npq 2.0.23 → 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/README.md +11 -2
  2. package/package.json +7 -7
package/README.md CHANGED
@@ -19,13 +19,14 @@
19
19
 
20
20
 
21
21
  Media coverage about npq:
22
+ - As mentioned on [Thomas Gentilhomme](https://github.com/fraxken)'s French book of [Become a Node.js Developer](https://docs.google.com/document/d/1JHgmEFkc8Py4XSuCB8_DQ5FFEJoogyeninFK6ucTd4o/edit#)
22
23
  - Tao Bojlén's [A web of trust for npm](https://www.btao.org/2020/10/02/npm-trust.html)
23
24
  - Zander's [favorite list of command line tools](https://zander.wtf/blog/terminal-commands)
24
25
  - Ran Bar Zik's [npq review to install safe modules](https://internet-israel.com/%D7%A4%D7%99%D7%AA%D7%95%D7%97-%D7%90%D7%99%D7%A0%D7%98%D7%A8%D7%A0%D7%98/%D7%91%D7%A0%D7%99%D7%99%D7%AA-%D7%90%D7%AA%D7%A8%D7%99-%D7%90%D7%99%D7%A0%D7%98%D7%A8%D7%A0%D7%98-%D7%9C%D7%9E%D7%A4%D7%AA%D7%97%D7%99%D7%9D/%D7%91%D7%93%D7%99%D7%A7%D7%94-%D7%A2%D7%9D-npq-%D7%9B%D7%93%D7%99-%D7%9C%D7%95%D7%95%D7%93%D7%90-%D7%94%D7%AA%D7%A7%D7%A0%D7%94-%D7%AA%D7%A7%D7%99%D7%A0%D7%94-%D7%A9%D7%9C-%D7%9E%D7%95%D7%93%D7%95/)
25
26
  - ostechnix's [How To Safely Install Packages Using Npm Or Yarn On Linux](https://ostechnix.com/how-to-safely-install-packages-using-npm-or-yarn-on-linux)
26
27
  - debricked's [How to evaluate the security of your NPM Package dependencies](https://debricked.com/blog/2020/03/11/how-to-evaluate-the-security-of-your-npm-package-dependencies)
27
- - JavaScript January advent calendar's post on [Open Source From Heaven, Modules From Hell](https://www.javascriptjanuary.com/blog/open-source-from-heaven-modules-from-hell)
28
- - Liran Tal's [Malicious Modules — what you need to know when installing npm packages](https://medium.com/@liran.tal/malicious-modules-what-you-need-to-know-when-installing-npm-packages-12b2f56d3685)
28
+ - JavaScript January advent calendar's post on [Open Source From Heaven, Modules From Hell](https://www.lirantal.com/blog/2019-01-26)
29
+ - Liran Tal's [Malicious Modules — what you need to know when installing npm packages](https://www.lirantal.com/blog/malicious-modules-what-you-need-to-know-when-installing-npm-packages-12b2f56d3685)
29
30
 
30
31
 
31
32
  ## About
@@ -90,8 +91,10 @@ Note: `npq` by default will offload all commands and their arguments to the `npm
90
91
  | Marshall Name | Description | Notes
91
92
  | --- | --- | ---
92
93
  | age | Will show a warning for a package if its age on npm is less than 22 days | Checks a package creation date, not a specific version
94
+ | author | Will show a warning if a package has been found without an author field | Checks the latest version for an author
93
95
  | downloads | Will show a warning for a package if its download count in the last month is less than 20
94
96
  | readme | Will show a warning if a package has no README or it has been detected as a security placeholder package by npm staff
97
+ | repo | Will show a warning if a package has been found without a valid and working repository URL | Checks the latest version for a repository URL
95
98
  | scripts | Will show a warning if a package has a pre/post install script which could potentially be malicious
96
99
  | snyk | Will show a warning if a package has been found with vulnerabilities in snyk's database | For snyk to work you need to either have the `snyk` npm package installed with a valid api token, or make the token available in the SNYK_TOKEN environment variable, and npq will use it
97
100
  | license | Will show a warning if a package has been found without a license field | Checks the latest version for a license
@@ -106,6 +109,12 @@ Example, to disable snyk:
106
109
  MARSHALL_DISABLE_SNYK=1 npq install express
107
110
  ```
108
111
 
112
+ ### Run checks on package without installing it:
113
+
114
+ ```sh
115
+ npq install express --dry-run
116
+ ```
117
+
109
118
  ### Using with TravisCI
110
119
 
111
120
  An example of using lockfile-lint with a `.travis.yml` configuration as part of your build:
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "npq",
3
- "version": "2.0.23",
3
+ "version": "2.1.0",
4
4
  "description": "marshall your npm/yarn package installs with high quality and class 🎖",
5
5
  "bin": {
6
6
  "npq": "./bin/npq.js",
@@ -172,15 +172,15 @@
172
172
  },
173
173
  "dependencies": {
174
174
  "chalk": "^2.3.0",
175
- "glob": "^7.1.7",
175
+ "glob": "^8.0.3",
176
176
  "inquirer": "^7.3.3",
177
177
  "listr": "^0.14.0",
178
- "node-fetch": "^2.6.1",
179
- "npm-package-arg": "^8.1.4",
180
- "semver": "^6.3.0",
181
- "update-notifier": "^5.0.1",
178
+ "node-fetch": "^2.6.7",
179
+ "npm-package-arg": "^10.1.0",
180
+ "semver": "^7.3.8",
181
+ "update-notifier": "^6.0.2",
182
182
  "validator": "^13.6.0",
183
- "yargs": "^16.2.0"
183
+ "yargs": "^17.6.2"
184
184
  },
185
185
  "release": {
186
186
  "branch": "master",