pin-actions

v0.1.1

Pin every uses: owner/repo@ref in your GitHub Actions workflows to a full commit SHA. Supply-chain-safe, in-place rewrite, comment-preserving. CLI, MIT.

pin-actions

Pin every uses: owner/repo@ref in your GitHub Actions workflows to a full commit SHA. Supply-chain-safe, in-place rewrite, comment-preserving.

$ npx pin-actions

pin-actions  2026-04-27T06:30:00Z

PIN    .github/workflows/ci.yml:7   actions/checkout@v4       ->  b3aab09b1b18  # v4
PIN    .github/workflows/ci.yml:8   actions/setup-node@v4     ->  39370e3970a6  # v4
PIN    .github/workflows/ci.yml:13  actions/upload-artifact@v4 -> ea165f8d6502  # v4
wrote  .github/workflows/ci.yml

summary: pin=3  already-pinned=0  skipped=0  errors=0
mode: write

Why

GitHub's hardening guide says: pin third-party actions to a full commit SHA. The reason is real. A compromised tag can ship malicious code under the same @v4 you've been trusting for a year. Tags are mutable. SHAs are not.

Pinning by hand is tedious. Renovate handles it but is heavy. Dependabot handles it only after you opt in per repo and only for some ecosystems. pin-actions does it in one shot, locally, with no service.

Install

npx pin-actions                  # one-shot
npm install -g pin-actions       # if you'll run it often

Usage

pin-actions                      # rewrite .github/workflows/*.yml in cwd
pin-actions path/to/repo         # specific repo
pin-actions --check              # do not write; exit 1 if pins are needed (CI)
pin-actions --json               # machine-readable report
pin-actions --token=ghp_xxx      # higher rate limit (or env GITHUB_TOKEN)

In CI, --check is the right mode:

- name: Verify all actions are pinned
  uses: actions/checkout@v4
  with:
    fetch-depth: 1
- run: npx pin-actions --check
  env:
    GITHUB_TOKEN: ${{ github.token }}

Behavior

  • Pins by rewriting uses: owner/repo@v4 to uses: owner/repo@<sha> # v4. The trailing comment lets humans read what version is pinned.
  • Existing trailing comments are preserved.
  • Already-SHA pins are left alone.
  • Local actions (./actions/foo) and Docker actions (docker://...) are skipped; SHA-pinning is for repository actions only.
  • Annotated tags are dereferenced to the underlying commit SHA so the pin matches what actions/checkout would see.
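As an added example (not pin-actions' own source), the rewrite rules listed under Behavior and the --check decision from Usage, expressed in JavaScript; the resolver is a constructed stand-in for the GitHub API lookup, and the SHAs it returns are placeholder values:

```javascript
// Added example, not pin-actions' own source: the line-level rewrite
// described under Behavior. The resolver is a constructed stand-in for
// the GitHub API lookup (annotated tags already dereferenced to a commit).
const USES_RE = /^(\s*-?\s*uses:\s*)([^\s#"']+)(\s*#.*)?$/;
const FULL_SHA_RE = /^[0-9a-f]{40}$/;
// Constructed placeholder SHAs (padded to 40 hex chars); not real commits.
const lookup = (repo, ref) => ({
  "actions/checkout@v4": "b3aab09b1b18".padEnd(40, "0"),
  "actions/setup-node@v4": "39370e3970a6".padEnd(40, "0"),
})[`${repo}@${ref}`];
// Returns the rewritten text plus the same counters the CLI summary prints.
function pinWorkflow(text, resolve) {
  const summary = { pin: 0, alreadyPinned: 0, skipped: 0, errors: 0 };
  const lines = text.split("\n").map((line) => {
    const m = USES_RE.exec(line);
    if (!m) return line;
    const [, prefix, target, comment = ""] = m;
    // Local and Docker actions have no repository commit to pin to.
    if (target.startsWith("./") || target.startsWith("docker://")) {
      summary.skipped++;
      return line;
    }
    const at = target.lastIndexOf("@");
    if (at < 0) { summary.errors++; return line; }   // no ref at all
    const repo = target.slice(0, at);
    const ref = target.slice(at + 1);
    if (FULL_SHA_RE.test(ref)) { summary.alreadyPinned++; return line; }
    const sha = resolve(repo, ref);
    if (!sha) { summary.errors++; return line; }      // unresolvable ref
    summary.pin++;
    // Keep an existing trailing comment, else record the ref for humans.
    const trailing = comment.trim() ? ` ${comment.trim()}` : ` # ${ref}`;
    return `${prefix}${repo}@${sha}${trailing}`;
  });
  return { text: lines.join("\n"), summary };
}
// --check semantics: true when at least one uses: line still needs a pin.
function needsPins(text, resolve) {
  return pinWorkflow(text, resolve).summary.pin > 0;
}
// Constructed workflow fragment covering every case in the Behavior list.
const SAMPLE = [
  "      - uses: actions/checkout@v4",
  "      - uses: actions/setup-node@v4  # node toolchain",
  "      - uses: actions/upload-artifact@" + "e".repeat(40),
  "      - uses: ./.github/actions/local-thing",
  "      - uses: docker://alpine:3.19",
].join("\n");
```

Running pinWorkflow on the already-rewritten text a second time reports every repository action as already-pinned and changes nothing, which is the idempotence a CI --check step relies on.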

Rate limits

Anonymous: 60 GitHub API requests/hr. A medium repo with ~30 uses: lines is well under that. Larger repos: pass --token=$GITHUB_TOKEN or set GITHUB_TOKEN in the environment for 5,000/hr.

Companion tools

  • ci-doctor - audit workflows for waste, cost, and other security gaps. ci-doctor flags unpinned actions; pin-actions fixes them.
  • gha-budget - estimate the dollar cost of a workflow per runner.
  • depmedic - surgical npm vulnerability triage.
  • cursor-rules-init - opinionated .cursorrules starters.

License

MIT.


Sponsor / support depmedic

If this saved you 10 minutes of CI debugging, consider one of these. All of them keep the free CLIs free:

More from depmedic

| Tool | What it does |
| --- | --- |
| ci-doctor | audit GitHub Actions for cost + security (16 rules) |
| gitlab-ci-doctor | same engine for .gitlab-ci.yml (14 rules) |
| bitbucket-ci-doctor | for bitbucket-pipelines.yml (8 rules) |
| azure-pipelines-ci-doctor | for azure-pipelines.yml (8 rules) |
| circleci-ci-doctor | for .circleci/config.yml (8 rules) |
| gha-budget | $-denominated cost estimate of any GHA workflow |
| pin-actions | one-shot SHA pinner for uses: blocks |
| cursor-rules-init | scaffold .cursor/rules/ for your stack |
| depmedic | all-in-one cli, finds outdated/risky deps |
| depmedic/ci-doctor-action | composite GitHub Action: PR comment + SARIF |

In-browser scanners (no install): GitHub · GitLab · Bitbucket · Azure · CircleCI.

Newsletter (weekly, low-volume): https://depmedicdev-byte.github.io/newsletter.html?utm_source=npm&utm_medium=readme&utm_campaign=pin-actions.