npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

node-qiitar

v0.1.2

Published

Node.js bindings for qiitar (macOS Keychain). Port of node-keytar's core API.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

pr-pr-purinpr-pr-purin

Keywords

Readme

node-qiitar

Node.js bindings for qiitar via napi-rs. Mirrors the core async API of node-keytar.

Platform

macOS only. Linux and Windows are not supported.

Build

cd crates/node-qiitar
npm install
npm run build              # release build → node-qiitar.darwin-{arch}.node

npm run build:debug produces an unoptimized build for faster iteration.

API

setPassword(service: string, account: string, password: string): Promise<void>
getPassword(service: string, account: string): Promise<string | null>
deletePassword(service: string, account: string): Promise<boolean>

Semantics match qiitar:

| Function | Resolves to | Behavior | | --- | --- | --- | | setPassword | void | Upserts. Existing entry for (service, account) is overwritten. | | getPassword | string \| null | null if no entry exists. | | deletePassword | boolean | false if no entry existed. |

Usage

const { setPassword, getPassword, deletePassword } = require('node-qiitar')

await setPassword('com.example.myapp', '[email protected]', 'hunter2')

const pw = await getPassword('com.example.myapp', '[email protected]')
// 'hunter2'

const deleted = await deletePassword('com.example.myapp', '[email protected]')
// true

From a separate project, install via filesystem reference:

npm install file:/path/to/qiitar/crates/node-qiitar

Errors

Promises reject with a JS Error whose message is prefixed with a fixed tag so callers can branch without parsing prose:

  • [NotUtf8] ... — the stored bytes weren't valid UTF-8.
  • [KeychainError] ... — an error from the underlying Keychain Services call.

errSecItemNotFound is not an error here; getPassword resolves to null and deletePassword resolves to false in that case.

Testing

npm run build
npm test

Tests run against the real user Keychain. Each test uses a unique service name and cleans itself up in a finally block.

Lint & format

JS/JSON formatting and linting use Biome. CI runs biome ci (the read-only CI mode); locally:

npm run lint        # biome ci .   — check only, fails on any issue
npm run lint:fix    # biome check --write .   — apply safe fixes + formatting

Configuration lives in biome.json. Generated files (index.js, index.d.ts, *.node) are excluded from checking.

Release

Releases publish to npm from GitHub Actions via Trusted Publisher (OIDC) with provenance. No NPM_TOKEN is stored in the repo; npmjs.com authenticates the workflow by its OIDC identity.

Workflow

.github/workflows/release.yml is triggered by pushing a tag matching node-qiitar-v*, or by manual workflow_dispatch. It:

  1. Builds aarch64-apple-darwin on macos-14 and x86_64-apple-darwin on macos-13 in parallel, running npm test on each.
  2. Uploads each .node artifact.
  3. From ubuntu-latest, downloads both artifacts and runs npm publish. publishConfig.provenance: true in package.json adds the provenance attestation automatically.

Cutting a release

cd crates/node-qiitar
npm version patch --tag-version-prefix=node-qiitar-v   # or minor / major
cd ../..
git push
git push --tags

npm version bumps package.json, commits, and creates a tag of the form node-qiitar-v0.1.1. Pushing the tag fires the workflow.

To cut a release manually, edit package.json, commit, then:

git tag node-qiitar-v0.2.0
git push origin main node-qiitar-v0.2.0

Verifying

After the workflow completes, the package page on npmjs.com/package/node-qiitar should show a "Built and signed on GitHub Actions" badge linking to the workflow run.

One-time setup notes

  • npm Trusted Publisher must be configured on the package's settings page, pointing at this repository's release.yml. Set up once; no maintenance after that.
  • Maintainers do not need npm NPM_TOKEN credentials for releases.