npq 3.11.0 → 3.11.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +44 -35
- package/lib/helpers/packageRepoUtils.js +1 -1
- package/lib/helpers/reportResults.js +1 -1
- package/lib/marshalls/author.marshall.js +1 -1
- package/lib/marshalls/license.marshall.js +1 -1
- package/lib/marshalls/provenance.marshall.js +1 -1
- package/lib/marshalls/signatures.marshall.js +0 -1
- package/lib/marshalls/snyk.marshall.js +1 -1
- package/lib/marshallsDecomissioned/readme.marshall.js +1 -1
- package/package.json +1 -1
- package/scripts/build.js +0 -1
package/README.md
CHANGED
|
@@ -1,17 +1,17 @@
|
|
|
1
1
|
npq allows you to audit npm packages _before_ you install them
|
|
2
2
|
|
|
3
|
-
|
|
4
|
-
[](https://github.com/lirantal/npq/actions/workflows/main.yml)
|
|
3
|
+
[](https://www.npmjs.com/package/npq)
|
|
4
|
+
[](LICENSE)
|
|
5
|
+
[](https://codecov.io/gh/lirantal/npq)
|
|
6
|
+
[](https://github.com/lirantal/npq/actions/workflows/main.yml?query=branch%3Amain)
|
|
8
7
|
[](https://snyk.io/test/github/lirantal/npq)
|
|
9
|
-
[](SECURITY.md)
|
|
10
9
|
|
|
11
|
-

|
|
12
11
|
|
|
13
12
|
Media coverage about npq:
|
|
14
|
-
|
|
13
|
+
|
|
14
|
+
- As mentioned on [Thomas Gentilhomme](https://github.com/fraxken)'s French book of [Become a Node.js Developer](https://docs.google.com/document/d/1JHgmEFkc8Py4XSuCB8_DQ5FFEJoogyeninFK6ucTd4o/edit#)
|
|
15
15
|
- Tao Bojlén's [A web of trust for npm](https://www.btao.org/2020/10/02/npm-trust.html)
|
|
16
16
|
- Zander's [favorite list of command line tools](https://zander.wtf/blog/terminal-commands)
|
|
17
17
|
- Ran Bar Zik's [npq review to install safe modules](https://internet-israel.com/%D7%A4%D7%99%D7%AA%D7%95%D7%97-%D7%90%D7%99%D7%A0%D7%98%D7%A8%D7%A0%D7%98/%D7%91%D7%A0%D7%99%D7%99%D7%AA-%D7%90%D7%AA%D7%A8%D7%99-%D7%90%D7%99%D7%A0%D7%98%D7%A8%D7%A0%D7%98-%D7%9C%D7%9E%D7%A4%D7%AA%D7%97%D7%99%D7%9D/%D7%91%D7%93%D7%99%D7%A7%D7%94-%D7%A2%D7%9D-npq-%D7%9B%D7%93%D7%99-%D7%9C%D7%95%D7%95%D7%93%D7%90-%D7%94%D7%AA%D7%A7%D7%A0%D7%94-%D7%AA%D7%A7%D7%99%D7%A0%D7%94-%D7%A9%D7%9C-%D7%9E%D7%95%D7%93%D7%95/)
|
|
@@ -43,7 +43,7 @@ DISCLAIMER: there's no guaranteed absolute safety; a malicious or vulnerable pac
|
|
|
43
43
|
|
|
44
44
|
## Demo
|
|
45
45
|
|
|
46
|
-
https://github.com/user-attachments/assets/619ab3f6-aa3f-483c-9560-0f18e033e6bf
|
|
46
|
+
<https://github.com/user-attachments/assets/619ab3f6-aa3f-483c-9560-0f18e033e6bf>
|
|
47
47
|
|
|
48
48
|
## Install
|
|
49
49
|
|
|
@@ -55,7 +55,7 @@ npm install -g npq
|
|
|
55
55
|
|
|
56
56
|
## Usage
|
|
57
57
|
|
|
58
|
-
### Install packages with npq
|
|
58
|
+
### Install packages with npq
|
|
59
59
|
|
|
60
60
|
```bash
|
|
61
61
|
npq install express
|
|
@@ -76,16 +76,19 @@ If you're using `yarn`, `pnpm`, or generally want to explicitly tell npq which p
|
|
|
76
76
|
Examples:
|
|
77
77
|
|
|
78
78
|
**Using yarn:**
|
|
79
|
+
|
|
79
80
|
```bash
|
|
80
81
|
alias yarn="NPQ_PKG_MGR=yarn npq-hero"
|
|
81
82
|
```
|
|
82
83
|
|
|
83
84
|
**Using pnpm:**
|
|
85
|
+
|
|
84
86
|
```bash
|
|
85
87
|
NPQ_PKG_MGR=pnpm npx npq install fastify
|
|
86
88
|
```
|
|
87
89
|
|
|
88
90
|
**Using pnpm with alias:**
|
