Gathering detailed insights and metrics for name-your-contributors
Installations
npm install name-your-contributorsDeveloper Guide
BETA
Typescript
No
Module System
CommonJS
Min. Node Version
>=10.0.0
Node Version
18.7.0
NPM Version
6.14.18
Score
59
Supply Chain
91.4
Quality
77.3
Maintenance
25
Vulnerability
99.6
License
Releases
10
Contributors
6
Unable to fetch Contributors
Languages
1
JavaScript
JavaScript (100%)
Developer
mntnr
Download Statistics
Total Downloads
14,380
Last Day
3
Last Week
22
Last Month
99
Last Year
1,105
GitHub Statistics
74 Stars
250 Commits
19 Forks
4 Watching
3 Branches
6 Contributors
Bundle Size
71.26 kB
Minified
23.53 kB
Minified + Gzipped
Maintainers
3
Package Meta Information
Latest Version
3.10.0
Package Id
name-your-contributors@3.10.0
Unpacked Size
66.94 kB
Size
21.24 kB
File Count
17
NPM Version
6.14.18
Node Version
18.7.0
Publised On
15 Jul 2023
Total Downloads
Cumulative downloads
Total Downloads
14,380
Last day
-70%
3
Compared to previous day
Last week
-58.5%
22
Compared to previous week
Last month
141.5%
99
Compared to previous month
Last year
-26.9%
1,105
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
Versions
name-your-contributors
Name your GitHub contributors; get commits, issues, and comments
name-your-contributors gets all of the code reviewers, commenters, issue and PR creators from your organization or repo.
Table of Contents
Background
NYC started as a means of showing who has been active in a repository or an org over a certain period of time. Originally it was used to populate people for the IPFS newsletter - every week, I would run it again to show new contributions. GitHub doesn't count a lot of contributions as contributions, instead looking at commits alone. NYC looks at all of your community, and logs who did what.
It spits out to a JSON object, because that's the most portable system for using it elsewhere with the formatting you need. It also uses GraphQL to cut down on the amount of queries, as it is pretty intensive otherwise.
Contributors
These people have helped make Name Your Contributors:
- @Berkmann18
- @RichardLitt
- @daviddias
- @dignifiedquire
- @gr2m
- @greenkeeper
- @jbenet
- @jozefizso
- @jywarren
- @kentcdodds
- @tgetgood
- @waldyrious
Using the jq JSON parsing library (you can use your own), this list was autogenerated like this:
1node src/cli.js -u mntnr -r name-your-contributors | jq '[ .[][].login | " - [@ \(.)](https://github.com/\(.))"]' | jq unique | jq -r .[]
Which is a whole lot more useful than manually looking for contributors!
Install
1$ npm install --save name-your-contributors
API Limits and setting up a GitHub Token
You also need to get a GitHub Personal Access token, you can
create one here.
It needs to have the read:org and the user:email scopes in order to function
properly. Name the token something informative: name-your-contributors is a
good name.
Set the token with the variable name $GITHUB_TOKEN before running the script:
1$ export GITHUB_TOKEN=ab34e...
You can also set the var automatically in every session by adding the above line
to your .bashrc file in your home directory.
The cost of querying a repo is approximately the number of PRs + the number of issues + the number of comments with reactions (if querying reactions) + the number of commits / 100 (if querying commit log).
So in the simplest case it's simply the total number of issues and PRs in the repos being queried.
Caveats
GitHub regulates API traffic by a credit system. The limits are quite high; it's
permitted to query hundreds of repos per hour using the repoContributors
function, but some organisations have many hundreds of repos, and a single call
to orgContributors could potentially exhaust your entire hourly quota. The
WikiMedia Foundation is a good example of an org with way too many repos for
this app to handle.
Unfortunately filtering by contributions before or after a given date has no effect on quota use, since the data still needs to be queried before it can be filtered.
For more details on rate limits, see https://developer.github.com/v4/guides/resource-limitations/.
