feat: display author profile picture

[Gugustinette]

Resolves #435

How it works :

• Find username email address by exploring its public packages metadata
• If found, construct the Gravatar URL using it
• Else, fallback to the previous solution with the username's initial

I cached the data for one day, I consider it way enough for the profile picture which realistically doesn't change many times a day.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
npmx.dev	Ready	Preview, Comment	Feb 1, 2026 4:41pm

2 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
docs.npmx.dev	Ignored	Preview	Feb 1, 2026 4:41pm
npmx-lunaria	Ignored		Feb 1, 2026 4:41pm

[danielroe]

for the cli we directly return the image, hashed.

not sure of the cost of doing the same, but there's the issue of: third party origins, and potential privacy concerns...

[Gugustinette]

Oh ye I missed that.

The CLI has access to the user email which could be private, so I guess we should ignore this and keep the public-data-only solution.
Now for the image itself, I think it is better to use the Gravatar url directly, so its overall management is up to the Gravatar platform and the Gravatar user account.

But maybe we need the expertise of someone more qualified in this ? However I don't know who would be a good fit.

[danielroe]

a quick fix would be to add a server endpoint to proxy to gravatar, so we don't expose user IPs to a third party without consent

[Gugustinette]

Oooh ok I did not think about it that way, that's on me 👀

Then we would add cache to it, which means if the user wants to change or delete its profile picture, it'll still be live on npmx for as long as the cache lives.
Is that ok ?

[danielroe]

seems fine to me 👍

[Gugustinette]

Made the changes : the API endpoint now returns a data url with the image in base 64.
Thus the server is the one taking care of the request to Gravatar.