the Node starter.

bun-basic

A Bun runtime starter using @daloyjs/core/bun with:

  • bun --hot src/index.ts for instant reloads.
  • bun test wired to in-process app.request(...) checks.
  • The same starter security middleware as the Node template (secureHeaders, requestId, rateLimit).
  • A health route and contract-first /books/:id route with Zod validation.
  • Hey API codegen wired to bun run gen:openapi + bun run gen:client.

deno-basic

A Deno runtime starter using @daloyjs/core/deno with:

  • A deno.json with deno task dev, test, and gen:openapi tasks.
  • @daloyjs/core and Zod loaded via npm: import-map specifiers.
  • Minimum-permissions dev script (--allow-net --allow-env --allow-read).
  • The same starter security middleware as the Node template (secureHeaders, requestId, rateLimit).
  • A health route and contract-first /books/:id route with Zod validation.
  • The CLI skips Node-style installs for this template (no package.json).

Minimal scaffolds

Pass --minimal to drop the bookstore demo route and the built-in /docs + /openapi.json API docs routes from any template that supports them. The scaffolded app is left with the framework bootstrap and a single /healthz route — the smallest realistic starting point:

pnpm create daloy@latest my-api --template node-basic --minimal --yes

Sentinel comments (// daloy-minimal:strip-start <tag> / // daloy-minimal:strip-end <tag>) survive a default scaffold so you can re-run with --minimal, or delete the marked blocks by hand later.

Hardened GitHub security bundle

Pass --with-ci when you want the generated project to start with the same security posture as a serious company repo:

pnpm create daloy@latest my-api \
  --template node-basic \
  --package-manager pnpm \
  --with-ci \
  --code-owner @acme/security

For Node-style templates, the bundle adds:

  • .github/workflows/ci.yml with top-level permissions: {}, pinned actions, harden-runner, persist-credentials: false, no package-manager cache, and install scripts disabled.
  • .github/workflows/deploy.yml as a manual-only deployment starter. Container templates publish a Docker image to GHCR with the repo-scoped GITHUB_TOKEN, while Vercel and Cloudflare templates ship concrete CLI deploy steps that read their platform credentials from GitHub Actions secrets/variables. The deploy job is gated to main or a tag by default, and Node-style templates re-run verify:lockfile before shipping.
  • .github/workflows/vuln-scan.yml — a daily scheduled SCA cron that runs the package manager's audit against the committed lockfile. Catches CVEs disclosed after the last PR or push and provides SOC 2 CC7.1 (continuous vulnerability management) evidence even when developers are not touching the repo.
  • .github/workflows/osv-scan.yml — a SECOND, independent SCA source. vuln-scan.yml queries the package manager's audit feed (GHSA); this one runs Google's OSV-Scanner against the committed lockfile and cross-references the OpenSSF malicious-packages corpus, so a malware advisory that lands in OSV.dev before it propagates to GHSA still fails the build. The binary is downloaded from a pinned official release and verified by SHA-256 before execution — no third-party action is added to the supply chain just for this scan. This is the missing layer the Aikido SAST vs SCA and npm-audit-guide write-ups warn about, and the Deno scaffold gets it too (Deno has no audit built in, so without OSV-Scanner a Deno scaffold would have no scheduled SCA at all).
  • .github/workflows/secret-scan.yml — runs gitleaks on every PR / push (working tree) and on a daily schedule across the full git history, so a credential leaked anywhere in any commit, branch, or tag is surfaced even if GitHub-native push protection missed it. The gitleaks binary is downloaded from a pinned official release and verified by SHA-256 before execution — no third-party action is added to the supply chain just for this scan. See Aikido's Secrets Detection guide for why history-aware scanning is the floor and not the ceiling.
  • .github/workflows/opengrep.yml — a second SAST source alongside CodeQL, using Opengrep (an open-source Semgrep fork) with the same pinned-binary + SHA-256-verified pattern as the OSV and gitleaks scans.
  • .github/workflows/container-scan.yml — runs Trivy against the image produced by the template's _Dockerfile (filesystem scan on PR, full image scan on push to main) so a base-image CVE or a vulnerable layer is surfaced before deploy.
  • .github/workflows/dast.yml — a manual-only dynamic-analysis workflow that boots the scaffolded API and runs an OWASP ZAP baseline scan against it, for teams that want a black-box check before promoting a release.
  • CodeQL, OpenSSF Scorecard, zizmor, Dependabot, CODEOWNERS, and SECURITY.md.
  • scripts/verify-lockfile-sources.mjs plus a verify:lockfile package script that rejects git dependencies and non-registry tarball URLs in text lockfiles.