Usage
From Code
1const nyc = require('name-your-contributors')
2
3nyc.repoContributors({
4 token: process.env.GITHUB_TOKEN,
5 user: 'mntnr',
6 repo: 'name-your-contributors',
7 before: new Date(),
8 after: new Date(0)
9}).then(
10 //do something with the results
11)
12
13nyc.orgContributors({
14 token: process.env.GITHUB_TOKEN,
15 orgName: 'ipfs',
16 before: '2017-01-01',
17 after: '2016-01-01'
18}).then(...)From the Command Line
1# Install the program 2$ npm install -g name-your-contributors 3 4# Make sure that a token is enabled - you can also save this in your .env 5$ export GITHUB_TOKEN={your-token} 6 7# Get all contributors to mntnr/name-your-contributors. Log to stdout. 8$ name-your-contributors -u mntnr -r name-your-contributors 9 10# Or, get all contributors to an org after a certain date, in a file 11$ name-your-contributors -o ipfs -a 2017-01-01 > ipfs-contrib.json 12 13# Use a config instead of specifying using CLI arguments - easier for repetitive use 14$ name-your-contributors --config config.json > combined-out.json 15 16# Print the help docs! 17$ name-your-contributors --help 18 19 Name your GitHub contributors; get commits, issues, and comments 20 21 Usage 22 $ name-your-contributors <input> [opts] 23 24 Options 25 -t, --token - GitHub auth token to use 26 -a, --after - Get contributions after date 27 -b, --before - Get contributions before data 28 29 -o, --org - Search all repos within this organisation 30 -r, --repo - Repository to search 31 -u, --user - User to which repository belongs 32 -c, --config - Operate from config file. In this mode only token, verbose, and 33 debug flags apply. 34 35 --full - Returns the full tree of contributions rather than the default 36 synopsis. 37 --csv - Output data in CSV format 38 39 --commits - Get commit authors and comments from GitHub 40 --local-dir - If specified, this script will look for repos being queried in 41 the provided dir and read the commit log from them directly. 42 --reactions - Query reactions of comments as well. 43 44 --wipe-cache - Wipe local cache before starting query. 45 46 -v, --verbose - Enable verbose logging 47 --debug - Enable extremely verbose logging 48 --dry-run - Check the cost of the query without executing it. 49 50 Authentication 51 This script looks for an auth token in the env var GITHUB_TOKEN. It needs 52 to have the read:org and the user:email scopes in order to function 53 properly. Make sure this var is set to a valid GitHub oauth token. To 54 create one see: 55 https://help.github.com/articles/creating-a-personal-access-token-for-the-command-line/ 56 Examples 57 $ name-your-contributors -r ipfs -u ipfs --after=2016-01-15T00:20:24Z --before=2016-01-20T00:20:24Z 58 59 $ name-your-contributors -o ipfs -a 2017-01-01 > ipfs-contrib-2017.json 60 61 $ name-your-contributors --config config.json > combined-out.json
Config File
For batching convenience, Name Your Contributors takes a config file which
specifies a token, a list of repos, and a list of orgs to grab. The
config.json.example is an outline of this file format:
1{ 2 "token": "123435abcdf", 3 "repos": [{ 4 "login": "mntnr", 5 "repo": "name-your-contributors", 6 "before": "2017-11-30", 7 "after": "2017-06-01" 8 }, { 9 "login": "mntnr", 10 "repo": "whodidwhat" 11 }], 12 "orgs": [{ 13 "login": "adventure-js", 14 "after": "2017-07-01" 15 }] 16}
A token passed in the config file will override any token present in the environment.
