Analytics dashboard for npm packages, with snapshot-based package download history and GitHub repository health reporting.
Copy apps/npm-burst/.env.local.example to apps/npm-burst/.env.local and fill in:
VITE_CLERK_PUBLISHABLE_KEY: Clerk frontend key used by Vite in the browser.CLERK_PUBLISHABLE_KEY: server-side publishable key if needed by server code or middleware.CLERK_SECRET_KEY: Clerk backend secret for authenticated telefunc requests.ENCRYPTION_KEY: 64 hex chars, used to encrypt GitHub installation access tokens before storing them in the DB.GITHUB_APP_ID: numeric GitHub App ID.GITHUB_APP_SLUG: app slug used to build the GitHub installation URL.GITHUB_APP_PRIVATE_KEY: GitHub App private key in PEM format. In.env.local, keep newline escapes as\n.GITHUB_WEBHOOK_SECRET: webhook signing secret used to verifyinstallationandinstallation_repositoriesevents.
Generate the local secrets with:
pnpm generate:secretsThat writes gitignored files into ./keys/, split by destination:
keys/npm-burst.env→ copy intoapps/npm-burst/.env.localkeys/cronjob.env→ copy intoapps/cronjob/.dev.varskeys/cloudflare.env→ set as Cloudflare secrets for deployed environments
GITHUB_APP_PRIVATE_KEY is different: GitHub generates that in the GitHub App settings when you create a private key.
The package Health view can now fall back to the signed-in user's GitHub account for one-off snapshots when a repo owner has not installed the GitHub App yet.
- In the Clerk dashboard, enable GitHub as a social connection for your application.
- Make sure the Clerk instance used by npm-burst has GitHub enabled for both sign-in and connected accounts in the user profile.
- Use the same Clerk publishable and secret keys in npm-burst that point at that configured instance.
- After signing in, open
/usageand use theConnect GitHubbutton if your Clerk account was created without GitHub initially.
Once connected, npm-burst can request the user's GitHub OAuth access token from Clerk server-side and use it to fetch a one-off health snapshot for the repo currently being viewed.
Copy apps/cronjob/.dev.vars.example to apps/cronjob/.dev.vars for local Wrangler runs. The cron worker needs:
GITHUB_APP_IDGITHUB_APP_PRIVATE_KEYENCRYPTION_KEY
ENCRYPTION_KEY must be identical in the app and cron environments or stored GitHub installation tokens cannot be decrypted and refreshed.
The app uses Cloudflare D1. Create a D1 database and fill in the database_id in both apps/npm-burst/wrangler.toml and apps/cronjob/wrangler.toml.
Run migrations locally to set up the schema:
pnpm exec tsx apps/npm-burst/src/server/migrate.tsTo apply migrations to the remote D1 database, use wrangler d1 execute with the generated SQL.
The GitHub health feature adds these tables:
github_installationsgithub_reposgithub_repo_packagesgithub_health_snapshotsgithub_health_metricsgithub_bot_patterns
GitHub health snapshots use a GitHub App, not a personal access token.
- A maintainer clicks the install link from the usage page.
- In GitHub Developer Settings, create a new GitHub App.
- Set the homepage URL to your deployed app.
- Set the Setup URL to
https://your-domain.example/api/github/setup. - Set the Webhook URL to
https://your-domain.example/api/github/webhook. - Generate a webhook secret and copy it into
GITHUB_WEBHOOK_SECRET. - Grant these repository permissions as read-only:
IssuesPull requestsMetadata
- Generate a private key.
- Copy the app values into your env:
- App ID ->
GITHUB_APP_ID - App slug ->
GITHUB_APP_SLUG - Private key PEM ->
GITHUB_APP_PRIVATE_KEY
- App ID ->
- Run
pnpm generate:github-secretsand copy:
ENCRYPTION_KEYinto both the app env and cron envGITHUB_WEBHOOK_SECRETinto the app env and the GitHub App webhook secret field
- Deploy the app and cron worker with those secrets configured.
- From npm-burst's
/usagepage, click the install link for the GitHub owner you maintain. - Complete the GitHub App installation for that user or organization and grant access to the repos npm-burst should track.
- GitHub redirects back to
/api/github/setup, then sendsinstallationorinstallation_repositorieswebhooks to/api/github/webhook. - npm-burst verifies the webhook, upserts
github_installations, refreshes an installation token, and syncs accessible repositories intogithub_repos.installation_id. - The cron worker can now snapshot GitHub health data for those repos.
If the setup redirect succeeds but the app still shows the owner as uninstalled, check the webhook delivery logs in the GitHub App settings first.
Set secrets for the Pages app:
cd apps/npm-burst
wrangler pages secret put CLERK_SECRET_KEY
wrangler pages secret put ENCRYPTION_KEY
wrangler pages secret put GITHUB_APP_ID
wrangler pages secret put GITHUB_APP_SLUG
wrangler pages secret put GITHUB_APP_PRIVATE_KEY
wrangler pages secret put GITHUB_WEBHOOK_SECRETThe D1 database binding is configured in wrangler.toml, not as a secret.
Set secrets for the cron worker:
cd apps/cronjob
wrangler secret put ENCRYPTION_KEY
wrangler secret put GITHUB_APP_ID
wrangler secret put GITHUB_APP_PRIVATE_KEYKeep ENCRYPTION_KEY identical across both deployments.
Start the app:
pnpm nx serve npm-burstIf you want to run the cron worker locally through Wrangler:
cd apps/cronjob
wrangler dev- Repo association is auto-detected from the npm
repositoryfield. - If a package has no GitHub repository in npm metadata, the Health view stays empty.
- The cron snapshotter skips repos that do not yet have an installation synced from GitHub webhooks.
- If an app is installed on only selected repositories, repo access is updated from the installation repository sync rather than assumed for the whole owner.
- Signed-in users with a connected GitHub account can still fetch a one-off snapshot from the package Health view even if the GitHub App is not installed for that owner.