|
91
|
+
|
|
89
92
|
```bash
|
|
90
93
|
alias pnpm="NPQ_PKG_MGR=pnpm npq-hero"
|
|
91
94
|
```
|
|
@@ -102,24 +105,23 @@ Note: `npq` by default will offload all commands and their arguments to the `npm
|
|
|
102
105
|
| readme | Will show a warning if a package has no README or it has been detected as a security placeholder package by npm staff
|
|
103
106
|
| repo | Will show a warning if a package has been found without a valid and working repository URL | Checks the latest version for a repository URL
|
|
104
107
|
| scripts | Will show a warning if a package has a pre/post install script which could potentially be malicious
|
|
105
|
-
| snyk | Will show a warning if a package has been found with vulnerabilities in Snyk's database | For Snyk to work you need to either have the `snyk` npm package installed with a valid
|
|
108
|
+
| snyk | Will show a warning if a package has been found with vulnerabilities in Snyk's database | For Snyk to work you need to either have the `snyk` npm package installed with a valid API token, or make the token available in the `SNYK_TOKEN` environment variable, and npq will use it
|
|
106
109
|
| license | Will show a warning if a package has been found without a license field | Checks the latest version for a license
|
|
107
110
|
| expired domains | Will show a warning if a package has been found with one of its maintainers having an email address that includes an expired domain | Checks a dependency version for a maintainer with an expired domain
|
|
108
|
-
| signatures | Will compare the package's signature as it shows on the registry's pakument with the keys published on the npmjs.com registry
|
|
111
|
+
| signatures | Will compare the package's signature as it shows on the registry's pakument with the keys published on the npmjs.com registry
|
|
109
112
|
| provenance | Will verify the package's attestations of provenance metadata for the published package
|
|
110
113
|
| version-maturity | Will show a warning if the specific version being installed was published less than 7 days ago | Helps identify recently published versions that may not have been reviewed by the community yet
|
|
111
114
|
| newBin | Will show a warning if the package version being installed introduces a new command-line binary (via the `bin` field in `package.json`) that was not present in its previous version. | Helps identify potentially unexpected new executables being added to your `node_modules/.bin/` directory.
|
|
112
115
|
| typosquatting | Will show a warning if the package name is similar to a popular package name, which could indicate a potential typosquatting attack. | Helps identify packages that may be trying to trick users into installing them by mimicking popular package names.
|
|
113
116
|
| deprecation | Will show a warning if the package version being installed is deprecated. | Helps identify packages that are no longer maintained or recommended for use.
|
|
114
117
|
|
|
115
|
-
|
|
116
118
|
### Disabling Marshalls
|
|
117
119
|
|
|
118
120
|
To disable a marshall altogether, set an environment variable using with the marshall's shortname.