The output when passed a config file is a mirror of the config file with the
token removed and a contributions key added to each object, like so:
1{ 2 "repos": [{ 3 "login": "mntnr", 4 "repo": "name-your-contributors", 5 "before": "2017-11-30", 6 "after": "2017-06-01", 7 "contributions" : { 8 "commitAuthors": [...], 9 "commitCommentators": [...], 10 ,,, 11 }, 12 ... 13 }], 14 "orgs": [...] 15}
The output will be in the format:
1$ name-your-contributors -u mntnr -r name-your-contributors --after 2017-11-10 2 3{ 4 "commitAuthors": [], 5 "commitCommentators": [], 6 "prCreators": [], 7 "prCommentators": [ 8 { 9 "login": "RichardLitt", 10 "name": "Richard Littauer", 11 "url": "https://github.com/RichardLitt", 12 "count": 3 13 }, 14 { 15 "login": "tgetgood", 16 "name": "Thomas Getgood", 17 "url": "https://github.com/tgetgood", 18 "count": 2 19 } 20 ], 21 "issueCreators": [ 22 { 23 "login": "RichardLitt", 24 "name": "Richard Littauer", 25 "url": "https://github.com/RichardLitt", 26 "count": 1, 27 "titles": [ 28 "Add example output to the README", 29 "Get email for users" 30 ] 31 } 32 ], 33 "issueCommentators": [ 34 { 35 "login": "tgetgood", 36 "name": "Thomas Getgood", 37 "url": "https://github.com/tgetgood", 38 "count": 1 39 }, 40 { 41 "login": "RichardLitt", 42 "name": "Richard Littauer", 43 "url": "https://github.com/RichardLitt", 44 "count": 1 45 } 46 ], 47 "reactors": [ 48 { 49 "login": "patcon", 50 "name": "Patrick Connolly", 51 "url": "https://github.com/patcon", 52 "count": 1 53 } 54 ], 55 "reviewers": [] 56}
Result formats
Name Your Contributors offers 4 distinct result formats intended for different consumers.
Default
The default result format is an aggregate synopsis of all contributions in the given time window. This is the format in the examples above.
CSV
With the --csv flag provided at the command line, nyc will return the default
info in CSV format rather than JSON.
Full Contribution Tree
If the --full flag is passed at the command line, then nyc will return the
full tree of org->repo->pr->comment->reaction->author for all interactions in
the given time window. This format is quite verbose, but invaluable if you want
to know not only who contributed, but the details of every contribution made.
For example,
1$ name-your-contributors -r name-your-contributors -u mntnr -b 2017-12-10 -a 2017-11-10 --full
will return (abbreviated):
1{ 2 "repository": { 3 "homepageUrl": "", 4 "name": "name-your-contributors", 5 "owner": { 6 "login": "mntnr" 7 }, 8 "pullRequests": [ 9 { 10 "title": "Cli updates", 11 "number": 43, 12 "state": "MERGED", 13 "author": { 14 "login": "tgetgood", 15 "name": "Thomas Getgood", 16 "url": "https://github.com/tgetgood" 17 }, 18 "createdAt": "2017-10-26T19:48:39Z", 19 "comments": [ 20 { 21 "author": { 22 "login": "RichardLitt", 23 "name": "Richard Littauer", 24 "url": "https://github.com/RichardLitt" 25 }, 26 "createdAt": "2017-11-20T16:35:31Z" 27 }, 28 { 29 "author": { 30 "login": "tgetgood", 31 "name": "Thomas Getgood", 32 "url": "https://github.com/tgetgood" 33 }, 34 "createdAt": "2017-11-21T21:05:15Z" 35 }, 36 ... 37 ], 38 "reviews": [] 39 }, 40 ... 41 ] 42 } 43}
Notice that the pull request above was created before the date passed to before. It is still included because comments made within it were created in the desired timeframe. If there had been no such comments, the PR would not be included.
Condensed
For an even more condensed output format which also allows filtering on given users, see the postprocessing script Who Did What.
API
orgContributors({orgName, token, before, after})
token
Type: string
Github auth token
org
Type: string
The organization to traverse. If no organization is provided, the script will find the username and repo for the local git repository and use that.
opts.after
Type: string
Default value: new Date(0)
The ISO timestamp to get contributors after.
