npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

Iโ€™ve always been into building performant and accessible sites, but lately Iโ€™ve been taking it extremely seriously. So much so that Iโ€™ve been building a tool to help me optimize and monitor the sites that I build to make sure that Iโ€™m making an attempt to offer the best experience to those who visit them. If youโ€™re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, ๐Ÿ‘‹, Iโ€™m Ryan Hefnerย  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If youโ€™re interested in other things Iโ€™m working on, follow me on Twitter or check out the open source projects Iโ€™ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soonโ€“ish.

Open Software & Tools

This site wouldnโ€™t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you ๐Ÿ™

ยฉ 2025 โ€“ย Pkg Stats / Ryan Hefner

npq

v3.15.4

Published

marshall your npm/npm package installs with high quality and class ๐ŸŽ–

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

lirantallirantallirantal_botlirantal_bot

Keywords

Readme

npq allows you to audit npm packages before you install them

npm license codecov CI Known Vulnerabilities Security Responsible Disclosure

npq demo screenshot

Media coverage about npq:

About

Once npq is installed, you can safely* install packages:

npq install express

npq will perform the following steps to sanity check that the package is safe by employing syntactic heuristics and querying a CVE database:

  • Consult the snyk.io database of publicly disclosed vulnerabilities to check if a security vulnerability exists for this package and its version.
  • Package age on npm
  • Package download count as a popularity metric
  • Package has a README file
  • Package has a LICENSE file
  • Package has pre/post install scripts

IMPORTANT: npq by default uses an auto-continue mode when warnings are detected (no errors), waiting 15 seconds before proceeding with the installation. You can disable this behavior via the --disable-auto-continue CLI flag or the NPQ_DISABLE_AUTO_CONTINUE=true environment variable to enforce a strict review and security hardened installs. See the auto-continue documentation for more details.

When npq completes its signal checks it hands over the actual package install job to the package manager (npm by default, or as specified via the NPQ_PKG_MGR environment variable).

DISCLAIMER: there's no guaranteed absolute safety; a malicious or vulnerable package could still exist that has no security vulnerabilities publicly disclosed and passes npq's checks.

Demo

https://github.com/user-attachments/assets/619ab3f6-aa3f-483c-9560-0f18e033e6bf

Install

npm install -g npq

Note: we recommend installing with npm rather than yarn. That way, npq can automatically install shell aliases for you.

You can also install npq via Homebrew on macOS or Linux:

brew install npq

Usage

Install packages with npq

npq install express

Embed in your day to day

Since npq is a pre-step to ensure that the npm package you're installing is safe, you can safely embed it in your day-to-day npm usage so there's no need to remember to run npq explicitly.

alias npm='npq-hero'

Offload to package managers

If you're using yarn, pnpm, or generally want to explicitly tell npq which package manager to use you can specify an environment variable: NPQ_PKG_MGR=<package-manager>

Examples:

Using yarn 1.x:

alias yarn="NPQ_PKG_MGR=yarn npq-hero"

Using yarn 4.x:

NPQ_PKG_MGR=yarn yarn run npq-hero

or

NPQ_PKG_MGR=yarn yarn exec npq-hero

Using pnpm:

NPQ_PKG_MGR=pnpm npx npq install fastify

Using pnpm with alias:

alias pnpm="NPQ_PKG_MGR=pnpm npq-hero"

Note: npq by default will offload all commands and their arguments to the npm (or other package manager as specified) after it finished its due-diligence checks for the respective packages.

Marshalls

| Marshall Name | Description | Notes | --- | --- | --- | age | Will show a warning for a package if its age on npm is less than 22 days | Checks a package creation date, not a specific version | author | Will show a warning if a package has been found without an author field | Checks the latest version for an author | downloads | Will show a warning for a package if its download count in the last month is less than 20 | readme | Will show a warning if a package has no README or it has been detected as a security placeholder package by npm staff | repo | Will show a warning if a package has been found without a valid and working repository URL | Checks the latest version for a repository URL | scripts | Will show a warning if a package has a pre/post install script which could potentially be malicious | snyk | Will show a warning if a package has been found with vulnerabilities in Snyk's database | For Snyk to work you need to either have the snyk npm package installed with a valid API token, or make the token available in the SNYK_TOKEN environment variable, and npq will use it | license | Will show a warning if a package has been found without a license field | Checks the latest version for a license | expired domains | Will show a warning if a package has been found with one of its maintainers having an email address that includes an expired domain | Checks a dependency version for a maintainer with an expired domain | signatures | Will compare the package's signature as it shows on the registry's pakument with the keys published on the npmjs.com registry | provenance | Will verify the package's attestations of provenance metadata for the published package | version-maturity | Will show a warning if the specific version being installed was published less than 7 days ago | Helps identify recently published versions that may not have been reviewed by the community yet | newBin | Will show a warning if the package version being installed introduces a new command-line binary (via the bin field in package.json) that was not present in its previous version. | Helps identify potentially unexpected new executables being added to your node_modules/.bin/ directory. | typosquatting | Will show a warning if the package name is similar to a popular package name, which could indicate a potential typosquatting attack. | Helps identify packages that may be trying to trick users into installing them by mimicking popular package names. | deprecation | Will show a warning if the package version being installed is deprecated. | Helps identify packages that are no longer maintained or recommended for use.