|
|
119
121
|
|
|
120
122
|
Example, to disable the Snyk vulnerability marshall:
|
|
121
123
|
|
|
122
|
-
```
|
|
124
|
+
```bash
|
|
123
125
|
MARSHALL_DISABLE_SNYK=1 npq install express
|
|
124
126
|
```
|
|
125
127
|
|
|
@@ -127,30 +129,30 @@ MARSHALL_DISABLE_SNYK=1 npq install express
|
|
|
127
129
|
|
|
128
130
|
Here are all the available environment variable names for disabling specific marshalls:
|
|
129
131
|
|
|
130
|
-
| Marshall Name
|
|
131
|
-
|
|
132
|
-
| age
|
|
133
|
-
| author
|
|
134
|
-
| downloads
|
|
135
|
-
| expired domains
|
|
136
|
-
| license
|
|
137
|
-
| provenance
|
|
138
|
-
| repo
|
|
139
|
-
| scripts
|
|
140
|
-
| signatures
|
|
141
|
-
| snyk
|
|
142
|
-
| typosquatting
|
|
143
|
-
| version-maturity | `MARSHALL_DISABLE_VERSION_MATURITY`
|
|
144
|
-
| newBin
|
|
145
|
-
| deprecation
|
|
146
|
-
|
|
147
|
-
### Run checks on package without installing it
|
|
132
|
+
| Marshall Name | Environment Variable | Description |
|
|
133
|
+
|------------------|-----------------------------------------------|-----------------------------------------------------|
|
|
134
|
+
| age | `MARSHALL_DISABLE_AGE` | Disable package age checks |
|
|
135
|
+
| author | `MARSHALL_DISABLE_AUTHOR` | Disable package author verification |
|
|
136
|
+
| downloads | `MARSHALL_DISABLE_DOWNLOADS` | Disable download count checks |
|
|
137
|
+
| expired domains | `MARSHALL_DISABLE_MAINTAINERS_EXPIRED_EMAILS` | Disable expired domain checks for maintainer emails |
|
|
138
|
+
| license | `MARSHALL_DISABLE_LICENSE` | Disable license availability checks |
|
|
139
|
+
| provenance | `MARSHALL_DISABLE_PROVENANCE` | Disable package provenance verification |
|
|
140
|
+
| repo | `MARSHALL_DISABLE_REPO` | Disable repository URL validation |
|
|
141
|
+
| scripts | `MARSHALL_DISABLE_SCRIPTS` | Disable pre/post install script checks |
|
|
142
|
+
| signatures | `MARSHALL_DISABLE_SIGNATURES` | Disable registry signature verification |
|
|
143
|
+
| snyk | `MARSHALL_DISABLE_SNYK` | Disable Snyk vulnerability checks |
|
|
144
|
+
| typosquatting | `MARSHALL_DISABLE_TYPOSQUATTING` | Disable typosquatting detection |
|
|
145
|
+
| version-maturity | `MARSHALL_DISABLE_VERSION_MATURITY` | Disable version maturity checks |
|
|
146
|
+
| newBin | `MARSHALL_DISABLE_NEWBIN` | Disable new binary introduction checks |
|
|
147
|
+
| deprecation | `MARSHALL_DISABLE_DEPRECATION` | Disable deprecation checks |
|
|
148
|
+
|
|
149
|
+
### Run checks on package without installing it
|
|
148
150
|
|
|
149
151
|
```sh
|
|
150
152
|
npq install express --dry-run
|
|
151
153
|
```
|
|
152
154
|
|
|
153
|
-
### Force non-rich text output
|
|
155
|
+
### Force non-rich text output
|
|
154
156
|
|
|
155
157
|
```sh
|
|
156
158
|
npq install express --plain
|
|
@@ -166,7 +168,7 @@ npq install express --plain
|
|
|
166
168
|
</a>
|
|
167
169
|
</p>
|
|
168
170
|
|
|
169
|
-

|
|
170
172
|
|
|
171
173
|
<p>
|
|
172
174
|
Learn Node.js Secure Coding techniques and best practices from <a href="https://www.lirantal.com">Liran Tal</a>
|
|
@@ -175,18 +177,25 @@ npq install express --plain
|
|
|
175
177
|
</div>
|
|
176
178
|
|
|
177
179
|
## FAQ
|
|
180
|
+
|
|
178
181
|
1. **Can I use NPQ without having npm or yarn?**
|
|
182
|
+
|
|
179
183
|
* NPQ will audit a package for possible security issues, but it isn't a replacement for npm or yarn. When you choose to continue installing the package, it will offload the installation process to your choice of either npm or yarn.
|
|
184
|
+
|
|
180
185
|
2. **How is NPQ different from npm audit?**
|
|
186
|
+
|
|
181
187
|
* `npm install` will install a module even if it has vulnerabilities; NPQ will display the issues detected, and prompt the user for confirmation on whether to proceed installing it.
