npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

plop-pack-git-commit

v0.1.0

Published

PlopJS action pack to stage, commit, and push changes with git

Readme

plop-pack-git-commit

PlopJS action pack that stages changes, creates a git commit, and pushes to origin.

Inspired by plop-pack-git-init, but focused on committing existing or generated files in an already initialized repository.

Installation

pnpm add plop-pack-git-commit
# or
npm i plop-pack-git-commit

Usage

module.exports = function (plop) {
  plop.load("plop-pack-git-commit");

  plop.setGenerator("example", {
    prompts: [],
    actions: [
      {
        type: "add",
        path: "notes/{{name}}.md",
        template: "# {{name}}\n",
      },
      {
        type: "gitCommit",
        path: process.cwd(),
        message: "docs: add {{name}} note",
        files: "notes/{{name}}.md",
      },
    ],
  });
};

Commit specific file(s)

{
  type: "gitCommit",
  path: process.cwd(),
  message: "docs: add contact note",
  files: "notes/contacto.md",
}

files accepts a string or an array of strings.

Commit everything pending

{
  type: "gitCommit",
  path: process.cwd(),
  message: "chore: sync generated files",
  all: true,
}

This runs git add -A before committing.

Options

| Option | Type | Default | Description | |--------|------|---------|-------------| | path | string | process.cwd() | Repository path | | message | string | required | Commit message | | files | string \| string[] | — | Stage only these paths | | all | boolean | — | Stage all changes with git add -A | | verbose | boolean | false | Stream git output to the terminal | | skipEmpty | boolean | true | Resolve instead of failing when there is nothing to commit |

Provide either files or all: true. They are mutually exclusive.

Push behavior

After a successful commit, the action always runs:

git push origin HEAD
  • If there was nothing to commit (skipEmpty), push is skipped.
  • If origin is missing or push fails, the action resolves with a warning instead of failing the generator. The commit remains local.

Schema export

You can validate action configs outside Plop:

import { gitCommitConfigSchema } from "plop-pack-git-commit";

const result = gitCommitConfigSchema.safeParse({
  path: process.cwd(),
  message: "feat: add generator output",
  all: true,
});

Requirements

  • git available in PATH
  • Git user identity configured (user.name, user.email)
  • Remote origin configured when you expect push to succeed

Development

pnpm install
pnpm check   # lint + test + build
pnpm lint
pnpm test
pnpm build

GitHub Actions

| Workflow | Trigger | Purpose | |----------|---------|---------| | CI | push/PR to main | lint, test, build | | Security audit | push/PR + weekly | pnpm audit fails on high/critical | | Dependency review | pull requests | blocks PRs that add vulnerable deps | | CodeQL | push/PR + weekly | static analysis for TypeScript/JavaScript | | Release | GitHub Release published | verify tag, pnpm check, publish to npm |

Dependabot opens weekly PRs to update dependencies.

Security releases (automated)

When a Dependabot security PR is merged to main:

  1. Security release prepare checks:
    • PR author is dependabot[bot]
    • PR body/labels reference security advisories (GHSA/CVE)
    • pnpm audit shows fewer vulnerabilities than before the merge
  2. If all pass, it opens a review PR (security-release/x.y.z) that bumps the patch version (z) and prepends a Security section to CHANGELOG.md (packages, versions, advisories).
  3. If audit does not improve, no release PR is created.
  4. When you merge the security release PR, Security release publish tags vx.y.z, creates a GitHub Release titled Security release x.y.z, and publishes to npm.

Manual feature releases still use the Release workflow (GitHub Release UI). Bot-authored security releases use the dedicated publish workflow to avoid duplicate npm publishes.

Releasing to npm (manual)

  1. Bump version in package.json (e.g. 0.1.1).
  2. Commit, push to main, and create a GitHub Release with tag v0.1.1 (must match package.json).
  3. The Release workflow runs pnpm check and publishes with npm provenance.

Repository secret required:

| Secret | Purpose | |--------|---------| | NPM_TOKEN | npm automation token with publish access to this package |

Enable Dependabot alerts and Code scanning under repository Settings → Code security.

License

MIT