npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

vart-cli

v1.1.0

Published

vart - cli anti-alteration tool for text-based everything.

Readme

vart (cli)

img

vart (verify article) is a small command-line tool for creating encrypted identities and signing/verifying text articles inside the vart ecosystem. the project uses a hybrid model:

  • private data (identities, private metadata) is encrypted with a master secret.
  • public fingerprints and optional authority signatures are embedded so others can perform public verification without the master secret.

https://vart.vercel.app/


installation

install from npm (global):

npm install -g vart-cli
# or from source during development:
npm install -g .

there's also a provided installer for unix-like systems:

./install-vart.sh

the installer bootstraps a persisted master secret at ~/.vart_master_secret if none is provided. do not commit that file.


quick start

  1. initialize authority keys (optional, creates an authority keypair under ~/.vart/):
vart init
  1. register an identity (interactive):
vart reg

or non-interactive:

vart reg --name "alice example" --email "[email protected]" --verify "https://example.com/alice.txt"
  1. sign an article:
vart sign article.txt alice.vart
  1. public verification (anyone, no master secret required):
vart verify-public alice.vart
  1. full verification (requires master secret to decrypt identity details):
vart verify alice.vart
  1. export a signed article's plaintext:
vart export article.vart [output.txt]
  1. show info about a .vart file:
vart info file.vart
  1. join an organization (writer + org .vart files):
vart join writer.vart org.vart
  1. check trust via verification URLs embedded in an identity:
vart trust alice.vart
  1. view local configuration status:
vart status

environment variables

recommended runtime configuration options:

  • MASTER_SECRET_HEX — preferred. a 64-char hex string representing the master secret. if provided, this is used instead of generating/persisting a file.
  • MASTER_SECRET_FILE — optional path to persisted secret (default: ~/.vart_master_secret).
  • AUTHORITY_PUBLIC_KEY_PEM — optional. authority public key pem text (used for public verification).
  • AUTHORITY_PRIVATE_KEY_PEM — optional. authority private key pem text (used to sign fingerprints at registration).
  • AUTHORITY_NAME — optional friendly name for the authority (default: VART-Authority).

note: it's safer to store secrets in a secret manager (vault, aws secrets manager) and set MASTER_SECRET_HEX in the runtime environment.


file format (brief)

a .vart file is a json wrapper:

{
  "type": "identity" | "signed_article",
  "version": "1.0",
  "data": "<encrypted-hex-string>",
  "public": {
    "authority": "<authority-name>",
    "authorityPublicKey": "<pem or null>",
    "fingerprint": "<sha256-hex>",
    "authoritySignature": "<base64 or null>",
    "signedAt": "<timestamp>"
  }
}
  • data is the ciphertext (aes-256-gcm hex format).
  • public.fingerprint is the canonical sha256 fingerprint of the canonicalized identity (stable key ordering).
  • authoritySignature is present only if the identity was signed by the authority private key.

why authority signature can be null

if you see authoritySignature: null it means the identity was created without the authority private key available (or signing failed). public verification will not be possible until the signature is added.

options to fix:

  • run vart init to generate authority keys and re-register the identity with AUTHORITY_PRIVATE_KEY_PEM present; or
  • sign the existing .vart file in-place using your authority private key (there's a helper script in the repo examples, or you can call the sign-vart-file.js approach described in docs).

troubleshooting

  • "authority signature is null": ensure AUTHORITY_PRIVATE_KEY_PEM is present in the same shell and valid, or run vart init and re-register/sign the file.
  • "decryption failed": most likely wrong MASTER_SECRET_HEX or different persisted secret. confirm MASTER_SECRET_HEX or the persisted file at ~/.vart_master_secret.
  • fetch/trust checks timing out or failing: network fetches have a timeout and max size; ensure URLs are reachable and returning expected content.

contributing & tests

please add unit tests for:

  • encrypt/decrypt round trips
  • register -> verify-public -> verify (full)
  • sign -> verify-article

setup ci to run tests and scan for accidental secrets (git-secrets or similar).


license

see LICENSE.md