
inx-npq

v1.0.1


marshall your npm/yarn package installs with high quality and class 🎖 - IntegrityNext enhanced fork with Snyk EU support

Readme

Note: This is an IntegrityNext enhanced fork of npq with additional features including:

  • Enhanced Snyk EU API support
  • Improved error handling and reporting
  • Better authentication debugging


npq


About

Once npq is installed, you can safely* install packages:

npq install express

npq will perform the following steps to sanity check that the package is safe by employing syntactic heuristics and querying a CVE database:

  • Consult the snyk.io database of publicly disclosed vulnerabilities to check if a security vulnerability exists for this package and its version.
  • Package age on npm
  • Package download count as a popularity metric
  • Package has a README file
  • Package has a LICENSE file
  • Package has pre/post install scripts

If npq is prompted to continue with the install, it simply hands over the actual package install job to the package manager (npm by default).

safely* - there's no guaranteed safety; a malicious or vulnerable package could still exist that has no security vulnerabilities publicly disclosed and passes npq's checks.

Install

npm install -g inx-npq

Setting up aliases (recommended)

To use npq seamlessly with your existing npm/yarn workflows, add these aliases to your shell configuration file (~/.zshrc, ~/.bashrc, etc.):

# For npm
alias npm="NPQ_PKG_MGR=npm npq-hero"

# For yarn
alias yarn="NPQ_PKG_MGR=yarn npq-hero"

# For pnpm
alias pnpm="NPQ_PKG_MGR=pnpm npq-hero"

Then reload your shell:

source ~/.zshrc  # or ~/.bashrc

Configuring Snyk EU Support

If you're using Snyk EU, set these environment variables in your shell configuration:

export SNYK_TOKEN="your-snyk-token"
export SNYK_API_URL="https://api.eu.snyk.io/v1/vuln/npm"
export SNYK_TEST_URL="https://api.eu.snyk.io/v1/test/npm"
export SNYK_PACKAGE_PAGE="https://eu.snyk.io/vuln/npm:"

Usage

Install packages with npq:

npq install express

Embed in your day to day

Since npq is a pre-step to ensure that the npm package you're installing is safe, you can safely embed it in your day-to-day npm usage so there's no need to remember to run npq explicitly.

alias npm='npq-hero'

Offload to package managers

If you're using yarn, or generally want to tell npq explicitly which package manager to use, you can specify an environment variable: NPQ_PKG_MGR=yarn

Example: create an alias with yarn as the package manager:

alias yarn="NPQ_PKG_MGR=yarn npq-hero"

Note: by default, npq offloads all commands and their arguments to the npm package manager after it has finished its due diligence for the respective packages.

Marshalls

| Marshall Name | Description | Notes |
| ------------- | ----------- | ----- |
| age | Will show a warning for a package if its age on npm is less than 22 days | Checks a package creation date, not a specific version |
| downloads | Will show a warning for a package if its download count in the last month is less than 20 | |
| readme | Will show a warning if a package has no README or it has been detected as a security placeholder package by npm staff | |
| scripts | Will show a warning if a package has a pre/post install script which could potentially be malicious | |
| snyk | Will show a warning if a package has been found with vulnerabilities in snyk's database | For snyk to work you need to either have the snyk npm package installed with a valid api token, or make the token available in the SNYK_TOKEN environment variable, and npq will use it |
| license | Will show a warning if a package has been found without a license field | Checks the latest version for a license |

Disabling Marshalls

To disable a marshall altogether, set an environment variable using the marshall's shortname.

Example, to disable snyk:

MARSHALL_DISABLE_SNYK=1 npq install express
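
The offline marshalls from the table above (age, downloads, readme, scripts, license) and the MARSHALL_DISABLE_<SHORTNAME> switch, sketched as an added example; this is not npq's own source. The metadata shape, the `downloadsLastMonth` field, the placeholder-README marker text and the function names are assumptions made for the illustration, and the snyk marshall is left out because it needs a network call.

```javascript
// Added illustration, not npq's source. Thresholds come from the marshalls table.
const MIN_AGE_DAYS = 22;
const MIN_MONTHLY_DOWNLOADS = 20;
const DAY_MS = 24 * 60 * 60 * 1000;

const latest = (pkg) => pkg.versions[pkg['dist-tags'].latest];

// Each check returns a warning string, or null when the package passes.
const marshalls = {
  age: (pkg, now) => {
    const days = Math.floor((now - Date.parse(pkg.time.created)) / DAY_MS);
    return days < MIN_AGE_DAYS ? `package is only ${days} days old` : null;
  },
  downloads: (pkg) =>
    pkg.downloadsLastMonth < MIN_MONTHLY_DOWNLOADS
      ? `only ${pkg.downloadsLastMonth} downloads last month` : null,
  readme: (pkg) => {
    if (!pkg.readme || !pkg.readme.trim()) return 'no README';
    // Assumed marker text for npm's security placeholder packages.
    return /security holding package/i.test(pkg.readme)
      ? 'security placeholder package' : null;
  },
  scripts: (pkg) => {
    const scripts = latest(pkg).scripts || {};
    const hooks = ['preinstall', 'postinstall'].filter((h) => h in scripts);
    return hooks.length ? `install scripts: ${hooks.join(', ')}` : null;
  },
  license: (pkg) => (latest(pkg).license ? null : 'no license field'),
};

// Run every marshall that is not disabled via MARSHALL_DISABLE_<SHORTNAME> in `env`.
function runMarshalls(pkg, env = process.env, now = Date.now()) {
  const warnings = {};
  for (const [name, check] of Object.entries(marshalls)) {
    if (env[`MARSHALL_DISABLE_${name.toUpperCase()}`]) continue;
    const warning = check(pkg, now);
    if (warning) warnings[name] = warning;
  }
  return warnings;
}

// Constructed sample metadata (registry-packument-like), not a real package.
const samplePkg = {
  'dist-tags': { latest: '0.0.1' },
  time: { created: '2024-01-01T00:00:00.000Z' },
  downloadsLastMonth: 3,
  readme: '# example\nA constructed package.',
  versions: { '0.0.1': { scripts: { postinstall: 'node setup.js' } } },
};
```

Calling `runMarshalls(samplePkg, {}, Date.parse('2024-01-11T00:00:00.000Z'))` flags age, downloads, scripts and license; passing `{ MARSHALL_DISABLE_SCRIPTS: '1' }` as the environment drops the scripts warning.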

Using with TravisCI

An example of using lockfile-lint with a .travis.yml configuration as part of your build:

language: node_js
before_script:
  - npx lockfile-lint --path package-lock.json --validate-https --allowed-hosts npm
install:
  - yarn install
script:
  - yarn run test

FAQ

  1. Can I use NPQ without having npm or yarn?
     • NPQ will audit a package for possible security issues, but it isn't a replacement for npm or yarn. When you choose to continue installing the package, it will offload the installation process to your choice of either npm or yarn.
  2. How is NPQ different from npm audit?
     • npm install will install a module even if it has vulnerabilities; NPQ will display the issues detected, and prompt the user for confirmation on whether to proceed installing it.
     • NPQ will run synthetic checks, called marshalls, on the characteristics of a module, such as whether the module you are going to install has a pre-install script which can be potentially harmful for your system, and prompt you whether to install it. npm audit, by contrast, will not perform any such checks, and only consults a vulnerability database for known security issues.
     • npm audit is closer in functionality to what snyk does, rather than what NPQ does.
  3. Do I require a snyk API key in order to use NPQ?
     • It's not required. If NPQ is unable to detect a snyk API key for the user running NPQ, then it will skip the database vulnerabilities check. We do, however, greatly encourage you to use snyk, and connect it with NPQ for broader security.

Contributing

Please consult the Contributor-Agreement for guidelines on contributing to this project.