@scarf/scarf
Scarf is like Google Analytics for your npm packages. Gain insights into how your packages are installed and used, and by which companies.
Scarf is like Google Analytics for your npm packages. By sending some basic details after installation, this package can help you can gain insight into how your packages are used and by which companies. Scarf aims to help open-source developers fund their work when it is used commercially.
To read more about why we wrote this library, check out this post on the topic.
You'll first need to create a library entry on Scarf. Once created, add a dependency on this library to your own:
npm i --save @scarf/scarf
Once your library is published to npm with this change, Scarf will automatically collect stats on install, no additional code is required!
Head to your package's dashboard on Scarf to see your reports when available.
Users of your package will be opted in by default and can opt out by setting the SCARF_ANALYTICS=false environment variable. If you'd like Scarf analytics to instead be opt-in, you can set this by adding an entry to your package.json:
// your-package/package.json
{
// ...
"scarfSettings": {
"defaultOptIn": false
}
// ...
}
Scarf will now be opt-out by default, and users can set SCARF_ANALYTICS=true to opt in.
Regardless of the default state, Scarf will log what it is doing to users who haven't explicitly opted in or out.
By default, scarf-js will only trigger analytics when your package is installed as a dependency of another package, or is being installed globally. This ensures that scarf-js analytics will not be triggered on npm install being run within your project. To change this, you can add:
// your-package/package.json
{
// ...
"scarfSettings": {
"allowTopLevel": true
}
// ...
}
// your-package/package.json
{
// ...
"scarfSettings": {
// Toggles whether Scarf is enabled for this package
"enabled": true,
// Enables Scarf when users run npm install directly in your repository
// Scarf will try to report the Git commit SHA of your repository if it can
// be obtained.
"allowTopLevel": true,
// Users will be opted into analytics by default
"defaultOptIn": true,
// By default, Scarf searches for its own location in your build's dependency
// graph to ensure reporting can be done for all packages using Scarf.
// For large projects with lots of dependencies, generating that dependency
// graph takes more time than Scarf allots for its entire process, so Scarf
// will always time out. `skipTraversal` is an optional flag for large
// applications to skip that traversal entirely. Use this flag with caution and
// care, as it will break Scarf analytics for all other packages you depend
// on in your build.
"skipTraversal": false
}
// ...
}
Scarf does not store personally identifying information. Scarf aims to collect information that is helpful for:
Specifically, scarf-js sends:
You can have scarf-js print the exact JSON payload it sends by setting SCARF_VERBOSE=true in your environment.
Scarf's analytics help support developers of the open source packages you are using, so enabling analytics is appreciated. However, if you'd like to opt out, you can add your preference to your project's package.json:
// your-package/package.json
{
// ...
"scarfSettings": {
"enabled": false
}
// ...
}
Alternatively, you can set this variable in your environment:
export SCARF_ANALYTICS=false
You can also set this variable in accordance to the Console Do Not Track standard:
export DO_NOT_TRACK=1
Either route will disable Scarf for all packages.
Yes. By opting out of analytics via package.json, any package upstream will have analytics disabled.
// your-package/package.json
{
// ...
"scarfSettings": {
"enabled": false
}
// ...
}
Installers of your packages will have scarf-js disabled for all dependencies upstream from yours.
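The opt-in, opt-out, top-level and upstream rules described above, modelled as a single decision function so a maintainer or installer can predict what a given package.json and environment would do. This is an added example, not scarf-js's own code; the function names and the shape of the chain/install arguments are assumptions.

```javascript
// Added example, not code from scarf-js itself: a model of the documented
// opt-in/opt-out rules, so you can check a configuration before publishing
// or installing. Function names and argument shapes here are hypothetical.

// Explicit choice made in the installer's environment, or null if none.
function envPreference(env) {
  if (env.DO_NOT_TRACK === '1') return 'opt-out';      // Console Do Not Track
  if (env.SCARF_ANALYTICS === 'false') return 'opt-out';
  if (env.SCARF_ANALYTICS === 'true') return 'opt-in';
  return null;
}

// chain:   "scarfSettings" objects from the installing project down to the
//          package that depends on scarf-js; an enabled:false anywhere in the
//          chain disables reporting for everything upstream of it
// env:     the installer's environment variables (process.env-like object)
// install: { topLevel: true when `npm install` runs inside the package's own
//            repository, global: true for a global install }
function scarfDecision(chain, env, install) {
  if (chain.some((s) => s && s.enabled === false)) {
    return { report: false, notice: false, reason: 'enabled:false in package.json' };
  }
  const own = chain[chain.length - 1] || {};
  // Top-level installs are skipped unless the package sets allowTopLevel.
  if (install.topLevel && !install.global && own.allowTopLevel !== true) {
    return { report: false, notice: false, reason: 'top-level install' };
  }
  const pref = envPreference(env);
  if (pref === 'opt-out') return { report: false, notice: false, reason: 'env opt-out' };
  if (pref === 'opt-in') return { report: true, notice: false, reason: 'env opt-in' };
  // No explicit choice: the package's defaultOptIn (true unless set) decides,
  // and scarf-js logs what it is doing so the user knows how to opt in or out.
  const optedIn = own.defaultOptIn !== false;
  return { report: optedIn, notice: true, reason: optedIn ? 'default opt-in' : 'default opt-out' };
}

// Constructed example: a CI host that sets DO_NOT_TRACK installs a dependency.
const ciDecision = scarfDecision([{}, { defaultOptIn: true }], { DO_NOT_TRACK: '1' },
                                 { topLevel: false, global: false });
```

Running the block with the constructed CI input yields report:false, since DO_NOT_TRACK=1 is honoured before the package's defaultOptIn is consulted.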
Setting the environment variable SCARF_LOCAL_PORT=8080 will configure Scarf to use http://localhost:8080 as the analytics endpoint host.
Future releases of scarf-js will provide a module of utility functions to collect usage analytics in addition to the current installation analytics.
Join the Scarf-Community workspace on Slack and find us in the #scarf-js channel. We'll keep an eye out for your questions and concerns.
FAQs
The npm package @scarf/scarf receives a total of 641,707 weekly downloads. As such, @scarf/scarf popularity was classified as popular.
We found that @scarf/scarf demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.