<p align="center"> <br> <img width="200" src="https://github.com/lirantal/npq/raw/main/.github/Logo%20Horizontal.png"> <br> safely* install packages with npm/yarn by auditing them as part of your install process </p>

Media coverage about npq:

About

Once npq is installed, you can safely* install packages:

npq install express

npq will perform the following steps to sanity check that the package is safe by employing syntactic heuristics and querying a CVE database:

If npq is prompted to continue with the install, it simply hands over the actual package install job to the package manager (npm by default).

safely* - there's no guaranteed safety; a malicious or vulnerable package could still exist that has no security vulnerabilities publicly disclosed and passes npq's checks.

Install

npm install -g npq

Note: we recommend installing with npm rather than yarn. That way, npq can automatically install shell aliases for you.

Usage

Install packages with npq:

npq install express

Embed in your day to day

Since npq is a pre-step to ensure that the npm package you're installing is safe, you can safely embed it in your day-to-day npm usage so there's no need to remember to run npq explicitly.

alias npm='npq-hero'

Offload to package managers

If you're using yarn, or generally want to explicitly tell npq which package manager to use, you can specify an environment variable: NPQ_PKG_MGR=yarn

Example: create an alias with yarn as the package manager:

alias yarn="NPQ_PKG_MGR=yarn npq-hero"

Note: by default, npq offloads all commands and their arguments to the npm package manager after it has finished its due diligence for the respective packages.

Marshalls

| Marshall Name | Description | Notes |
| --- | --- | --- |
| age | Will show a warning for a package if its age on npm is less than 22 days | Checks a package creation date, not a specific version |
| author | Will show a warning if a package has been found without an author field | Checks the latest version for an author |
| downloads | Will show a warning for a package if its download count in the last month is less than 20 | |
| readme | Will show a warning if a package has no README or it has been detected as a security placeholder package by npm staff | |
| repo | Will show a warning if a package has been found without a valid and working repository URL | Checks the latest version for a repository URL |
| scripts | Will show a warning if a package has a pre/post install script which could potentially be malicious | |
| snyk | Will show a warning if a package has been found with vulnerabilities in Snyk's database | For Snyk to work you need to either have the snyk npm package installed with a valid API token, or make the token available in the SNYK_TOKEN environment variable, and npq will use it |
| license | Will show a warning if a package has been found without a license field | Checks the latest version for a license |
| expired domains | Will show a warning if a package has been found with one of its maintainers having an email address that includes an expired domain | Checks a dependency version for a maintainer with an expired domain |
| signatures | Will compare the package's signature as it shows on the registry's packument with the keys published on the npmjs.com registry | |
| provenance | Will verify the package's attestations of provenance metadata for the published package | |

Disabling Marshalls

To disable a marshall altogether, set an environment variable named after the marshall's shortname.

Example: to disable the Snyk vulnerability marshall:

MARSHALL_DISABLE_SNYK=1 npq install express

Run checks on package without installing it:

npq install express --dry-run
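To make the marshall table and the MARSHALL_DISABLE_ convention concrete, here is an added example (not npq's own code) that re-implements the age, author, license, repo and scripts marshalls over a constructed packument. It assumes the public npm registry document layout (`time.created`, `dist-tags.latest`, `versions[v].scripts`) and uses the thresholds from the table.

```javascript
// Added example: a minimal re-implementation of five npq marshalls run over a
// constructed packument. Not npq's own code; thresholds come from the README table.
const AGE_DAYS_THRESHOLD = 22;
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Metadata of the version tagged "latest" in the packument.
function latest(pkg) {
  return pkg.versions[pkg['dist-tags'].latest] || {};
}
// Each marshall takes a packument (and the current time) and returns a warning or null.
const marshalls = {
  age(pkg, now) {
    const created = Date.parse(pkg.time && pkg.time.created);
    if (Number.isNaN(created)) return 'age: package has no creation date';
    const days = Math.floor((now - created) / 86400000);
    return days < AGE_DAYS_THRESHOLD ? `age: package is only ${days} days old on npm` : null;
  },
  author(pkg) {
    return latest(pkg).author ? null : 'author: latest version has no author field';
  },
  license(pkg) {
    return latest(pkg).license ? null : 'license: latest version has no license field';
  },
  repo(pkg) {
    const repo = latest(pkg).repository;
    const url = typeof repo === 'string' ? repo : repo && repo.url;
    return url && /^(git\+)?https?:\/\//.test(url) ? null : 'repo: no valid repository URL';
  },
  scripts(pkg) {
    const hooks = INSTALL_HOOKS.filter((h) => h in (latest(pkg).scripts || {}));
    return hooks.length ? `scripts: install-time hooks present (${hooks.join(', ')})` : null;
  },
};

// Run every marshall that is not disabled via MARSHALL_DISABLE_<SHORTNAME>.
function runMarshalls(pkg, { now = Date.now(), env = process.env } = {}) {
  return Object.keys(marshalls)
    .filter((name) => !env[`MARSHALL_DISABLE_${name.toUpperCase()}`])
    .map((name) => marshalls[name](pkg, now))
    .filter(Boolean);
}

// Constructed packument (not a real package): fresh, no author/repo, has a postinstall hook.
const samplePackument = {
  name: 'example-pkg',
  'dist-tags': { latest: '1.0.0' },
  time: { created: '2024-09-01T00:00:00.000Z' },
  versions: { '1.0.0': { license: 'MIT', scripts: { postinstall: 'node setup.js' } } },
};
```

Calling `runMarshalls(samplePackument)` returns the list of warnings a user would be prompted with before the install is handed to the package manager.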

Learn Node.js Security

<div align="center"> <p> <a href="https://nodejs-security.com"> <img alt="Node.js Security" align="center" src="https://img.shields.io/badge/%F0%9F%A6%84-Learn%20Node.js%20Security%E2%86%92-gray.svg?colorA=5734F5&colorB=5734F5&style=flat" /> </a> </p>


<p> Learn Node.js Secure Coding techniques and best practices from <a href="https://www.lirantal.com">Liran Tal</a> </p> </div>

FAQ

  1. Can I use NPQ without having npm or yarn?
  2. How is NPQ different from npm audit?
  3. Do I require a Snyk API key in order to use NPQ?

Contributing

Please consult the CONTRIBUTING guide for guidelines on contributing to this project.

Author

Liran Tal liran.tal@gmail.com