|Project Name||Stars||Downloads||Repos Using This||Packages Using This||Most Recent Commit||Total Releases||Latest Release||Open Issues||License||Language|
|Laravel||72,987||1,106||1,206||2 days ago||152||July 19, 2022||32||PHP|
|Laravel is a web application framework with expressive, elegant syntax. We’ve already laid the foundation for your next big idea — freeing you to create without sweating the small things.|
|Payloadsallthethings||46,538||2 days ago||15||mit||Python|
|A list of useful payloads and bypass for Web Application Security and Pentest/CTF|
|Framework||29,231||116,342||10,768||4 hours ago||840||September 22, 2022||30||mit||PHP|
|The Laravel Framework.|
|Trivy||16,762||25||5 hours ago||176||September 16, 2022||373||apache-2.0||Go|
|Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more|
|Apktool||15,957||5 days ago||3||February 26, 2022||91||apache-2.0||Java|
|A tool for reverse engineering Android apk files|
|Authelia||15,941||1||7 hours ago||34||September 19, 2022||109||apache-2.0||Go|
|The Single Sign-On Multi-Factor portal for web apps|
|Flarum||13,802||1||20 days ago||19||July 13, 2022||mit||PHP|
|Simple forum software for building great communities.|
|Hacker101||12,804||2 months ago||25||other||SCSS|
|Source code for Hacker101.com - a free online web and mobile security class.|
|Nats Server||12,532||1,090||2 hours ago||417||September 22, 2022||257||apache-2.0||Go|
|High-Performance server for NATS.io, the cloud and edge native messaging system.|
|Pytest||9,968||65,292||18,299||3 days ago||155||April 23, 2022||861||mit||Python|
|The pytest framework makes it easy to write small tests, yet scales to support complex functional testing|
safely* install packages with npm/yarn by auditing them as part of your install process
Once npq is installed, you can safely* install packages:

```shell
npq install express
```
npq will perform the following steps to sanity check that the package is safe by employing syntactic heuristics and querying a CVE database:
If npq is prompted to continue with the install, it simply hands over the actual package install job to the package manager (npm by default).
safely* - there's no guaranteed safety; a malicious or vulnerable package could still exist that has no security vulnerabilities publicly disclosed and passes npq's checks.
```shell
npm install -g npq
```

Note: we recommend installing with npm rather than yarn. That way, npq can automatically install shell aliases for you.
```shell
npq install express
```

Because npq is a pre-step that ensures the npm package you're installing is safe, you can safely embed it in your day-to-day npm usage so there's no need to remember to run
If you're using yarn, or generally want to explicitly tell npq which package manager to use, you can specify an environment variable. Example: create an alias with yarn as the package manager:

```shell
alias yarn="NPQ_PKG_MGR=yarn npq-hero"
```
By default, npq offloads all commands and their arguments to the npm package manager after it has finished its due diligence for the respective packages.
|Marshall|Description|Notes|
|---|---|---|
|age|Will show a warning for a package if its age on npm is less than 22 days|Checks the package creation date, not a specific version|
|author|Will show a warning if a package has been found without an author field|Checks the latest version for an author|
|downloads|Will show a warning for a package if its download count in the last month is less than 20||
|readme|Will show a warning if a package has no README or it has been detected as a security placeholder package by npm staff||
|repo|Will show a warning if a package has been found without a valid and working repository URL|Checks the latest version for a repository URL|
|scripts|Will show a warning if a package has a pre/post install script which could potentially be malicious||
|snyk|Will show a warning if a package has been found with vulnerabilities in Snyk's database|For Snyk to work you need to either have the|
|license|Will show a warning if a package has been found without a license field|Checks the latest version for a license|
|expired domains|Will show a warning if a package has been found with one of its maintainers having an email address that includes an expired domain|Checks a dependency version for a maintainer with an expired domain|
To disable a marshall altogether, set an environment variable named with the marshall's shortname. Example, to disable the Snyk vulnerability marshall:

```shell
MARSHALL_DISABLE_SNYK=1 npq install express
```

```shell
npq install express --dry-run
```
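To make the marshall table and the `MARSHALL_DISABLE_*` mechanism concrete, here is an added example that is not npq's own code: a small JavaScript implementation of the same nine heuristics run over constructed package metadata. The metadata shape (`created`, `latest`, `downloadsLastMonth`, `knownVulnerabilities`), the `EXPIRED_DOMAINS` set standing in for a real expired-domain lookup, the wording matched for npm's placeholder README, and the `MARSHALL_DISABLE_EXPIRED_DOMAINS` name derived for the "expired domains" marshall are all assumptions made for this illustration; the function names `runMarshalls` and `disableVar` are likewise hypothetical.

```javascript
// Added illustration of npq-style "marshall" heuristics; this is not npq's own code.
// Each marshall inspects package metadata and returns a warning string or null.
// The metadata shape is a constructed stand-in for the registry data npq fetches.
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed stand-in for a real expired-domain lookup (assumption of this example).
const EXPIRED_DOMAINS = new Set(['expired-example.test']);

const MARSHALLS = [
  {
    name: 'age', // checks the package creation date, not a specific version
    check: (pkg, ctx) => {
      const ageDays = Math.floor((ctx.now - Date.parse(pkg.created)) / DAY_MS);
      return ageDays < 22 ? `package was created only ${ageDays} days ago (< 22)` : null;
    },
  },
  { name: 'author', check: (pkg) => (pkg.latest.author ? null : 'latest version has no author field') },
  {
    name: 'downloads',
    check: (pkg) => (pkg.downloadsLastMonth < 20
      ? `only ${pkg.downloadsLastMonth} downloads in the last month (< 20)` : null),
  },
  {
    name: 'readme',
    check: (pkg) => {
      const readme = (pkg.latest.readme || '').trim();
      if (!readme) return 'package has no README';
      // Matching the placeholder wording this way is an assumption of this example.
      return /security holding package/i.test(readme)
        ? 'README marks this as an npm security placeholder package' : null;
    },
  },
  {
    name: 'repo', // syntactic check only; "working" would need a network request
    check: (pkg) => {
      const url = pkg.latest.repository && pkg.latest.repository.url;
      if (!url) return 'latest version has no repository URL';
      return /^(git\+)?https?:\/\/\S+$/.test(url) ? null : `repository URL is not an http(s) URL: ${url}`;
    },
  },
  {
    name: 'scripts',
    check: (pkg) => {
      const scripts = pkg.latest.scripts || {};
      const hooks = ['preinstall', 'install', 'postinstall'].filter((s) => scripts[s]);
      return hooks.length ? `package runs install-time scripts: ${hooks.join(', ')}` : null;
    },
  },
  { // stand-in for a vulnerability database query; the count is supplied in the sample
    name: 'snyk',
    check: (pkg) => (pkg.knownVulnerabilities > 0 ? `${pkg.knownVulnerabilities} known vulnerabilities` : null),
  },
  { name: 'license', check: (pkg) => (pkg.latest.license ? null : 'latest version has no license field') },
  {
    name: 'expired domains',
    check: (pkg) => {
      const hits = (pkg.latest.maintainers || [])
        .filter((m) => EXPIRED_DOMAINS.has(String(m.email).split('@')[1]));
      return hits.length
        ? `maintainer email on an expired domain: ${hits.map((m) => m.email).join(', ')}` : null;
    },
  },
];

// MARSHALL_DISABLE_<SHORTNAME> disables a marshall, e.g. MARSHALL_DISABLE_SNYK=1.
// Deriving EXPIRED_DOMAINS from "expired domains" is an assumption of this example.
function disableVar(name) {
  return `MARSHALL_DISABLE_${name.toUpperCase().replace(/\s+/g, '_')}`;
}

// Run every enabled marshall and collect warnings; an empty array means "looks clean".
function runMarshalls(pkg, { now = Date.now(), env = process.env } = {}) {
  const warnings = [];
  for (const m of MARSHALLS) {
    if (env[disableVar(m.name)]) continue; // disabled by the user
    const message = m.check(pkg, { now });
    if (message) warnings.push({ marshall: m.name, message });
  }
  return warnings;
}

// Constructed sample metadata, chosen so that several marshalls fire.
const SAMPLE_NOW = Date.parse('2022-09-20T00:00:00Z');
const SAMPLE_PACKAGE = {
  name: 'example-pkg', created: '2022-09-10T00:00:00Z',
  downloadsLastMonth: 5, knownVulnerabilities: 0,
  latest: {
    version: '1.0.0', license: 'MIT',
    repository: { url: 'git+https://github.com/example/example-pkg.git' },
    scripts: { preinstall: 'node setup.js' },
    readme: '',
    maintainers: [{ name: 'alice', email: 'alice@expired-example.test' }],
  },
};

for (const w of runMarshalls(SAMPLE_PACKAGE, { now: SAMPLE_NOW, env: {} })) {
  console.log(`[${w.marshall}] ${w.message}`);
}
```

Run against the constructed sample, six marshalls fire (age, author, downloads, readme, scripts, expired domains); setting `MARSHALL_DISABLE_AGE=1` or `MARSHALL_DISABLE_EXPIRED_DOMAINS=1` in the environment removes the corresponding warning, which is the behaviour the disable example above relies on. The `repo` and `snyk` checks are deliberately offline stand-ins: a real implementation would fetch the repository URL and query the vulnerability database.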
An example of using lockfile-lint with a .travis.yml configuration as part of your build:

```yaml
language: node_js
before_script:
  - npx lockfile-lint --path package-lock.json --validate-https --allowed-hosts npm
install:
  - yarn install
script:
  - yarn run test
```
npm install will install a module even if it has vulnerabilities; NPQ will display the issues detected and prompt the user for confirmation on whether to proceed with installing it.
pre-install script which can be potentially harmful for your system and prompt you whether to install it. Whereas npm audit will not perform any such checks, and only consults a vulnerability database for known security issues.
npm audit is closer in functionality to what Snyk does, rather than what NPQ does.
Please consult the CONTRIBUTING guidelines on contributing to this project.
Liran Tal