jackingpanda/npq (forked from lirantal/npq)

Latest commit: 10bc3b2, May 20, 2018
npq


marshall your npm/yarn package installs with high quality and class


With npq, you can safely* install npm packages for your project.

(demo animation: npq-demo-3-final)

About

Once npq is installed, you can safely* install packages:

npq install express

npq performs the following checks to sanity-check that the package is safe, using syntactic heuristics on the package's registry metadata and a query to a vulnerability database:

  • Consult the snyk.io database of publicly disclosed vulnerabilities to check whether a vulnerability exists for this package and version.
  • Package age on npm
  • Package download count, as a popularity metric
  • Whether the package has a README file
  • Whether the package has pre/post install scripts

If you confirm the prompt to continue with the install, npq simply hands the actual package install job over to the package manager (npm by default).

safely* - there is no guaranteed safety: a malicious or vulnerable package could still exist that has no published disclosure and passes all of npq's checks.

Install

npm install -g npq

Usage

Install packages with npq:

npq install express

Embed in your day to day

Since npq is a pre-step that checks the npm package you're installing before the install happens, you can embed it in your day-to-day npm usage so there's no need to remember to run npq explicitly:

alias npm='npq-hero'

Offload to package managers

If you're using yarn, or generally want to tell npq explicitly which package manager to use, set the NPQ_PKG_MGR environment variable, for example NPQ_PKG_MGR=yarn.

Example: create an alias with yarn as the package manager:

alias yarn="NPQ_PKG_MGR=yarn npq-hero"

Note: by default npq offloads all commands and their arguments to the npm package manager after it has finished its due diligence for the respective packages.

Marshalls

Marshall: Description (Notes)

age: Shows a warning for a package if its age on npm is less than 22 days. (Note: checks the package's creation date, not that of the specific version.)
downloads: Shows a warning for a package if its download count in the last month is less than 20.
readme: Shows a warning if a package has no README, or if it has been detected as a security placeholder package by npm staff.
scripts: Shows a warning if a package has a pre/post install script, which could potentially be malicious.
snyk: Shows a warning if a package has been found with vulnerabilities in snyk's database. (Note: for snyk to work you need either the snyk npm package installed with a valid API token, or the token available in the SNYK_TOKEN environment variable, which npq will use.)

Disabling Marshalls

To disable a marshall altogether, set an environment variable named MARSHALL_DISABLE_ followed by the marshall's short name in upper case.

Example, to disable snyk:

MARSHALL_DISABLE_SNYK=1 npq install express
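As an added illustration of how the marshalls table and the MARSHALL_DISABLE_ mechanism above fit together (this is example code written for this page, not npq's own implementation), the script below re-implements the age, downloads, readme and scripts marshalls against npm registry-style package metadata and skips any marshall whose MARSHALL_DISABLE_<NAME> variable is set. The snyk marshall is left out because it needs a network call and an API token. The metadata objects are constructed samples, the function names (runMarshalls and the per-marshall functions) are the example's own, and the "Security holding package" string is assumed here as the README title npm gives its placeholder packages.

```javascript
// Example code (not npq's own): re-implements four npq marshalls over
// registry-style package metadata and honours MARSHALL_DISABLE_<NAME>.

const DAY_MS = 24 * 60 * 60 * 1000;

// Thresholds as documented in the marshalls table.
const MIN_AGE_DAYS = 22;
const MIN_MONTHLY_DOWNLOADS = 20;

// Assumed README title npm uses for placeholder packages it took over.
const PLACEHOLDER_RE = /security holding package/i;

// Each marshall receives the package document (`pkg`: name, time.created,
// readme, versions[<ver>].scripts, mirroring registry fields) and a context
// (`ctx`: now, version, downloadsLastMonth) and returns a warning or null.
const marshalls = {
  age(pkg, ctx) {
    // Package creation date, not the date of the requested version.
    const created = Date.parse(pkg.time && pkg.time.created);
    if (Number.isNaN(created)) return `age: no creation date for ${pkg.name}`;
    const ageDays = (ctx.now - created) / DAY_MS;
    return ageDays < MIN_AGE_DAYS
      ? `age: ${pkg.name} was created ${Math.floor(ageDays)} days ago (< ${MIN_AGE_DAYS})`
      : null;
  },
  downloads(pkg, ctx) {
    return ctx.downloadsLastMonth < MIN_MONTHLY_DOWNLOADS
      ? `downloads: ${pkg.name} had ${ctx.downloadsLastMonth} downloads last month (< ${MIN_MONTHLY_DOWNLOADS})`
      : null;
  },
  readme(pkg) {
    const readme = (pkg.readme || '').trim();
    if (!readme) return `readme: ${pkg.name} has no README`;
    if (PLACEHOLDER_RE.test(readme)) return `readme: ${pkg.name} looks like a security placeholder package`;
    return null;
  },
  scripts(pkg, ctx) {
    const ver = pkg.versions && pkg.versions[ctx.version];
    const scripts = (ver && ver.scripts) || {};
    // npm runs all three of these automatically on install.
    const hooks = ['preinstall', 'install', 'postinstall'].filter((h) => h in scripts);
    return hooks.length
      ? `scripts: ${pkg.name}@${ctx.version} runs install hooks: ${hooks.join(', ')}`
      : null;
  },
};

// Runs every marshall not disabled via MARSHALL_DISABLE_<NAME> in `env`
// (e.g. MARSHALL_DISABLE_SCRIPTS=1) and returns the list of warnings.
function runMarshalls(pkg, ctx, env = process.env) {
  const warnings = [];
  for (const [name, check] of Object.entries(marshalls)) {
    if (env[`MARSHALL_DISABLE_${name.toUpperCase()}`]) continue;
    const warning = check(pkg, ctx);
    if (warning) warnings.push(warning);
  }
  return warnings;
}

// Constructed sample metadata (not real registry data).
const suspiciousPkg = {
  name: 'example-suspicious-pkg',
  time: { created: '2018-05-13T00:00:00.000Z' },
  readme: '',
  versions: { '1.0.0': { scripts: { postinstall: 'node ./setup.js' } } },
};

const healthyPkg = {
  name: 'example-healthy-pkg',
  time: { created: '2016-01-01T00:00:00.000Z' },
  readme: '# example-healthy-pkg\nDoes something useful.',
  versions: { '4.16.3': { scripts: { test: 'mocha' } } },
};

// Fixed "now" so the age check is reproducible.
const NOW = Date.parse('2018-05-20T00:00:00.000Z');

console.log(runMarshalls(suspiciousPkg, { now: NOW, version: '1.0.0', downloadsLastMonth: 3 }, {}));
console.log(runMarshalls(healthyPkg, { now: NOW, version: '4.16.3', downloadsLastMonth: 50000 }, {}));
console.log(runMarshalls(suspiciousPkg, { now: NOW, version: '1.0.0', downloadsLastMonth: 3 },
  { MARSHALL_DISABLE_SCRIPTS: '1' }));
```

The first call reports all four warnings for the week-old, rarely downloaded package with a postinstall hook and no README; the second reports none; the third shows the scripts warning dropped once MARSHALL_DISABLE_SCRIPTS is set, exactly the behaviour the example above documents for MARSHALL_DISABLE_SNYK.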

Contributing

Please consult the CONTRIBUTING guide for guidelines on contributing to this project.

Author

Liran Tal [email protected]
