DEV.co
Open-Source Security · lirantal

npq

npq is a CLI tool that audits npm packages before installation by checking for known vulnerabilities, suspicious metadata patterns, and supply-chain red flags. It acts as a gate between your install command and the package manager, allowing you to review warnings and decide whether to proceed.

Source: GitHub — github.com/lirantal/npq
1.8k
GitHub stars
41
Forks
JavaScript
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorylirantal/npq
Ownerlirantal
Primary languageJavaScript
LicenseApache-2.0 — OSI-approved
Stars1.8k
Forks41
Open issues15
Latest releasev3.20.0 (2026-07-07)
Last updated2026-07-07
Sourcehttps://github.com/lirantal/npq

What npq is

npq intercepts npm/yarn/pnpm install commands, runs multiple heuristic checks (Snyk CVE lookups, package age, download metrics, maintainer behavior, scripts, provenance signatures, typosquatting detection), and either auto-continues or requires manual approval before delegating to the underlying package manager. Marshalls are pluggable audit modules that can be individually disabled via environment variables.

Quickstart

Get the npq source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/lirantal/npq.gitcd npq# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Supply-chain risk reduction in development teams

Teams shipping production code can enforce npq via npm aliases or CI/CD pre-install hooks to systematically reduce exposure to typosquatting, dormant maintainers, and newly published versions without community review.

Onboarding and security awareness

Organizations can make npq a standard install wrapper so developers see supply-chain considerations (README presence, license clarity, pre/post-install scripts) on every dependency addition, raising baseline security hygiene.

Incident response and rapid assessment

Security teams can use npq with `--dry-run` to quickly audit a suspect package or lock file before it enters the codebase, leveraging Snyk and provenance verification without side effects.

Implementation considerations

  • Requires explicit opt-in via alias (e.g., `alias npm='npq-hero'`) or per-invocation CLI use; not installed by default in npm workflows, so adoption requires team discipline.
  • Default auto-continue mode waits 15 seconds on warnings; strict mode via `--disable-auto-continue` or env var needed for zero-touch approval gates in CI/CD.
  • Snyk marshall requires `snyk` npm package + valid API token or `SNYK_TOKEN` env var; GitHub marshall benefits from `GITHUB_TOKEN` for higher API rate limits on deprecation/archive checks.
  • Marshalls can be individually disabled via env vars (e.g., `MARSHALL_DISABLE_SNYK=1`); teams must decide on policy (all enabled, strict subset, etc.) and document it.
  • Works with npm, yarn, pnpm, and custom package managers via `NPQ_PKG_MGR` env var; integration testing required for non-npm workflows.

When to avoid it — and what to weigh

  • Absolute guarantee of safety is required — npq explicitly disclaims absolute safety; a malicious package with no public CVE and good superficial metrics can still pass. It is a heuristic tool, not a formal proof.
  • Air-gapped or offline environments are mandatory — npq relies on external APIs (Snyk CVE database, npm registry, GitHub API for deprecation checks, Snyk API for provenance). Offline-only workflows will require bundled or cached metadata.
  • Highly regulated compliance with locked audit trails — npq's audit checks are not persisted in a tamper-proof log by default; environments requiring SOC 2 or similar attestation of every install decision may need external logging infrastructure.
  • Performance is critical for very large monorepos with hundreds of deps — Each install incurs marshall checks and external API calls; bulk operations (e.g., `npm ci` on 500+ dependencies) may see noticeable latency unless carefully tuned or marshalls are disabled.

License & commercial use

Apache License 2.0 (Apache-2.0). Permissive OSI-approved license allowing commercial use, modification, and distribution with attribution and liability/warranty disclaimers. No known restrictions on use in proprietary or closed-source projects.

Apache-2.0 permits commercial use without royalty or license fees. However, reliance on external APIs (Snyk free tier has usage limits, GitHub API has rate limits) may incur costs at scale. Snyk API token and GitHub token configuration are user's responsibility; consult Snyk and GitHub's commercial terms separately. Verify API availability and SLAs for production use.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

npq reduces exposure to known supply-chain attacks (typosquatting, dormant maintainers, pre/post-install scripts) via heuristic checks and CVE/provenance lookup. However, it is not a cryptographic verification tool; signature checks rely on npm registry metadata, not independent key management. Malicious packages with no public CVE or clean metadata can still pass. Team discipline and API token security (Snyk, GitHub) are prerequisites. No warrant of immunity from zero-day supply-chain compromise; use as one layer in defense-in-depth strategy.

Alternatives to consider

npm audit / npm audit fix

Built-in npm feature detects known vulnerabilities in installed dependencies but does not pre-install gate; runs post-install or on demand. Less opinionated about maintainer behavior or typosquatting.

Snyk CLI

Comprehensive SBOM and SCA scanning with remediation, but requires separate account/token and is typically run post-install or in CI; does not intercept package manager invocations like npq.

Renovate / Dependabot

Automated dependency updates and security alerting in version control; complementary to npq for ongoing maintenance but does not provide interactive pre-install review of new packages.

Software development agency

Build on npq with DEV.co software developers

Adopt npq to systematically audit dependencies before they enter your codebase. Catch typosquats, dormant maintainers, and suspicious scripts in seconds.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

npq FAQ

Can npq run in fully offline mode?
No; marshalls like Snyk CVE lookup, package age checks, and GitHub deprecation detection require internet access to APIs. Offline use would require pre-cached metadata or marshalls disabled.
Will npq block installation of a package that passes checks but is later found to be malicious?
No; npq makes a point-in-time decision based on available data. If a package is compromised or malicious after passing checks, npq cannot retroactively detect or block it.
How do I integrate npq into my CI/CD pipeline?
Use `npq install <pkg>` in build steps or set `alias npm='npq-hero'` in CI environment. With `--disable-auto-continue`, npq will error on warnings, failing the build. Without it, auto-continue waits 15 seconds by default.
What happens if an API (Snyk, GitHub, npm registry) is down?
Unknown; not clearly stated. Likely marshalls timeout or degrade gracefully, but behavior on network failure requires testing or code review.

Custom software development services

DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If npq is part of your open-source security roadmap, our team can implement, customize, migrate, and maintain it.

Harden Your npm Install Process

Adopt npq to systematically audit dependencies before they enter your codebase. Catch typosquats, dormant maintainers, and suspicious scripts in seconds.