npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

ntrust

v0.1.0

Published

Batch-manage npm trusted publishing relationships for monorepo packages

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

yjl9903yjl9903

Keywords

npmtrusted-publishgithub-actionsgitlab-ci

Readme

ntrust

version CI

Batch-manage npm trusted publishing relationships for monorepo packages.

  • Batch-managing trusted publishing relationships
  • Discovering publishable packages from pnpm workspace
  • Inferring GitHub repository and actions workflow file

Installation

$ npx ntrust
# npm         11.10.0 (mise)
# provider    github
# repository  yjl9903/ntrust
# workflow    release.yml
# packages    ntrust

# Proceed to grant trusted publishing relationships? [Y/n]: Y

# $ mise exec npm@^11.10.0 -- npm trust list --json ntrust
# id    eebc175d-4720-4fc8-a31a-6491ca36fb47
# type  github
# repo  yjl9903/ntrust
# file  release.yml

Usage

# trust all publishable packages discovered from pnpm-workspace.yaml
$ ntrust

# trust selected package folders / package.json files
$ ntrust packages/core packages/cli

# force GitHub provider and override inferred repo / file
$ ntrust github --repo your-org/your-repo --file release.yml

# list trusted relationships
$ ntrust list

# revoke trusted relationships
$ ntrust revoke
Batch-manage npm trusted publishing relationships for monorepo packages

Usage: ntrust [COMMAND] [OPTIONS]

Commands:
  ntrust                    Batch-create npm trusted publishing relationships for monorepo packages
  ntrust github [...files]  Batch-create npm trusted publishing relationships between packages and GitHub actions
  ntrust gitlab [...files]  Batch-create npm trusted publishing relationships between packages and GitLab CI/CD
  ntrust list [...files]    Batch-list trusted relationships
  ntrust revoke [...files]  Batch-revoke trusted relationships

Options:
      --file <name>     Name of trust pipeline file
      --repo <name>     Name of trust repository
      --env <name>      CI environment name for npm trust claim
      --registry <url>  The base URL of the npm registry
      --mise            Use mise to run npm command
      --dry-run         Show what would be done
  -y, --yes             Automatically answer "yes" to any prompts
  -C, --dir <dir>       Specify dir to run command
  -h, --help            Print help
  -v, --version         Print version

Example

  1. Your pnpm workspace monorepo may be like:
# pnpm-workspace.yaml
packages:
  - packages/*
// packages/pkg-a/package.json
{
  "name": "@your-org/pkg-a",
  "version": "1.0.0",
  "private": false
}

ntrust ignores private: true packages when discovering publish targets.

  1. Create GitHub actions file .github/workflows/release.yml to publish npm package.
name: Release

on:
  push:
    tags:
      - 'v*'

jobs:
  release:
    runs-on: ubuntu-latest

    permissions:
      contents: write
      id-token: write

    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0

      - name: Setup pnpm
        uses: pnpm/[email protected]

      - uses: actions/setup-node@v6
        with:
          node-version: 24.13.1
          cache: pnpm
          registry-url: "https://registry.npmjs.org"

      - name: Install dependencies
        run: pnpm install

      - name: Build packages
        run: pnpm build

      - name: Publish packages
        run: pnpm -r publish --provenance --no-git-checks
  1. Run ntrust command to setup trust publishing relationship.

The workflow file above can be inferred automatically by ntrust to .github/workflows/release.yml.

$ npx ntrust
# npm         11.10.0 (mise)
# provider    github
# repository  yjl9903/ntrust
# workflow    release.yml
# packages    ntrust

# Proceed to grant trusted publishing relationships? [Y/n]: Y

# $ mise exec npm@^11.10.0 -- npm trust list --json ntrust
# id    eebc175d-4720-4fc8-a31a-6491ca36fb47
# type  github
# repo  yjl9903/ntrust
# file  release.yml
  1. After theses setup steps, you only need to push a tag like v1.0.0 (i.e. use bumpp) to trigger GitHub actions publishing your monorepo packages without any extra auth config.
bumpp package.json packages/*/package.json --commit --push --tag

References

License

MIT License © 2026 XLor