The bundle deliberately does not generate an npm publish workflow. create-daloy scaffolds REST API services, not libraries; if you later carve out a reusable package, opt into npm trusted publishing yourself.

For deno-basic, --with-ci generates a Deno-native CI workflow, a manual-only container publish starter for GHCR that is guarded to main or a tag by default, plus CodeQL, Opengrep, OSV-Scanner (the only scheduled SCA layer a Deno scaffold has, since Deno ships no audit), Scorecard, zizmor, Dependabot for GitHub Actions, CODEOWNERS, and SECURITY.md.

If you want the governance bundle but not the deployment starter, pass --with-ci --no-deploy. If you only want a deployment starter, pass --with-deploy --no-ci.

If you omit --code-owner, the generated CODEOWNERS file uses @your-org/security-team as a placeholder. Replace it before relying on branch protection. You should also enable GitHub secret scanning, push protection, and required status checks in the repository settings.

Container-first scaffolds

Every template (Node, Bun, Vercel Edge, Cloudflare Worker, and Deno) ships a production-oriented Dockerfile and .dockerignore with the secure-by-default posture from @daloyjs/core 0.24.0: a non-root user, STOPSIGNAL SIGTERM, tini as PID 1, and a HEALTHCHECK pointed at /readyz. Node-style templates also ship an .env.example. None of this is required — delete or replace whatever you do not need.

What the CLI guarantees

  • Zero runtime dependencies (uses only Node built-ins) for a clean supply-chain footprint.
  • A modern terminal experience with Unicode/color capability detection and ASCII fallbacks.
  • Templates are copied verbatim from this package's templates/ directory.
  • Files and folders prefixed with _ are renamed on copy (_gitignore.gitignore, _npmrc.npmrc, _github/.github, _agents/.agents/, _DockerfileDockerfile, _dockerignore.dockerignore, _env.example.env.example) to survive npm packing.
  • pnpm-specific .npmrc hardening is kept only when you choose pnpm; other package managers get a clean project without unsupported config warnings.
  • pnpm projects ship with ignore-scripts=true, minimum-release-age=1440, verify-store-integrity=true, prefer-frozen-lockfile=true, and strict-peer-dependencies=true by default.
  • --with-ci projects ship with pinned GitHub Actions workflows, CODEOWNERS, Dependabot, SECURITY.md, and lockfile-source verification.
  • The CLI never executes template scripts and never makes network calls beyond the package manager you select.

AI agent helper files

Every scaffolded project ships with two files that help AI coding agents (Copilot, Claude Code, Cursor, Codex, etc.) understand and work in your project:

  • AGENTS.md (repo root) — a small, top-of-context file (per the open AGENTS.md convention): one-line project description, package manager / runtime, project shape, core rules, and the few commands an agent needs. It links to the full skill below.
  • .agents/skills/daloyjs-best-practices/SKILL.md — comprehensive operational guidance following the open agents/skills/<skill-name>/SKILL.md convention: when to use the skill, project structure, core workflows (adding routes, regenerating the OpenAPI spec and client), schema and validation conventions, error-handling patterns, middleware order, testing best practices (happy and unhappy paths), security best practices, logging and observability notes, configuration and secrets handling, deployment notes, pitfalls and guardrails, and process expectations.

Both files are tailored to the chosen template (Node, Bun, Deno, Vercel Edge, or Cloudflare Workers), and Node-style templates rewrite their commands to match your selected package manager. They follow the "instruction budget" advice — small root file, progressive disclosure for the rest — so they don't waste agent tokens. Edit or delete them freely; the framework does not depend on them at runtime.