Big update!Introducing GitHub Bot Commands. Learn more
Log inDemoInstall


Package Overview
File Explorer

Advanced tools


Scarf is like Google Analytics for your npm packages. Gain insights into how your packages are installed and used, and by which companies.


Version published
Weekly downloads
increased by2.66%

Weekly downloads




npm version Join the Scarf Community Slack

Scarf is like Google Analytics for your npm packages. By sending some basic details after installation, this package can help you can gain insight into how your packages are used and by which companies. Scarf aims to help open-source developers fund their work when it is used commercially.

To read more about why we wrote this library, check out this post on the topic.


  • No dependencies.
  • Fully transparent to the user. Scarf will log its behavior to the console during installation. It will never silently report analytics for someone that hasn't explictly given permission to do so.
  • Never interrupts your package installation. Reporting is done on a best effort basis.


You'll first need to create a library entry on Scarf. Once created, add a dependency on this library to your own:

npm i --save @scarf/scarf

Once your library is published to npm with this change, Scarf will automatically collect stats on install, no additional code is required!

Head to your package's dashboard on Scarf to see your reports when available.


Users of your package will be opted in by default and can opt out by setting the SCARF_ANALYTICS=false environment variable. If you'd like Scarf analytics to instead be opt-in, you can set this by adding an entry to your package.json

// your-package/package.json { // ... "scarfSettings": { "defaultOptIn": false } // ... }

Scarf will now be opt-out by default, and users can set SCARF_ANALYTICS=true to opt in.

Regardless of the default state, Scarf will log what it is doing to users who haven't explictly opted in or out.

By default, scarf-js will only trigger analytics when your package is installed as a dependency of another package, or is being installed globally. This ensures that scarf-js analytics will not be triggered on npm install being run within your project. To change this, you can add:

// your-package/package.json { // ... "scarfSettings": { "allowTopLevel": true } // ... }


What information does scarf-js provide me as a package author?
  • Understanding your user-base
    • Which companies are using your package?
    • Is your project growing or shrinking? Where? On which platforms?
  • Which versions of your package are being used?
As a user of a package using scarf-js, what information does scarf-js send about me?

Scarf does not store personally identifying information. Scarf aims to collect information that is helpful for:

  • Package maintainence
  • Identifying which companies are using a particular package, in order to set up support agreements between developers and companies.

Specifically, scarf-js sends:

  • The operating system you are using
  • Your IP address will be used to look up any available company information. Scarf does not store the actual IP address
  • Limited dependency tree information. Scarf sends the name and version of the package(s) that directly depend on scarf-js. Additionally, scarf-js will send SHA256-hashed name and version for the following packages in the dependency tree:
    • Packages that depend on a package that depends on scarf-js.
    • The root package of the dependency tree. This allows Scarf to provide information for maintainers about which public packages are using their own, without exposing identifying details of non-public packages.

You can have scarf-js print the exact JSON payload it sends by setting SCARF_VERBOSE=true in your environment.

As a user of a package using scarf-js, how can I opt out of analytics?

Scarf's analytics help support developers of the open source packages you are using, so enabling analytics is appreciated. However, if you'd like to opt out, you can add your preference to your project's package.json:

// your-package/package.json { // ... "scarfSettings": { "enabled": false } // ... }

Alternatively, you can set this variable in your environment:

export SCARF_ANALYTICS=false

Either route will disable Scarf for all packages.

I distribute a package on npm, and scarf-js is in our dependency tree. Can I disable the analytics for my downstream dependents?

Yes. By opting out of analytics via package.json, any package upstream will have analytics disbabled.

// your-package/package.json { // ... "scarfSettings": { "enabled": false } // ... }

Installers of your packages will have scarf-js disabled for all dependencies upstream from yours.


Setting the environment variable SCARF_LOCAL_PORT=8080 will configure Scarf to use http://localhost:8080 as the analytics endpoint host.

Future work

Future releases of scarf-js will provide a module of utility functions to collect usage analytics in addition to the current installation analytics.


Join the Scarf-Community workspace on Slack and find us in the #scarf-js channel. We'll keep an eye out for your questions and concerns.


What is @scarf/scarf?

Scarf is like Google Analytics for your npm packages. Gain insights into how your packages are installed and used, and by which companies.

Is @scarf/scarf popular?

The npm package @scarf/scarf receives a total of 296,297 weekly downloads. As such, @scarf/scarf popularity was classified as popular.

Is @scarf/scarf well maintained?

We found that @scarf/scarf demonstrated a not healthy version release cadence and project activity because the last version was released a year ago.It has 1 open source maintainer collaborating on the project.

Last updated on 05 Jun 2021

Did you know?

Socket installs a Github app to automatically flag issues on every pull request and report the health of your dependencies. Find out what is inside your node modules and prevent malicious activity before you update the dependencies.

Install Socket
Socket[email protected]


Stay in touch

Get open source security insights delivered straight into your inbox.

  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc