Security News
The Dark Side of Open Source
At Node Congress, Socket CEO Feross Aboukhadijeh uncovers the darker aspects of open source, where applications that rely heavily on third-party dependencies can be exploited in supply chain attacks.
@scarf/scarf
Readme
Scarf is like Google Analytics for your npm packages. By sending some basic details after installation, this package can help you gain insights into how your packages are used and by which companies. Scarf aims to help support open-source developers fund their work when used commercially.
To read more about why we wrote this library, check out this post on the topic.
You'll first need to create a library entry on Scarf. Once created, add a dependency on this library to your own:
npm i --save @scarf/scarf
Once your library is published to npm with this change, Scarf will automatically collect stats on install; no additional code is required!
Head to your package's dashboard on Scarf to see your reports when available.
Users of your package will be opted in by default and can opt out by setting the SCARF_ANALYTICS=false environment variable. If you'd like Scarf analytics to instead be opt-in, you can set this by adding an entry to your package.json:
// your-package/package.json
{
  // ...
  "scarfSettings": {
    "defaultOptIn": false
  }
  // ...
}
Users will now be opted out by default and can set SCARF_ANALYTICS=true to opt in.
Regardless of the default state, Scarf will log what it is doing to users who haven't explicitly opted in or out.
@org/package-name, which are assumed to be private):
Scarf's analytics help support developers of the open source packages you are using, so enabling analytics is appreciated. However, if you'd like to opt out, you can add your preference to your project's package.json:
// your-package/package.json
{
  // ...
  "scarfSettings": {
    "enabled": false
  }
  // ...
}
Alternatively, you can set this variable in your environment:
export SCARF_ANALYTICS=false
Either route will disable Scarf for all packages.
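The opt-in and opt-out rules described above can be checked across a dependency tree. The following is an added example, not code from scarf-js or this README: it takes package manifests as they would be read from node_modules and reports which dependents of @scarf/scarf would send install analytics. The function names, the sample package names and versions, and the precedence when settings conflict (an explicit opt-out wins) are assumptions.

```javascript
// Added example: models the opt-in/opt-out rules documented in this README.
// Not scarf-js source code; precedence between conflicting signals is an assumption.
const SCARF = '@scarf/scarf';

// Decide whether install analytics would be sent for one dependent package.
function scarfDecision(dependentPkg, rootPkg, env) {
  const envVal = env.SCARF_ANALYTICS;
  const rootEnabled = (rootPkg.scarfSettings || {}).enabled;
  // "Either route will disable Scarf for all packages."
  if (envVal === 'false') return { send: false, explicit: true, reason: 'SCARF_ANALYTICS=false' };
  if (rootEnabled === false) return { send: false, explicit: true, reason: 'scarfSettings.enabled=false' };
  if (envVal === 'true') return { send: true, explicit: true, reason: 'SCARF_ANALYTICS=true' };
  // No explicit choice: the dependent's defaultOptIn applies (opted in unless set to false).
  const optIn = (dependentPkg.scarfSettings || {}).defaultOptIn !== false;
  return { send: optIn, explicit: false, reason: `defaultOptIn=${optIn}` };
}

// Report every installed package that declares a dependency on @scarf/scarf.
function auditScarf(installedPkgs, rootPkg, env) {
  return installedPkgs
    .filter((p) => p.dependencies && SCARF in p.dependencies)
    .map((p) => ({ name: p.name, ...scarfDecision(p, rootPkg, env) }));
}

// Constructed sample manifests (hypothetical package names and version ranges).
const installed = [
  { name: 'lib-default', dependencies: { [SCARF]: '^1.0.0' } },
  { name: 'lib-optin', dependencies: { [SCARF]: '^1.0.0' }, scarfSettings: { defaultOptIn: false } },
  { name: 'lib-unrelated', dependencies: { 'some-other-dep': '1.0.0' } },
];

// No preference set anywhere: each dependent's own default decides.
console.log(auditScarf(installed, {}, {}));
// Project-level opt-out in the root package.json.
console.log(auditScarf(installed, { scarfSettings: { enabled: false } }, {}));
```

Entries with `explicit: false` are the ones for which, per the README, Scarf logs what it is doing during install.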
Setting the environment variable SCARF_LOCAL_PORT=8080 will configure Scarf to use http://localhost:${SCARF_LOCAL_PORT} as the analytics endpoint host.
Future releases of scarf-js will provide a module of utility functions to collect usage analytics in addition to the current installation analytics.
FAQs
Scarf is like Google Analytics for your npm packages. Gain insights into how your packages are installed and used, and by which companies.
The npm package @scarf/scarf receives a total of 342,995 weekly downloads. As such, @scarf/scarf popularity was classified as popular.
We found that @scarf/scarf demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.