npq allows you to audit npm packages before you install them
Media coverage about npq:
Once npq is installed, you can safely* install packages:
npq install express
npq will perform the following steps to sanity check that the package is safe by employing syntactic heuristics and querying a CVE database:
If npq is prompted to continue with the install, it simply hands over the actual package install job to the package manager (npm by default, or as specified via the NPQ_PKG_MGR environment variable). Note that if a package manager is specified via command-line options, it will override the NPQ_PKG_MGR environment variable.
DISCLAIMER: there's no guaranteed absolute safety; a malicious or vulnerable package could still exist that has no security vulnerabilities publicly disclosed and passes npq's checks.
https://github.com/user-attachments/assets/619ab3f6-aa3f-483c-9560-0f18e033e6bf
npm install -g npq
Note: we recommend installing with npm rather than yarn. That way, npq can automatically install shell aliases for you.
You can also install npq via Homebrew on macOS or Linux:
brew install npq
npq install express
Since npq is a pre-step to ensure that the npm package you're installing is safe, you can safely embed it in your day-to-day npm usage so there's no need to remember to run npq explicitly.
alias npm='npq-hero'
If you're using yarn, pnpm, or generally want to explicitly tell npq which package manager to use you can specify an environment variable: NPQ_PKG_MGR=<package-manager>
Examples:
Using yarn:
alias yarn="NPQ_PKG_MGR=yarn npq-hero"
Using pnpm:
NPQ_PKG_MGR=pnpm npx npq install fastify
Using pnpm with alias:
alias pnpm="NPQ_PKG_MGR=pnpm npq-hero"
Note: npq by default will offload all commands and their arguments to the npm (or other package manager as specified) after it finished its due-diligence checks for the respective packages.
| Marshall Name | Description | Notes |
|---|---|---|
| age | Will show a warning for a package if its age on npm is less than 22 days | Checks a package creation date, not a specific version |
| author | Will show a warning if a package has been found without an author field | Checks the latest version for an author |
| downloads | Will show a warning for a package if its download count in the last month is less than 20 | |
| readme | Will show a warning if a package has no README or it has been detected as a security placeholder package by npm staff | |
| repo | Will show a warning if a package has been found without a valid and working repository URL | Checks the latest version for a repository URL |
| scripts | Will show a warning if a package has a pre/post install script which could potentially be malicious | |
| snyk | Will show a warning if a package has been found with vulnerabilities in Snyk's database | For Snyk to work you need to either have the snyk npm package installed with a valid API token, or make the token available in the SNYK_TOKEN environment variable, and npq will use it |
| license | Will show a warning if a package has been found without a license field | Checks the latest version for a license |
| expired domains | Will show a warning if a package has been found with one of its maintainers having an email address that includes an expired domain | Checks a dependency version for a maintainer with an expired domain |
| signatures | Will compare the package's signature as it shows on the registry's pakument with the keys published on the npmjs.com registry | |
| provenance | Will verify the package's attestations of provenance metadata for the published package | |
| version-maturity | Will show a warning if the specific version being installed was published less than 7 days ago | Helps identify recently published versions that may not have been reviewed by the community yet |
| newBin | Will show a warning if the package version being installed introduces a new command-line binary (via the bin field in package.json) that was not present in its previous version. | Helps identify potentially unexpected new executables being added to your node_modules/.bin/ directory. |
| typosquatting | Will show a warning if the package name is similar to a popular package name, which could indicate a potential typosquatting attack. | Helps identify packages that may be trying to trick users into installing them by mimicking popular package names. |
| deprecation | Will show a warning if the package version being installed is deprecated. | Helps identify packages that are no longer maintained or recommended for use. |
To disable a marshall altogether, set an environment variable using with the marshall's shortname.
Example, to disable the Snyk vulnerability marshall:
MARSHALL_DISABLE_SNYK=1 npq install express
Here are all the available environment variable names for disabling specific marshalls:
| Marshall Name | Environment Variable | Description |
|---|---|---|
| age | MARSHALL_DISABLE_AGE | Disable package age checks |
| author | MARSHALL_DISABLE_AUTHOR | Disable package author verification |
| downloads | MARSHALL_DISABLE_DOWNLOADS | Disable download count checks |
| expired domains | MARSHALL_DISABLE_MAINTAINERS_EXPIRED_EMAILS | Disable expired domain checks for maintainer emails |
| license | MARSHALL_DISABLE_LICENSE | Disable license availability checks |
| provenance | MARSHALL_DISABLE_PROVENANCE | Disable package provenance verification |
| repo | MARSHALL_DISABLE_REPO | Disable repository URL validation |
| scripts | MARSHALL_DISABLE_SCRIPTS | Disable pre/post install script checks |
| signatures | MARSHALL_DISABLE_SIGNATURES | Disable registry signature verification |
| snyk | MARSHALL_DISABLE_SNYK | Disable Snyk vulnerability checks |
| typosquatting | MARSHALL_DISABLE_TYPOSQUATTING | Disable typosquatting detection |
| version-maturity | MARSHALL_DISABLE_VERSION_MATURITY | Disable version maturity checks |
| newBin | MARSHALL_DISABLE_NEWBIN | Disable new binary introduction checks |
| deprecation | MARSHALL_DISABLE_DEPRECATION | Disable deprecation checks |
npq install express --dry-run
npq install express --plain
npm install will install a module even if it has vulnerabilities; NPQ will display the issues detected, and prompt the user for confirmation on whether to proceed installing it.pre-install script which can be potentially harmful for your system and prompt you whether to install it. Whereas npm audit will not perform any such checks, and only consults a vulnerability database for known security issues.npm audit is closer in functionality to what Snyk does, rather than what NPQ does.Please consult the CONTRIBUTING for guidelines on contributing to this project
Liran Tal liran.tal@gmail.com
FAQs
marshall your npm/npm package installs with high quality and class 🎖
The npm package npq receives a total of 1,285 weekly downloads. As such, npq popularity was classified as popular.
We found that npq demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
/Research
Malicious npm package impersonates Nodemailer and drains wallets by hijacking crypto transactions across multiple blockchains.
Security News
This episode explores the hard problem of reachability analysis, from static analysis limits to handling dynamic languages and massive dependency trees.
Security News
/Research
Malicious Nx npm versions stole secrets and wallet info using AI CLI tools; Socket’s AI scanner detected the supply chain attack and flagged the malware.