Disabling Marshalls

To disable a marshall altogether, set an environment variable using with the marshall's shortname.

Example, to disable the Snyk vulnerability marshall:

MARSHALL_DISABLE_SNYK=1 npq install express

Available Marshall Environment Variables

Here are all the available environment variable names for disabling specific marshalls:

| Marshall Name | Environment Variable | Description | |------------------|-----------------------------------------------|-----------------------------------------------------| | age | MARSHALL_DISABLE_AGE | Disable package age checks | | author | MARSHALL_DISABLE_AUTHOR | Disable package author verification | | downloads | MARSHALL_DISABLE_DOWNLOADS | Disable download count checks | | expired domains | MARSHALL_DISABLE_MAINTAINERS_EXPIRED_EMAILS | Disable expired domain checks for maintainer emails | | license | MARSHALL_DISABLE_LICENSE | Disable license availability checks | | provenance | MARSHALL_DISABLE_PROVENANCE | Disable package provenance verification | | repo | MARSHALL_DISABLE_REPO | Disable repository URL validation | | scripts | MARSHALL_DISABLE_SCRIPTS | Disable pre/post install script checks | | signatures | MARSHALL_DISABLE_SIGNATURES | Disable registry signature verification | | snyk | MARSHALL_DISABLE_SNYK | Disable Snyk vulnerability checks | | typosquatting | MARSHALL_DISABLE_TYPOSQUATTING | Disable typosquatting detection | | version-maturity | MARSHALL_DISABLE_VERSION_MATURITY | Disable version maturity checks | | newBin | MARSHALL_DISABLE_NEWBIN | Disable new binary introduction checks | | deprecation | MARSHALL_DISABLE_DEPRECATION | Disable deprecation checks |

Run checks on package without installing it

npq install express --dry-run

Force non-rich text output

npq install express --plain

Disable auto-continue countdown

By default, when npq detects only warnings (no errors), it automatically proceeds with installation after a 15-second countdown. To disable this behavior and always require explicit confirmation:

Using the CLI flag:

npq install express --disable-auto-continue

Using the environment variable:

export NPQ_DISABLE_AUTO_CONTINUE=true
npq install express

Or set it permanently in your shell profile (.bashrc, .zshrc, etc.):

export NPQ_DISABLE_AUTO_CONTINUE=true

When auto-continue is disabled, npq will always prompt for explicit confirmation before proceeding with installation, even when only warnings are detected.

Learn Node.js Security

Screenshot 2024-09-12 at 20 14 27

FAQ

  1. What is the difference between npq and npq-hero?
  • npq is meant to be its own stand-alone CLI so it has command line flags like --dry-run and others (see npq --help). However, when you want to alias the npm CLI to NPQ you should use npq-hero as the executable of the alias to npm (e.g: alias npm=npq), which means npq-hero can't have its own command-line flags because they could conflict with the npm executable.
  1. Can I use NPQ without having npm or yarn?
  • NPQ will audit a package for possible security issues, but it isn't a replacement for npm or yarn. When you choose to continue installing the package, it will offload the installation process to your choice of either npm or yarn.
  1. How is NPQ different from npm audit?
  • npm install will install a module even if it has vulnerabilities; NPQ will display the issues detected, and prompt the user for confirmation on whether to proceed installing it.
  • NPQ will run synthetic checks, called marshalls, on the characteristics of a module, such as whether the module you are going to install has a pre-install script which can be potentially harmful for your system and prompt you whether to install it. Whereas npm audit will not perform any such checks, and only consults a vulnerability database for known security issues.
  • npm audit is closer in functionality to what Snyk does, rather than what NPQ does.
  1. Do I require a Snyk API key in order to use NPQ?
  • It's not required. If NPQ is unable to detect a Snyk API key for the user running NPQ, then it will skip the database vulnerabilities check. We do, however, greatly encourage you to use Snyk, and connect it with NPQ for broader security.
  1. Why is NPQ connecting to external domains like gmail.com or personal websites during installation?
  • This is not telemetry. NPQ does not collect any usage data. When auditing a package, NPQ fetches the maintainers/authors of the dependency and checks their email addresses to verify they are valid and not associated with expired domains. Expired domains can be abused by attackers for account takeover (ATO) attacks to compromise packages with malicious versions. Hence, NPQ may make DNS requests to domains like gmail.com or personal domains found in maintainer emails. Additionally, NPQ makes HTTP requests to osv.dev to fetch security vulnerability data (or uses Snyk if configured, as a prioritized option).

Contributing

Please consult the CONTRIBUTING for guidelines on contributing to this project

Author

Liran Tal [email protected]