Any string that will be accepted by new Date("...") will work here as
expected.
opts.before
Type: string
Default value: new Date()
Get contributors from before this ISO timestamp.
repoContributors({user, repo, token, before, after})
opts.user
Type: string
Github user name to whom the repo belongs.
opts.repo
Type: string
Only traverse the given repository.
Development
There are several extra flags that are useful for development and diagnosing issues:
-v, --verbose prints out each query that is sent to the api along with its
cost and the quota remaining after it is run.
--debug prints out each query sent to the server and the raw response. This is
extremely verbose.
--dry-run prints the cost of the first query that would have been run without
running it. Note that since the query isn't executed, follow up queries aren't
possible. when used with the -c, --config option, dry runs the first query for
each entry of the config file.
Contribute
Name Your Contributors is an open source project - we'd love you to contribute! Check out the Contributing document, and abide by the Code of Conduct.
License
MIT © 2018 Richard Littauer
No vulnerabilities found.
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
license file detected
Details
- Info: project has a license file: license:0
- Info: FSF or OSI recognized license: MIT License: license:0
Reason
dependency not pinned by hash detected -- score normalized to 4
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nodejs.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/mntnr/name-your-contributors/nodejs.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/nodejs.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/mntnr/name-your-contributors/nodejs.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/semantic-release.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/mntnr/name-your-contributors/semantic-release.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/semantic-release.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/mntnr/name-your-contributors/semantic-release.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/semantic-release.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/mntnr/name-your-contributors/semantic-release.yml/master?enable=pin
- Info: 0 out of 3 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 2 third-party GitHubAction dependencies pinned
- Info: 2 out of 2 npmCommand dependencies pinned
Reason
Found 4/15 approved changesets -- score normalized to 2
Reason
0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: no topLevel permission defined: .github/workflows/dependabot.yml:1
- Warn: no topLevel permission defined: .github/workflows/nodejs.yml:1
- Warn: no topLevel permission defined: .github/workflows/semantic-release.yml:1
- Info: no jobLevel write permissions found
Reason
security policy file not detected
Details
- Warn: no security policy file detected
- Warn: no security file to analyze
- Warn: no security file to analyze
- Warn: no security file to analyze
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
branch protection not enabled on development/release branches
Details
- Warn: branch protection not enabled for branch 'master'
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 26 are checked with a SAST tool
Reason
25 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92
- Warn: Project is vulnerable to: GHSA-93q8-gq69-wqmw
- Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-gxpj-cx7g-858c
- Warn: Project is vulnerable to: GHSA-4gmj-3p3h-gm8h
- Warn: Project is vulnerable to: GHSA-pfrx-2q88-qq97
- Warn: Project is vulnerable to: GHSA-rc47-6667-2j5j
- Warn: Project is vulnerable to: GHSA-78xj-cgh5-2h22
- Warn: Project is vulnerable to: GHSA-2p57-rm9w-gvfp
- Warn: Project is vulnerable to: GHSA-p6mc-m468-83gw
- Warn: Project is vulnerable to: GHSA-5v2h-r2cx-5xgj
- Warn: Project is vulnerable to: GHSA-rrrm-qjm4-v8hf
- Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
- Warn: Project is vulnerable to: GHSA-r96c-57pf-9jjm
- Warn: Project is vulnerable to: GHSA-p8p7-x288-28g6
- Warn: Project is vulnerable to: GHSA-r2j6-p67h-q639
- Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
- Warn: Project is vulnerable to: GHSA-44c6-4v22-4mhx
- Warn: Project is vulnerable to: GHSA-4x5v-gmq8-25ch
- Warn: Project is vulnerable to: GHSA-f5x3-32g6-xq36
- Warn: Project is vulnerable to: GHSA-72xf-g2v4-qvf3
- Warn: Project is vulnerable to: GHSA-7p7h-4mm5-852v
- Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7
- Warn: Project is vulnerable to: GHSA-p9pc-299p-vxgp
Score
2.9
/10
Last Scanned on 2025-01-27
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More