{"id":13451968,"url":"https://github.com/lirantal/npq","last_synced_at":"2026-04-06T18:02:32.294Z","repository":{"id":27627485,"uuid":"114298694","full_name":"lirantal/npq","owner":"lirantal","description":"safely install npm packages by auditing them pre-install stage","archived":false,"fork":false,"pushed_at":"2026-03-30T18:32:00.000Z","size":13497,"stargazers_count":1562,"open_issues_count":12,"forks_count":35,"subscribers_count":4,"default_branch":"main","last_synced_at":"2026-03-30T20:29:04.160Z","etag":null,"topics":["appsec","best-practices","command-line-tool","nodejs","npm","package-manager","security","security-audit","security-tools","supply-chain-security","vulnerabilities","vulnerability-scanners"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/lirantal.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2017-12-14T21:37:48.000Z","updated_at":"2026-03-30T18:32:05.000Z","dependencies_parsed_at":"2024-01-13T10:12:42.386Z","dependency_job_id":"47b2e1ed-c82a-46b7-819b-e57e17aaa457","html_url":"https://github.com/lirantal/npq","commit_stats":{"total_commits":269,"total_committers":21,"mean_commits":12.80952380952381,"dds":"0.34944237918215615","last_synced_commit":"2ab7556c9eaf470c89b1c95a74e788966d3cd2e0"},"previous_names":[],"tags_count":173,"template":false,"template_full_name":null,"purl":"pkg:github/lirantal
/npq","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lirantal%2Fnpq","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lirantal%2Fnpq/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lirantal%2Fnpq/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lirantal%2Fnpq/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/lirantal","download_url":"https://codeload.github.com/lirantal/npq/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lirantal%2Fnpq/sbom","scorecard":{"id":592240,"data":{"date":"2025-08-11","repo":{"name":"github.com/lirantal/npq","commit":"5b9528d318054df121e54514d005ed0eee63d56c"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":7,"checks":[{"name":"Code-Review","score":2,"reason":"Found 8/30 approved changesets -- score normalized to 2","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":10,"reason":"30 commit(s) and 28 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project 
has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Token-Permissions","score":9,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: jobLevel 'contents' permission set to 'write': .github/workflows/automerge.yml:24","Warn: no topLevel permission defined: .github/workflows/automerge.yml:1","Info: topLevel 'contents' permission set to 'read': .github/workflows/main.yml:12"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Pinned-Dependencies","score":4,"reason":"dependency not pinned by hash detected -- score normalized to 4","details":["Warn: third-party GitHubAction not pinned by hash: .github/workflows/automerge.yml:29: update 
your workflow using https://app.stepsecurity.io/secureworkflow/lirantal/npq/automerge.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/lirantal/npq/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/lirantal/npq/main.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/lirantal/npq/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/lirantal/npq/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:60: update your workflow using https://app.stepsecurity.io/secureworkflow/lirantal/npq/main.yml/main?enable=pin","Info:   0 out of   4 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   2 third-party GitHubAction dependencies pinned","Info:   2 out of   2 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: 
LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/main.yml:46"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 16 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":9,"reason":"1 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-52f5-9888-hmc6"],"documentation":{"short":"Determines if the project has open, known unfixed 
vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-20T22:15:03.748Z","repository_id":27627485,"created_at":"2025-08-20T22:15:03.748Z","updated_at":"2025-08-20T22:15:03.748Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31483382,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-06T17:22:55.647Z","status":"ssl_error","status_checked_at":"2026-04-06T17:22:54.741Z","response_time":112,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["appsec","best-practices","command-line-tool","nodejs","npm","package-manager","security","security-audit","security-tools","supply-chain-security","vulnerabilities","vulnerability-scanners"],"created_at":"2024-07-31T07:01:08.651Z","updated_at":"2026-04-06T18:02:32.288Z","avatar_url":"https://github.com/lirantal.png","language":"JavaScript","funding_links":[],"categories":["JavaScript","Vulnerabilities and Security Advisories","3. Use npq for hardening package installs","security-tools"],"sub_categories":["2.2. 
Snyk automated dependency upgrades with cooldown"],"readme":"npq allows you to audit npm packages _before_ you install them\n\n[![npm](https://img.shields.io/npm/v/npq)](https://www.npmjs.com/package/npq)\n[![license](https://img.shields.io/npm/l/npq)](LICENSE)\n[![codecov](https://img.shields.io/codecov/c/gh/lirantal/npq/main)](https://codecov.io/gh/lirantal/npq)\n[![CI](https://img.shields.io/github/actions/workflow/status/lirantal/npq/main.yml?branch=main\u0026label=CI\u0026logo=github)](https://github.com/lirantal/npq/actions/workflows/main.yml?query=branch%3Amain)\n[![Known Vulnerabilities](https://snyk.io/test/github/lirantal/npq/badge.svg)](https://snyk.io/test/github/lirantal/npq)\n[![Security Responsible Disclosure](https://img.shields.io/badge/Security-Responsible%20Disclosure-yellow)](SECURITY.md)\n\nTL;DR how to use npq:\n\n```sh\n$ npx npq install express --dry-run\n```\n\n_What it does: the `npx` tool downloads and executes the `npq` package, which runs its install checks for the `express` package; `--dry-run` means npq exits afterwards without installing anything, regardless of whether the checks passed_.\n\nHere's a screenshot of npq in action:\n\n![npq demo screenshot](.github/npq.png)\n\nMedia coverage about npq:\n\n- As mentioned in [Thomas Gentilhomme](https://github.com/fraxken)'s French book [Become a Node.js Developer](https://docs.google.com/document/d/1JHgmEFkc8Py4XSuCB8_DQ5FFEJoogyeninFK6ucTd4o/edit#)\n- Tao Bojlén's [A web of trust for npm](https://www.btao.org/2020/10/02/npm-trust.html)\n- Zander's [favorite list of command line tools](https://zander.wtf/blog/terminal-commands)\n- Ran Bar Zik's [npq review to install safe 
modules](https://internet-israel.com/%D7%A4%D7%99%D7%AA%D7%95%D7%97-%D7%90%D7%99%D7%A0%D7%98%D7%A8%D7%A0%D7%98/%D7%91%D7%A0%D7%99%D7%99%D7%AA-%D7%90%D7%AA%D7%A8%D7%99-%D7%90%D7%99%D7%A0%D7%98%D7%A8%D7%A0%D7%98-%D7%9C%D7%9E%D7%A4%D7%AA%D7%97%D7%99%D7%9D/%D7%91%D7%93%D7%99%D7%A7%D7%94-%D7%A2%D7%9D-npq-%D7%9B%D7%93%D7%99-%D7%9C%D7%95%D7%95%D7%93%D7%90-%D7%94%D7%AA%D7%A7%D7%A0%D7%94-%D7%AA%D7%A7%D7%99%D7%A0%D7%94-%D7%A9%D7%9C-%D7%9E%D7%95%D7%93%D7%95/)\n- ostechnix's [How To Safely Install Packages Using Npm Or Yarn On Linux](https://ostechnix.com/how-to-safely-install-packages-using-npm-or-yarn-on-linux)\n- debricked's [How to evaluate the security of your NPM Package dependencies](https://debricked.com/blog/2020/03/11/how-to-evaluate-the-security-of-your-npm-package-dependencies)\n- JavaScript January advent calendar's post on [Open Source From Heaven, Modules From Hell](https://www.lirantal.com/blog/2019-01-26)\n- Liran Tal's [Malicious Modules — what you need to know when installing npm packages](https://www.lirantal.com/blog/malicious-modules-what-you-need-to-know-when-installing-npm-packages-12b2f56d3685)\n\n## About\n\nOnce npq is installed, you can safely* install packages:\n\n```bash\nnpq install express\n```\n\n`npq` will perform the following steps to sanity check that the package is safe by employing syntactic heuristics and querying a CVE database:\n\n* Consult the [snyk.io database of publicly disclosed vulnerabilities](https://snyk.io/vuln) to check if a security vulnerability exists for this package and its version.\n* Package age on npm\n* Package download count as a popularity metric\n* Package has a README file\n* Package has a LICENSE file\n* Package has pre/post install scripts\n\n**IMPORTANT**: npq by default uses an auto-continue mode when warnings are detected (no errors), waiting 15 seconds before proceeding with the installation. 
You can disable this behavior via the `--disable-auto-continue` CLI flag or the `NPQ_DISABLE_AUTO_CONTINUE=true` environment variable to enforce a strict review and security hardened installs. See [the auto-continue documentation](docs/feature/auto-continue.md) for more details.\n\nWhen npq completes its signal checks it hands over the actual package install job to the package manager (npm by default, or as specified via the `NPQ_PKG_MGR` environment variable).\n\n**DISCLAIMER**: there's no guaranteed absolute safety; a malicious or vulnerable package could still exist that has no security vulnerabilities publicly disclosed and passes npq's checks.\n\n## Demo\n\n\u003chttps://github.com/user-attachments/assets/619ab3f6-aa3f-483c-9560-0f18e033e6bf\u003e\n\n## Install\n\n```bash\nnpm install -g npq\n```\n\n*Note: we recommend installing with `npm` rather than `yarn`. That way, `npq` can automatically install shell aliases for you.*\n\nYou can also install `npq` via [Homebrew](https://brew.sh) on macOS or Linux:\n\n```bash\nbrew install npq\n```\n\n## Usage\n\n### Install packages with npq\n\n```bash\nnpq install express\n```\n\n### Embed in your day to day\n\nSince `npq` is a pre-step to ensure that the npm package you're installing is safe, you can safely embed it in your day-to-day `npm` usage so there's no need to remember to run `npq` explicitly.\n\n```bash\nalias npm='npq-hero'\n```\n\n### Offload to package managers\n\nIf you're using `yarn`, `pnpm`, or generally want to explicitly tell npq which package manager to use you can specify an environment variable: `NPQ_PKG_MGR=\u003cpackage-manager\u003e`\n\nExamples:\n\n**Using yarn 1.x:**\n\n```bash\nalias yarn=\"NPQ_PKG_MGR=yarn npq-hero\"\n```\n\n**Using yarn 4.x:**\n\n```bash\nNPQ_PKG_MGR=yarn yarn run npq-hero\n```\n\nor \n\n```bash\nNPQ_PKG_MGR=yarn yarn exec npq-hero\n```\n\n**Using pnpm:**\n\n```bash\nNPQ_PKG_MGR=pnpm npx npq install fastify\n```\n\n**Using pnpm with alias:**\n\n```bash\nalias 
pnpm=\"NPQ_PKG_MGR=pnpm npq-hero\"\n```\n\nNote: by default `npq` will offload all commands and their arguments to `npm` (or to the package manager specified via `NPQ_PKG_MGR`) after it has finished its due-diligence checks for the respective packages.\n\n## Marshalls\n\n| Marshall Name | Description | Notes\n| --- | --- | ---\n| age | Will show a warning for a package if its age on npm is less than 22 days | Checks the package creation date, not a specific version\n| author | Will show a warning if a package has been found without an author field | Checks the latest version for an author\n| downloads | Will show a warning for a package if its download count in the last month is less than 20\n| readme | Will show a warning if a package has no README or it has been detected as a security placeholder package by npm staff\n| repo | Will show a warning if a package has been found without a valid and working repository URL | Checks the latest version for a repository URL\n| scripts | Will show a warning if a package has a pre/post install script, which could potentially be malicious\n| snyk | Will show a warning if a package has been found with vulnerabilities in Snyk's database | For Snyk to work you need to either have the `snyk` npm package installed with a valid API token, or make the token available in the `SNYK_TOKEN` environment variable, and npq will use it\n| license | Will show a warning if a package has been found without a license field | Checks the latest version for a license\n| expired domains | Will show a warning if a package has been found with one of its maintainers having an email address that includes an expired domain | Checks a dependency version for a maintainer with an expired domain\n| signatures | Will verify the package's registry signature, as recorded in the registry's packument, against the public keys published by the npmjs.com registry\n| provenance | Will verify the package's provenance attestations for the published package\n| version-maturity | Will show a 
warning if the specific version being installed was published less than 7 days ago | Helps identify recently published versions that may not have been reviewed by the community yet\n| newBin | Will show a warning if the package version being installed introduces a new command-line binary (via the `bin` field in `package.json`) that was not present in its previous version. | Helps identify potentially unexpected new executables being added to your `node_modules/.bin/` directory.\n| typosquatting | Will show a warning if the package name is similar to a popular package name, which could indicate a potential typosquatting attack. | Helps identify packages that may be trying to trick users into installing them by mimicking popular package names.\n| deprecation | Will show a warning if the package version is deprecated on npm or if its GitHub repository has been archived. | Helps identify packages that are no longer maintained or recommended for use. Set the `GITHUB_TOKEN` environment variable for higher GitHub API rate limits.\n\n### Disabling Marshalls\n\nTo disable a marshall altogether, set the environment variable named after it: `MARSHALL_DISABLE_` followed by the marshall's short name in upper case (see the table below for the exact names).\n\nFor example, to disable the Snyk vulnerability marshall:\n\n```bash\nMARSHALL_DISABLE_SNYK=1 npq install express\n```\n\n#### Available Marshall Environment Variables\n\nHere are all the available environment variable names for disabling specific marshalls:\n\n| Marshall Name    | Environment Variable                          | Description                                         |\n|------------------|-----------------------------------------------|-----------------------------------------------------|\n| age              | `MARSHALL_DISABLE_AGE`                        | Disable package age checks                          |\n| author           | `MARSHALL_DISABLE_AUTHOR`                     | Disable package author verification                 |\n| downloads        | `MARSHALL_DISABLE_DOWNLOADS`                  | Disable 
download count checks                       |\n| expired domains  | `MARSHALL_DISABLE_MAINTAINERS_EXPIRED_EMAILS` | Disable expired domain checks for maintainer emails |\n| license          | `MARSHALL_DISABLE_LICENSE`                    | Disable license availability checks                 |\n| provenance       | `MARSHALL_DISABLE_PROVENANCE`                 | Disable package provenance verification             |\n| repo             | `MARSHALL_DISABLE_REPO`                       | Disable repository URL validation                   |\n| scripts          | `MARSHALL_DISABLE_SCRIPTS`                    | Disable pre/post install script checks              |\n| signatures       | `MARSHALL_DISABLE_SIGNATURES`                 | Disable registry signature verification             |\n| snyk             | `MARSHALL_DISABLE_SNYK`                       | Disable Snyk vulnerability checks                   |\n| typosquatting    | `MARSHALL_DISABLE_TYPOSQUATTING`              | Disable typosquatting detection                     |\n| version-maturity | `MARSHALL_DISABLE_VERSION_MATURITY`           | Disable version maturity checks                     |\n| newBin           | `MARSHALL_DISABLE_NEWBIN`                     | Disable new binary introduction checks              |\n| deprecation      | `MARSHALL_DISABLE_DEPRECATION`                | Disable deprecation checks                          |\n\n### Run checks on package without installing it\n\n```sh\nnpq install express --dry-run\n```\n\n### Force non-rich text output\n\n```sh\nnpq install express --plain\n```\n\n### Disable auto-continue countdown\n\nBy default, when npq detects only warnings (no errors), it automatically proceeds with installation after a 15-second countdown. 
To disable this behavior and always require explicit confirmation:\n\n**Using the CLI flag:**\n\n```sh\nnpq install express --disable-auto-continue\n```\n\n**Using the environment variable:**\n\n```sh\nexport NPQ_DISABLE_AUTO_CONTINUE=true\nnpq install express\n```\n\nOr set it permanently in your shell profile (`.bashrc`, `.zshrc`, etc.):\n\n```sh\nexport NPQ_DISABLE_AUTO_CONTINUE=true\n```\n\nWhen auto-continue is disabled, npq will always prompt for explicit confirmation before proceeding with installation, even when only warnings are detected.\n\n## Learn Node.js Security\n\n\u003cdiv align=\"center\"\u003e\n\n\u003cp\u003e\n  \u003ca href=\"https://nodejs-security.com\"\u003e\n    \u003cimg alt=\"Node.js Security\" align=\"center\" src=\"https://img.shields.io/badge/%F0%9F%A6%84-Learn%20Node.js%20Security%E2%86%92-gray.svg?colorA=5734F5\u0026colorB=5734F5\u0026style=flat\" /\u003e\n  \u003c/a\u003e\n\u003c/p\u003e\n\n![Screenshot 2024-09-12 at 20 14 27](.github/nodejs-security-screenshot.png)\n\n\u003cp\u003e\n  Learn Node.js Secure Coding techniques and best practices from \u003ca href=\"https://www.lirantal.com\"\u003eLiran Tal\u003c/a\u003e\n\u003c/p\u003e\n\n\u003c/div\u003e\n\n## FAQ\n\n1. **What is the difference between `npq` and `npq-hero`?**\n\n* `npq` is meant to be its own stand-alone CLI, so it has command-line flags like `--dry-run` and others (see `npq --help`). However, when you alias the `npm` CLI to npq you should use `npq-hero` as the alias target (e.g. `alias npm=npq-hero`), because `npq-hero` cannot have command-line flags of its own: they could conflict with the flags of the `npm` executable it passes everything through to.\n\n2. **Can I use NPQ without having npm or yarn?**\n\n* NPQ will audit a package for possible security issues, but it isn't a replacement for npm, yarn or pnpm. When you choose to continue installing the package, it offloads the installation to the package manager you configured (npm by default, or the one set via `NPQ_PKG_MGR`).\n\n3. 
**How is NPQ different from npm audit?**\n\n* `npm install` will install a module even if it has known vulnerabilities; NPQ will display the issues detected and prompt you for confirmation before proceeding with the install.\n* NPQ will run heuristic checks, called [marshalls](https://github.com/lirantal/npq#marshalls), on the characteristics of a module, such as whether the module you are going to install has a `preinstall` script which could potentially harm your system, and prompt you whether to install it. `npm audit` does not perform any such checks; it only consults a vulnerability database for known security issues.\n* `npm audit` is closer in functionality to what Snyk does than to what NPQ does.\n\n4. **Do I require a Snyk API key in order to use NPQ?**\n\n* It's not required. If NPQ cannot detect a Snyk API key for the user running NPQ, it falls back to the osv.dev vulnerability database for the known-vulnerabilities check. We do, however, greatly encourage you to use Snyk, and connect it with NPQ for broader security.\n\n5. **Why is NPQ connecting to external domains like gmail.com or personal websites during installation?**\n\n* This is not telemetry. NPQ does not collect any usage data. When auditing a package, NPQ fetches the maintainers/authors of the dependency and checks their email addresses to verify they are valid and not associated with expired domains. Expired domains can be abused by attackers for account takeover (ATO) attacks to compromise packages with malicious versions. Hence, NPQ may make DNS requests to domains like `gmail.com` or personal domains found in maintainer emails. 
Additionally, NPQ makes HTTP requests to `osv.dev` to fetch security vulnerability data (or uses Snyk if configured, as a prioritized option).\n\n## Contributing\n\nPlease consult the [CONTRIBUTING](CONTRIBUTING.md) for guidelines on contributing to this project\n\n## Author\n\nLiran Tal \u003cliran.tal@gmail.com\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flirantal%2Fnpq","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flirantal%2Fnpq","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flirantal%2Fnpq/lists"}
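The marshall heuristics listed in the README above (age, downloads, license, install scripts, newBin, typosquatting, version-maturity), as an added example that is not part of the npq project's code and does not reproduce its implementation. It runs over a constructed registry document (a packument shaped like the npm registry's per-package response, with made-up data) and a constructed list of popular package names, both embedded so it runs offline; the 22-day, 20-download and 7-day thresholds are the ones the README states, while the edit-distance cutoff of 2 for the typosquatting check is this example's own assumption.

```javascript
// Added example, not npq's code: several of the README's "marshall" heuristics
// re-implemented over a constructed packument. Thresholds (22 days, 20 downloads
// per month, 7 days) come from the README; the edit-distance cutoff is assumed.
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed registry document shaped like the npm registry's /<name> response.
// Version 2.0.0 is freshly published, adds a postinstall script and a new bin.
const FAKE_PACKUMENT = {
  name: 'left-padd',
  time: {
    created: '2024-01-01T00:00:00.000Z',
    '1.0.0': '2024-01-01T00:00:00.000Z',
    '2.0.0': '2024-03-01T00:00:00.000Z',
  },
  versions: {
    '1.0.0': { name: 'left-padd', version: '1.0.0', license: 'MIT', bin: { lp: 'cli.js' } },
    '2.0.0': {
      name: 'left-padd',
      version: '2.0.0',
      license: 'MIT',
      scripts: { postinstall: 'node setup.js' },
      bin: { lp: 'cli.js', 'lp-helper': 'helper.js' },
    },
  },
};

// Constructed list standing in for "popular package names".
const POPULAR_NAMES = ['left-pad', 'lodash', 'express', 'react'];

// Levenshtein distance (single-row DP) used by the typosquatting check.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return row[b.length];
}

// Names a manifest installs into node_modules/.bin; `bin` may be a string or a map.
function binNames(manifest) {
  const bin = manifest.bin;
  if (!bin) return [];
  return typeof bin === 'string' ? [manifest.name] : Object.keys(bin);
}

// Most recently published version that predates `version`, or null for a first release.
function previousVersion(doc, version) {
  const target = Date.parse(doc.time[version]);
  let best = null;
  for (const [v, ts] of Object.entries(doc.time)) {
    if (v === 'created' || v === 'modified' || v === version) continue;
    const t = Date.parse(ts);
    if (t < target && (best === null || t > Date.parse(doc.time[best]))) best = v;
  }
  return best;
}

// Evaluate the heuristics for doc@version. `now` (ms since epoch) and the download
// count are passed in so the result is deterministic and needs no network access.
function auditPackument(doc, version, { now, downloadsLastMonth, popularNames }) {
  const manifest = doc.versions[version];
  if (!manifest) throw new Error(`unknown version ${version}`);
  const warnings = [];
  const warn = (marshall, message) => warnings.push({ marshall, message });
  const ageDays = (now - Date.parse(doc.time.created)) / DAY_MS;
  if (ageDays < 22) warn('age', `package created ${Math.floor(ageDays)} days ago`);
  if (downloadsLastMonth < 20) warn('downloads', `${downloadsLastMonth} downloads in the last month`);
  if (!manifest.license) warn('license', 'no license field');
  // npm runs these lifecycle hooks at install time, so they deserve a look before installing.
  const hooks = ['preinstall', 'install', 'postinstall'].filter((h) => h in (manifest.scripts || {}));
  if (hooks.length) warn('scripts', `install-time scripts: ${hooks.join(', ')}`);
  const prev = previousVersion(doc, version);
  if (prev) {
    const old = new Set(binNames(doc.versions[prev]));
    const added = binNames(manifest).filter((b) => !old.has(b));
    if (added.length) warn('newBin', `new binaries compared to ${prev}: ${added.join(', ')}`);
  }
  // An exact match means this *is* the popular package; only near misses are suspicious.
  if (!popularNames.includes(doc.name)) {
    const near = popularNames.find((p) => levenshtein(doc.name, p) <= 2);
    if (near) warn('typosquatting', `name is within 2 edits of "${near}"`);
  }
  const versionAgeDays = (now - Date.parse(doc.time[version])) / DAY_MS;
  if (versionAgeDays < 7) warn('version-maturity', `${version} published ${Math.floor(versionAgeDays)} days ago`);
  return warnings;
}

console.log(auditPackument(FAKE_PACKUMENT, '2.0.0',
  { now: Date.parse('2024-03-05T00:00:00Z'), downloadsLastMonth: 12, popularNames: POPULAR_NAMES }));
```

Auditing the constructed `left-padd@2.0.0` four days after publication yields warnings from the downloads, scripts, newBin, typosquatting and version-maturity checks, while `1.0.0` audited nine days after the package was created trips only the age and typosquatting checks. The age check deliberately looks at the package creation date rather than the version date, matching the README's note for that marshall; the newBin check depends on finding the previous version by publish time, which is why a first release gets no newBin warning.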