npq
npq is a CLI tool that audits npm packages before installation by checking for known vulnerabilities, suspicious metadata patterns, and supply-chain red flags. It acts as a gate between your install command and the package manager, allowing you to review warnings and decide whether to proceed.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | lirantal/npq |
| Owner | lirantal |
| Primary language | JavaScript |
| License | Apache-2.0 — OSI-approved |
| Stars | 1.8k |
| Forks | 41 |
| Open issues | 15 |
| Latest release | v3.20.0 (2026-07-07) |
| Last updated | 2026-07-07 |
| Source | https://github.com/lirantal/npq |
What npq is
npq intercepts npm/yarn/pnpm install commands, runs multiple heuristic checks (Snyk CVE lookups, package age, download metrics, maintainer behavior, scripts, provenance signatures, typosquatting detection), and either auto-continues or requires manual approval before delegating to the underlying package manager. Marshalls are pluggable audit modules that can be individually disabled via environment variables.
Get the npq source
Clone the repository and explore it locally.
git clone https://github.com/lirantal/npq.gitcd npq# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires explicit opt-in via alias (e.g., `alias npm='npq-hero'`) or per-invocation CLI use; not installed by default in npm workflows, so adoption requires team discipline.
- Default auto-continue mode waits 15 seconds on warnings; strict mode via `--disable-auto-continue` or env var needed for zero-touch approval gates in CI/CD.
- Snyk marshall requires `snyk` npm package + valid API token or `SNYK_TOKEN` env var; GitHub marshall benefits from `GITHUB_TOKEN` for higher API rate limits on deprecation/archive checks.
- Marshalls can be individually disabled via env vars (e.g., `MARSHALL_DISABLE_SNYK=1`); teams must decide on policy (all enabled, strict subset, etc.) and document it.
- Works with npm, yarn, pnpm, and custom package managers via `NPQ_PKG_MGR` env var; integration testing required for non-npm workflows.
When to avoid it — and what to weigh
- Absolute guarantee of safety is required — npq explicitly disclaims absolute safety; a malicious package with no public CVE and good superficial metrics can still pass. It is a heuristic tool, not a formal proof.
- Air-gapped or offline environments are mandatory — npq relies on external APIs (Snyk CVE database, npm registry, GitHub API for deprecation checks, Snyk API for provenance). Offline-only workflows will require bundled or cached metadata.
- Highly regulated compliance with locked audit trails — npq's audit checks are not persisted in a tamper-proof log by default; environments requiring SOC 2 or similar attestation of every install decision may need external logging infrastructure.
- Performance is critical for very large monorepos with hundreds of deps — Each install incurs marshall checks and external API calls; bulk operations (e.g., `npm ci` on 500+ dependencies) may see noticeable latency unless carefully tuned or marshalls are disabled.
License & commercial use
Apache License 2.0 (Apache-2.0). Permissive OSI-approved license allowing commercial use, modification, and distribution with attribution and liability/warranty disclaimers. No known restrictions on use in proprietary or closed-source projects.
Apache-2.0 permits commercial use without royalty or license fees. However, reliance on external APIs (Snyk free tier has usage limits, GitHub API has rate limits) may incur costs at scale. Snyk API token and GitHub token configuration are user's responsibility; consult Snyk and GitHub's commercial terms separately. Verify API availability and SLAs for production use.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Good |
| Assessment confidence | High |
npq reduces exposure to known supply-chain attacks (typosquatting, dormant maintainers, pre/post-install scripts) via heuristic checks and CVE/provenance lookup. However, it is not a cryptographic verification tool; signature checks rely on npm registry metadata, not independent key management. Malicious packages with no public CVE or clean metadata can still pass. Team discipline and API token security (Snyk, GitHub) are prerequisites. No warrant of immunity from zero-day supply-chain compromise; use as one layer in defense-in-depth strategy.
Alternatives to consider
npm audit / npm audit fix
Built-in npm feature detects known vulnerabilities in installed dependencies but does not pre-install gate; runs post-install or on demand. Less opinionated about maintainer behavior or typosquatting.
Snyk CLI
Comprehensive SBOM and SCA scanning with remediation, but requires separate account/token and is typically run post-install or in CI; does not intercept package manager invocations like npq.
Renovate / Dependabot
Automated dependency updates and security alerting in version control; complementary to npq for ongoing maintenance but does not provide interactive pre-install review of new packages.
Build on npq with DEV.co software developers
Adopt npq to systematically audit dependencies before they enter your codebase. Catch typosquats, dormant maintainers, and suspicious scripts in seconds.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
npq FAQ
Can npq run in fully offline mode?
Will npq block installation of a package that passes checks but is later found to be malicious?
How do I integrate npq into my CI/CD pipeline?
What happens if an API (Snyk, GitHub, npm registry) is down?
Custom software development services
DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If npq is part of your open-source security roadmap, our team can implement, customize, migrate, and maintain it.
Harden Your npm Install Process
Adopt npq to systematically audit dependencies before they enter your codebase. Catch typosquats, dormant maintainers, and suspicious scripts in seconds.