Gathering detailed insights and metrics for @scarf/scarf
Gathering detailed insights and metrics for @scarf/scarf
Installations
npm install @scarf/scarfDeveloper Guide
BETA
Typescript
No
Module System
CommonJS
Node Version
21.0.0
NPM Version
10.2.0
Releases
Unable to fetch releases
Languages
2
JavaScript
Shell
JavaScript (99.39%)
Shell (0.61%)
Developer
Download Statistics
Total Downloads
0
Last Day
0
Last Week
0
Last Month
0
Last Year
0
GitHub Statistics
Apache-2.0 License
165 Stars
102 Commits
13 Forks
8 Watchers
11 Branches
10 Contributors
Updated on Jun 10, 2025
Maintainers
2
Package Meta Information
Latest Version
1.4.0
Package Id
@scarf/scarf@1.4.0
Unpacked Size
37.74 kB
Size
12.14 kB
File Count
4
NPM Version
10.2.0
Node Version
21.0.0
Published on
Nov 06, 2024
Total Downloads
Cumulative downloads
Total Downloads
NaN
Last Day
0%
NaN
Compared to previous day
Last Week
0%
NaN
Compared to previous week
Last Month
0%
NaN
Compared to previous month
Last Year
0%
NaN
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
scarf-js
Scarf is like Google Analytics for your npm packages. By sending some basic details after installation, this package can help you can gain insight into how your packages are used and by which companies. Scarf aims to help open-source developers fund their work when it is used commercially.
To read more about why we wrote this library, check out this post on the topic.
Features
- No dependencies.
- Fully transparent to the user. Scarf will log its behavior to the console during installation. It will never silently report analytics for someone that hasn't explictly given permission to do so.
- Never interrupts your package installation. Reporting is done on a best effort basis.
Installing
You'll first need to create a library entry on Scarf. Once created, add a dependency on this library to your own:
1npm i --save @scarf/scarf
Once your library is published to npm with this change, Scarf will automatically collect stats on install, no additional code is required!
Head to your package's dashboard on Scarf to see your reports when available.
Configuring
Users of your package will be opted in by default and can opt out by setting the
SCARF_ANALYTICS=false environment variable. If you'd like Scarf analytics to
instead be opt-in, you can set this by adding an entry to your package.json
1// your-package/package.json 2 3{ 4 // ... 5 "scarfSettings": { 6 "defaultOptIn": false 7 } 8 // ... 9}
Scarf will now be opt-out by default, and users can set SCARF_ANALYTICS=true
to opt in.
Regardless of the default state, Scarf will log what it is doing to users who haven't explictly opted in or out.
By default, scarf-js will only trigger analytics when your package is installed as a dependency of another package, or is being installed globally. This ensures that scarf-js analytics will not be triggered on npm install being run within your project. To change this, you can add:
1// your-package/package.json 2 3{ 4 // ... 5 "scarfSettings": { 6 "allowTopLevel": true 7 } 8 // ... 9}
Full Configuration Example
1// your-package/package.json 2 3{ 4 // ... 5 "scarfSettings": { 6 // Toggles whether Scarf is enabled for this package 7 "enabled": true, 8 // Enables Scarf when users run npm install directly in your repository 9 // Scarf will try to report the Git commit SHA of your repository if it can 10 // be obtained. 11 "allowTopLevel": true, 12 // Users will be opted into analytics by default 13 "defaultOptIn": true, 14 // By default, Scarf searches for its own location in your build's dependency 15 // graph to ensure reporting can be done for all packages using Scarf. 16 // For large projects with lots of dependencies, generating that dependency 17 // graph takes more time than Scarf allots for its entire process, so Scarf 18 // will always time out. `skipTraversal` is an optional flag for large 19 // applications to skip that traversal entirely. Use this flag with caution and 20 // care, as it will break Scarf analytics for all other packages you depend 21 // on in your build. 22 "skipTraversal": false 23 } 24 // ... 25}
FAQ
What information does scarf-js provide me as a package author?
