Socket
Socket
Sign inDemoInstall

@scarf/scarf

Package Overview
Dependencies
0
Maintainers
1
Versions
26
Alerts
File Explorer

Advanced tools

Install Socket

Detect and block malicious and high-risk dependencies

Install

@scarf/scarf

Scarf is like Google Analytics for your npm packages. Gain insights into how your packages are installed and used, and by which companies.


Version published
Maintainers
1
Weekly downloads
273,492
decreased by-28.16%

Weekly downloads

Readme

Source

scarf-js

npm version

Scarf is like Google Analytics for your npm packages. By sending some basic details after installation, this package can help you can gain insights into how your packages are used and by which companies. Scarf aims to help support open-source developers fund their work when used commercially.

To read more about why we wrote this library, check out this post on the topic.

Features

  • No dependencies
  • Fully transparent to the user. Scarf will log it's behavior to the console during installation. It will never silently report analytics for someone that hasn't explictly given permission to do so.
  • Never interrupts your package installation. Reporting is done on a best effort basis.

Installing

You'll first need to create a library entry on Scarf. Once created, add a dependency on this library to your own:

npm i --save @scarf/scarf

Once your library is published to npm with this change, Scarf will automatically collect stats on install, no additional code is required!

Head to your package's dashboard on Scarf to see your reports when available.

Configuration

Users of your package will be opted in by default and can opt out by setting the SCARF_ANALYTICS=false environment variable. If you'd Scarf analytics to instead be opt-in, you can set this by adding an entry to your package.json

// your-package/package.json

{
  // ...
  "scarfSettings": {
    "defaultOptIn": false
  }
  // ...
}

Scarf will now be opt-out by default, and users can set SCARF_ANALYTICS=true to opt in.

Regardless of the default state, Scarf will log what it is doing to users who haven't explictly opted in or out.

What information does Scarf provide me as a package author?

  • Understanding your user-base
    • Which companies are using your package?
    • Is your project growing or shrinking? Where? On which platforms?
  • Which versions of your package are being used?

As a user of a package using Scarf, what information does Scarf send about me?

  • The operating system you are using
  • Your IP address will be used to look up any available company information. The IP address itself will be subsequently deleted.
  • Limited dependency tree information. Scarf sends the package name and version for certain packages (provided they are not scoped packages, @org/package-name, which are assumed to be private):
    • Packages in the dependency tree that directly depend on Scarf.
    • Packages that depend on a package that depends on Scarf.
    • The root package of the dependency tree.

As a user of a package using Scarf, how can I opt out of analytics?

Scarf's analytics help support developers of the open source packages you are using, so enabling analytics is appreciated. However, if you'd like to opt out, you can add your preference to your project's package.json:

// your-package/package.json

{
  // ...
  "scarfSettings": {
    "enabled": false
  }
  // ...
}

Alternatively, you can set this variable in your environment:

export SCARF_ANALYTICS=false

Either route will disable Scarf for all packages.

Developing

Setting the environment variable SCARF_LOCAL_PORT=8080 will configure Scarf to use http://localhost:8080 as the analytics endpoint host.

Future work

Future releases of scarf-js will provide a module of utility functions to collect usage analytics in addition to the current installation analytics.

FAQs

Last updated on 08 May 2020

Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc