npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

ep-verify

v0.2.0

Published

One-command offline check of an EP authorization receipt (EP-RECEIPT-v1) against issuer keys you pin. Prints VERIFIED or REFUSED with a machine-readable reason and exits 0/1; fails closed on any error. A thin CLI over @emilia-protocol/verify — it proves s

Readme

ep-verify

Verify one EP authorization receipt from the command line. Offline, fail-closed, no configuration beyond the issuer keys you pin. A thin CLI over @emilia-protocol/verify.

Status: prepared for the ep-verify npm name; not yet published. From this repository, run node packages/ep-verify/cli.mjs wherever the examples say ep-verify.

Install

npm install -g ep-verify   # once published

Verify one receipt in one line

ep-verify receipt.json --keys keys.json

keys.json holds the issuer public key(s) you pin — a base64url SPKI string, an array of them, or { "keys": [...] }. Without --keys the answer is always REFUSED (no_pinned_keys): a key that travels inside the receipt proves integrity, not trust.

Output is two lines — VERIFIED or REFUSED, then one JSON line with a machine-readable reason and the individual checks. Exit code 0 only on VERIFIED; any error, missing input, or failed check exits 1.

What VERIFIED means

The receipt's Ed25519 signature over its canonical payload verifies against a key you pinned, and — if the receipt carries a Merkle anchor — the EP-MERKLE-v2 inclusion proof reconstructs the claimed root.

What VERIFIED does NOT mean

  • Not business correctness. Verification proves signature, binding, and anchor/log integrity — never that the authorized action was appropriate, lawful, or wise.
  • Not authority. Whether a signing key should be trusted is your pinning decision; ep-verify checks against exactly the keys you supply.
  • Not revocation or freshness. This is a point check of one document; replay defense and freshness windows belong to an enforcement point such as @emilia-protocol/gate.
  • Not a conclusion. EP is not an auditor, regulator, or insurer; this output supports a decision, it never concludes one.

Cross-implementation note: the JavaScript, Python, and Go verifiers live in one repository — a consistency check, not independent implementations. A separately authored Rust verifier is rebuilt from a pinned public commit and tree and passes the pinned 16-suite/164-vector clean-room bundle plus 359 hostile cases. Strict independently attested construction acceptance remains zero. The EP receipt formats are specified in active INDIVIDUAL Internet-Drafts, not IETF-adopted or endorsed.

License

Apache-2.0