safely* install packages with npm or yarn by auditing them as part of your install process
Once npq is installed, you can safely* install packages:

npq install express

npq will perform the following steps to sanity check that the package is safe, employing syntactic heuristics and querying a CVE database:

  • Consults the database of publicly disclosed vulnerabilities to check whether a security vulnerability exists for this package and its version.
  • Checks the package's age on npm.
  • Checks the package's download count as a popularity metric.
  • Checks that the package has a README file.
  • Checks that the package has a LICENSE file.
  • Checks whether the package has pre/post install scripts.

If you confirm at npq's prompt to continue with the install, it simply hands over the actual package install job to the package manager (npm by default).

safely* - there's no guaranteed safety; a malicious or vulnerable package could still exist that has no security vulnerabilities publicly disclosed and passes npq's checks.


npm install -g npq

Note: we recommend installing with npm rather than yarn. That way, npq can automatically install shell aliases for you.


Install packages with npq:

npq install express

Embed in your day to day

Since npq is a pre-step to ensure that the npm package you're installing is safe, you can safely embed it in your day-to-day npm usage so there's no need to remember to run npq explicitly.

alias npm='npq-hero'

Offload to package managers

If you're using yarn, or generally want to explicitly tell npq which package manager to use, you can specify an environment variable: NPQ_PKG_MGR=yarn

Example: create an alias with yarn as the package manager:

alias yarn="NPQ_PKG_MGR=yarn npq-hero"

Note: by default, npq offloads all commands and their arguments to the npm package manager after it has finished its due diligence on the respective packages.


| Marshall name | Description | Notes |
|---|---|---|
| age | Will show a warning for a package if its age on npm is less than 22 days | Checks a package creation date, not a specific version |
| author | Will show a warning if a package has been found without an author field | Checks the latest version for an author |
| downloads | Will show a warning for a package if its download count in the last month is less than 20 | |
| readme | Will show a warning if a package has no README or it has been detected as a security placeholder package by npm staff | |
| repo | Will show a warning if a package has been found without a valid and working repository URL | Checks the latest version for a repository URL |
| scripts | Will show a warning if a package has a pre/post install script which could potentially be malicious | |
| snyk | Will show a warning if a package has been found with vulnerabilities in Snyk's database | For Snyk to work you need to either have the snyk npm package installed with a valid API token, or make the token available in the SNYK_TOKEN environment variable, and npq will use it |
| license | Will show a warning if a package has been found without a license field | Checks the latest version for a license |
| expired domains | Will show a warning if a package has been found with one of its maintainers having an email address that includes an expired domain | Checks a dependency version for a maintainer with an expired domain |
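The install-time steps and the marshall table above describe the same heuristic checks; the following is an added example (not npq's own code) that re-implements the offline-checkable marshalls with the thresholds stated in the table and runs them over a constructed package manifest. The `createdAt`, `monthlyDownloads` and `readme` fields are assumed to have been fetched from the registry beforehand, and the "security holding package" README phrase is an assumed marker for npm's placeholder packages.

```javascript
// Added example, not part of npq. Thresholds follow the marshall table:
// age < 22 days and < 20 downloads last month produce warnings.
const MS_PER_DAY = 24 * 60 * 60 * 1000;
const MIN_AGE_DAYS = 22;
const MIN_MONTHLY_DOWNLOADS = 20;
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// pkg: latest-version manifest plus assumed registry metadata
//      (createdAt, monthlyDownloads, readme).
// now: injected Date so the age check is deterministic.
// disabled: marshall short names to skip, mirroring MARSHALL_DISABLE_<NAME>.
function runMarshalls(pkg, now, disabled = new Set()) {
  const warnings = [];
  const warn = (marshall, msg) => { if (!disabled.has(marshall)) warnings.push({ marshall, msg }); };

  const ageDays = (now - new Date(pkg.createdAt)) / MS_PER_DAY;
  if (ageDays < MIN_AGE_DAYS) warn('age', `package is only ${Math.floor(ageDays)} days old on npm`);
  if (!pkg.author) warn('author', 'no author field in the latest version');
  if (pkg.monthlyDownloads < MIN_MONTHLY_DOWNLOADS) warn('downloads', `only ${pkg.monthlyDownloads} downloads last month`);
  // Assumed marker text for npm's security placeholder packages.
  if (!pkg.readme || /security holding package/i.test(pkg.readme)) warn('readme', 'README missing or security placeholder');
  const repoUrl = (pkg.repository && pkg.repository.url) || '';
  if (!/^(git\+)?(https?|git|ssh):\/\//.test(repoUrl)) warn('repo', 'no valid repository URL');
  const hooks = INSTALL_HOOKS.filter((h) => pkg.scripts && pkg.scripts[h]);
  if (hooks.length) warn('scripts', `has install hooks that run arbitrary code: ${hooks.join(', ')}`);
  if (!pkg.license) warn('license', 'no license field in the latest version');
  return warnings;
}

function marshallNames(pkg, now, disabled) {
  return runMarshalls(pkg, now, disabled).map((w) => w.marshall);
}

// Constructed samples: a fresh, unpopular package with a postinstall hook,
// and a long-lived, well-formed one.
const NOW = new Date('2022-09-22T00:00:00Z');
const SUSPICIOUS = {
  name: 'example-utils', version: '1.0.0', createdAt: '2022-09-10T00:00:00Z',
  monthlyDownloads: 3, readme: '', repository: { url: 'not a url' },
  scripts: { postinstall: 'node setup.js' },
};
const CLEAN = {
  name: 'example-lib', version: '4.2.0', createdAt: '2015-01-01T00:00:00Z',
  monthlyDownloads: 1000000, author: 'Example Maintainer', license: 'MIT',
  readme: '# example-lib', repository: { url: 'git+https://github.com/example/example-lib.git' },
  scripts: { test: 'mocha' },
};

for (const w of runMarshalls(SUSPICIOUS, NOW)) console.log(`[${w.marshall}] ${w.msg}`);
```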

Disabling Marshalls

To disable a marshall altogether, set an environment variable of the form MARSHALL_DISABLE_<NAME>, using the marshall's short name.

Example: to disable the Snyk vulnerability marshall:

MARSHALL_DISABLE_SNYK=1 npq install express

Run checks on package without installing it:

npq install express --dry-run

Using with TravisCI

An example of using lockfile-lint with a .travis.yml configuration as part of your build:

language: node_js
# The section keys were lost in this copy of the README; before_install,
# install and script are assumed placements, with the lint step running first.
before_install:
  - npx lockfile-lint --path package-lock.json --validate-https --allowed-hosts npm
install:
  - yarn install
script:
  - yarn run test


  1. Can I use NPQ without having npm or yarn?
  • NPQ will audit a package for possible security issues, but it isn't a replacement for npm or yarn. When you choose to continue installing the package, it will offload the installation process to your choice of either npm or yarn.
  2. How is NPQ different from npm audit?
  • npm install will install a module even if it has vulnerabilities; NPQ will display the issues detected and prompt the user for confirmation on whether to proceed with installing it.
  • NPQ will run synthetic checks, called marshalls, on the characteristics of a module, such as whether the module you are going to install has a pre-install script which can be potentially harmful for your system, and prompt you whether to install it. npm audit does not perform any such checks; it only consults a vulnerability database for known security issues.
  • npm audit is closer in functionality to what Snyk does, rather than what NPQ does.
  3. Do I require a Snyk API key in order to use NPQ?
  • It's not required. If NPQ is unable to detect a Snyk API key for the user running NPQ, then it will skip the database vulnerabilities check. We do, however, greatly encourage you to use Snyk, and connect it with NPQ for broader security.


Please consult the CONTRIBUTING document for guidelines on contributing to this project.


Liran Tal
