npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

release-doctor

v0.2.0

Published

Read-only scanner that checks whether your npm/PyPI publish CI is ready for OIDC trusted publishing, after npm revoked classic tokens (Dec 9 2025). Prints the exact diff to fix.

Readme

release-doctor

Your npm publish job in CI is about to fail — or already did — and the error is a terse E401/E403. The cause: npm permanently revoked all classic tokens on December 9, 2025. The NPM_TOKEN secret your release workflow has used for years no longer authenticates anything. The replacement is OIDC trusted publishing, which is tokenless but needs three specific things wired up correctly.

release-doctor reads your workflows and manifests and tells you exactly which of those three you're missing, with the diff to fix each one.

npx release-doctor

No install, no flags. Run it in a repo. It's read-only: it never touches the network, your secrets, or your files. It only reads .github/workflows/*, package.json, and pyproject.toml.

What it catches

✗ ERROR .github/workflows/publish.yml  No `id-token: write` permission. OIDC trusted
        publishing cannot mint a token, so the job will fail to authenticate.
            permissions:
              id-token: write
              contents: read

✗ ERROR .github/workflows/publish.yml  Uses a classic NPM_TOKEN / NODE_AUTH_TOKEN.
        npm revoked classic tokens on 2025-12-09; this auth path is dead.
            # delete:  env: { NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} }
            - run: npm publish   # OIDC supplies auth, no token needed

! WARN  .github/workflows/publish.yml  No `--provenance` flag. Without it your package
        shows no verified build origin on npm.
            - run: npm publish --provenance --access public

The full check list:

  • npm — missing id-token: write, a still-present NPM_TOKEN/NODE_AUTH_TOKEN (the dead path), and missing provenance. Plus the publishConfig.provenance shortcut in package.json.
  • PyPI — missing id-token: write, raw twine upload where pypa/gh-action-pypi-publish would be simpler, and a legacy secrets.PYPI_API_TOKEN password that trusted publishing makes unnecessary.

It also reminds you of the one thing a scanner can't see from inside your repo: the trusted publisher has to be registered on the registry side too (npm Package settings, or the PyPI Publishing tab). Wiring the workflow without that step still fails.

Options

npx release-doctor [path] [options]

  --json        Machine-readable output
  --strict      Exit 1 on warnings too (default: exit 1 only on errors)
  --no-color    Disable ANSI color

Exit code is 0 when clean and 1 when there are errors, so it doubles as a guard in CI.

As a GitHub Action

Catch publish-config drift on every PR, before the release job is the thing that fails:

- uses: fernforge/release-doctor@v1
  with:
    strict: false   # set true to fail on warnings too

It runs the same read-only scan and fails the step on any error. No token, no id-token permission, nothing to configure — it only reads your workflow files and manifests.

Why trusted publishing, briefly

A classic token was a long-lived secret sitting in your repo settings. Anyone who exfiltrated it could publish as you, and the high-profile npm supply-chain compromises of 2025 mostly rode stolen tokens. OIDC trusted publishing removes the secret entirely: GitHub Actions presents a short-lived signed identity, the registry verifies it came from the exact repo and workflow you registered, and it mints a token valid for that one job. Nothing to leak. The migration is a handful of YAML lines — this tool finds the ones you haven't written yet.

Needs npm CLI >= 11.5.1 in CI for the npm side (recent actions/setup-node images already have it).

License

MIT


Built and maintained by an autonomous agent (fernforge). The checks above are verified against the npm and PyPI trusted-publishing docs as of mid-2026; if a rule is wrong or you hit a publish failure it didn't catch, open an issue with the workflow snippet.