- Understanding your user-base
- Which companies are using your package?
- Is your project growing or shrinking? Where? On which platforms?
- Which versions of your package are being used?
As a user of a package using scarf-js, what information does scarf-js send about me?
Scarf does not store personally identifying information. Scarf aims to collect information that is helpful for:
- Package maintainence
- Identifying which companies are using a particular package, in order to set up support agreements between developers and companies.
Specifically, scarf-js sends:
- The operating system you are using
- Your IP address will be used to look up any available company information. Scarf does not store the actual IP address
- Limited dependency tree information. Scarf sends the name and version of the package(s) that directly depend on scarf-js. Additionally, scarf-js will send SHA256-hashed name and version for the following packages in the dependency tree:
- Packages that depend on a package that depends on scarf-js.
- The root package of the dependency tree. This allows Scarf to provide information for maintainers about which public packages are using their own, without exposing identifying details of non-public packages.
You can have scarf-js print the exact JSON payload it sends by setting SCARF_VERBOSE=true in your environment.
As a user of a package using scarf-js, how can I opt out of analytics?
Scarf's analytics help support developers of the open source packages you are
using, so enabling analytics is appreciated. However, if you'd like to opt out,
you can add your preference to your project's package.json:
1// your-package/package.json 2 3{ 4 // ... 5 "scarfSettings": { 6 "enabled": false 7 } 8 // ... 9}
Alternatively, you can set this variable in your environment:
1export SCARF_ANALYTICS=false
You can also set this variable in accordance to the Console Do Not Track standard:
1export DO_NOT_TRACK=1
Either route will disable Scarf for all packages.
I distribute a package on npm, and scarf-js is in our dependency tree. Can I disable the analytics for my downstream dependents?
Yes. By opting out of analytics via package.json, any package upstream will have analytics disbabled.
1// your-package/package.json 2 3{ 4 // ... 5 "scarfSettings": { 6 "enabled": false 7 } 8 // ... 9}
Installers of your packages will have scarf-js disabled for all dependencies upstream from yours.
Developing
Setting the environment variable SCARF_LOCAL_PORT=8080 will configure Scarf to
use http://localhost:8080 as the analytics endpoint host.
Future work
Future releases of scarf-js will provide a module of utility functions to collect usage analytics in addition to the current installation analytics.
Community
Join the Scarf-Community workspace on Slack and find us in the #scarf-js channel. We'll keep an eye out for your questions and concerns.
No vulnerabilities found.
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0
Reason
Found 15/18 approved changesets -- score normalized to 8
Reason
dependency not pinned by hash detected -- score normalized to 2
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/scarf-sh/scarf-js/main.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/scarf-sh/scarf-js/main.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/scarf-sh/scarf-js/main.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/scarf-sh/scarf-js/main.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/scarf-sh/scarf-js/main.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:59: update your workflow using https://app.stepsecurity.io/secureworkflow/scarf-sh/scarf-js/main.yml/master?enable=pin
- Info: 0 out of 6 GitHub-owned GitHubAction dependencies pinned
- Info: 2 out of 2 npmCommand dependencies pinned
Reason
0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: no topLevel permission defined: .github/workflows/main.yml:1
- Info: no jobLevel write permissions found
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
security policy file not detected
Details
- Warn: no security policy file detected
- Warn: no security file to analyze
- Warn: no security file to analyze
- Warn: no security file to analyze
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 29 are checked with a SAST tool
Reason
12 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8
- Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92
- Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
- Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
- Warn: Project is vulnerable to: GHSA-5fw9-fq32-wv5p
- Warn: Project is vulnerable to: GHSA-p8p7-x288-28g6
- Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
- Warn: Project is vulnerable to: GHSA-72xf-g2v4-qvf3
- Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7
- Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q
Score
3.7
/10
Last Scanned on 2025-06-30
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More