|
|
182
188
|
* NPQ will run synthetic checks, called [marshalls](https://github.com/lirantal/npq#marshalls), on the characteristics of a module, such as whether the module you are going to install has a `pre-install` script which can be potentially harmful for your system and prompt you whether to install it. Whereas `npm audit` will not perform any such checks, and only consults a vulnerability database for known security issues.
|
|
183
189
|
* `npm audit` is closer in functionality to what Snyk does, rather than what NPQ does.
|
|
190
|
+
|
|
184
191
|
3. **Do I require a Snyk API key in order to use NPQ?**
|
|
192
|
+
|
|
185
193
|
* It's not required. If NPQ is unable to detect a Snyk API key for the user running NPQ, then it will skip the database vulnerabilities check. We do, however, greatly encourage you to use Snyk, and connect it with NPQ for broader security.
|
|
186
194
|
|
|
187
195
|
## Contributing
|
|
188
196
|
|
|
189
|
-
Please consult the [CONTRIBUTING](
|
|
197
|
+
Please consult the [CONTRIBUTING](CONTRIBUTING.md) for guidelines on contributing to this project
|
|
190
198
|
|
|
191
199
|
## Author
|
|
200
|
+
|
|
192
201
|
Liran Tal <liran.tal@gmail.com>
|
|
@@ -267,7 +267,7 @@ function marshallResultsToIssuesPerPackage(results) {
|
|
|
267
267
|
warnings: []
|
|
268
268
|
}
|
|
269
269
|
for (const marshall of allMarshallResultsList) {
|
|
270
|
-
for (const
|
|
270
|
+
for (const value of Object.values(marshall)) {
|
|
271
271
|
if (value.errors && value.errors.length > 0) {
|
|
272
272
|
const marshallErrors = value.errors.map((error) => {
|
|
273
273
|
return {
|
|
@@ -55,7 +55,7 @@ class Marshall extends BaseMarshall {
|
|
|
55
55
|
|
|
56
56
|
let firstVersionForUser = null
|
|
57
57
|
const versionPublishedDateString = pakument.time[packageVersion]
|
|
58
|
-
for (const
|
|
58
|
+
for (const versionMetadata of Object.values(pakument.versions)) {
|
|
59
59
|
if (versionMetadata._npmUser && versionMetadata._npmUser.email === npmUser.email) {
|
|
60
60
|
firstVersionForUser = versionMetadata
|
|
61
61
|
break
|
|
@@ -22,7 +22,7 @@ class Marshall extends BaseMarshall {
|
|
|
22
22
|
throw new Error('Package has no LICENSE file available')
|
|
23
23
|
}
|
|
24
24
|
|
|
25
|
-
if (licenseContents
|
|
25
|
+
if (licenseContents.indexOf('# Security holding package') === 0) {
|
|
26
26
|
throw new Error('Package flagged for security issues and served as place-holder')
|
|
27
27
|
}
|
|
28
28
|
|
|
@@ -52,7 +52,7 @@ class Marshall extends BaseMarshall {
|
|
|
52
52
|
throw new Error('Unable to query vulnerabilities for packages')
|
|
53
53
|
}
|
|
54
54
|
|
|
55
|
-
if (data
|
|
55
|
+
if (data.issuesCount && data.issuesCount > 0) {
|
|
56
56
|
if (this.snykApiToken) {
|
|
57
57
|
const packageSecurityInfo = `${SNYK_PACKAGE_PAGE}${encodeURIComponent(pkg.packageName)}`
|
|
58
58
|
if (data.isMaliciousPackage) {
|
|
@@ -22,7 +22,7 @@ class Marshall extends BaseMarshall {
|
|
|
22
22
|
throw new Error('Package has no README file available')
|
|
23
23
|
}
|
|
24
24
|
|
|
25
|
-
if (readmeContents
|
|
25
|
+
if (readmeContents.indexOf('# Security holding package') === 0) {
|
|
26
26
|
throw new Error('Package flagged for security issues and served as place-holder')
|
|
27
27
|
}
|
|
28
28
|
|
package/package.json
CHANGED