npq 3.11.0 → 3.11.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -1,17 +1,17 @@
1
1
  npq allows you to audit npm packages _before_ you install them
2
2
 
3
-
4
- [![npm](https://img.shields.io/npm/v/npq.svg)](https://www.npmjs.com/package/npq)
5
- [![npm](https://img.shields.io/npm/l/npq.svg)](https://www.npmjs.com/package/npq)
6
- [![codecov](https://codecov.io/gh/lirantal/npq/branch/main/graph/badge.svg)](https://codecov.io/gh/lirantal/npq)
7
- [![CI](https://github.com/lirantal/npq/actions/workflows/main.yml/badge.svg)](https://github.com/lirantal/npq/actions/workflows/main.yml)
3
+ [![npm](https://img.shields.io/npm/v/npq)](https://www.npmjs.com/package/npq)
4
+ [![license](https://img.shields.io/npm/l/npq)](LICENSE)
5
+ [![codecov](https://img.shields.io/codecov/c/gh/lirantal/npq/main)](https://codecov.io/gh/lirantal/npq)
6
+ [![CI](https://img.shields.io/github/actions/workflow/status/lirantal/npq/main.yml?branch=main&label=CI&logo=github)](https://github.com/lirantal/npq/actions/workflows/main.yml?query=branch%3Amain)
8
7
  [![Known Vulnerabilities](https://snyk.io/test/github/lirantal/npq/badge.svg)](https://snyk.io/test/github/lirantal/npq)
9
- [![Security Responsible Disclosure](https://img.shields.io/badge/Security-Responsible%20Disclosure-yellow.svg)](./SECURITY.md)
8
+ [![Security Responsible Disclosure](https://img.shields.io/badge/Security-Responsible%20Disclosure-yellow)](SECURITY.md)
10
9
 
11
- ![npq demo screenshot](https://github.com/user-attachments/assets/a201d041-2ce2-4e2d-b066-1395078a83e3)
10
+ ![npq demo screenshot](.github/npq.png)
12
11
 
13
12
  Media coverage about npq:
14
- - As mentioned on [Thomas Gentilhomme](https://github.com/fraxken)'s French book of [Become a Node.js Developer](https://docs.google.com/document/d/1JHgmEFkc8Py4XSuCB8_DQ5FFEJoogyeninFK6ucTd4o/edit#)
13
+
14
+ - As mentioned on [Thomas Gentilhomme](https://github.com/fraxken)'s French book of [Become a Node.js Developer](https://docs.google.com/document/d/1JHgmEFkc8Py4XSuCB8_DQ5FFEJoogyeninFK6ucTd4o/edit#)
15
15
  - Tao Bojlén's [A web of trust for npm](https://www.btao.org/2020/10/02/npm-trust.html)
16
16
  - Zander's [favorite list of command line tools](https://zander.wtf/blog/terminal-commands)
17
17
  - Ran Bar Zik's [npq review to install safe modules](https://internet-israel.com/%D7%A4%D7%99%D7%AA%D7%95%D7%97-%D7%90%D7%99%D7%A0%D7%98%D7%A8%D7%A0%D7%98/%D7%91%D7%A0%D7%99%D7%99%D7%AA-%D7%90%D7%AA%D7%A8%D7%99-%D7%90%D7%99%D7%A0%D7%98%D7%A8%D7%A0%D7%98-%D7%9C%D7%9E%D7%A4%D7%AA%D7%97%D7%99%D7%9D/%D7%91%D7%93%D7%99%D7%A7%D7%94-%D7%A2%D7%9D-npq-%D7%9B%D7%93%D7%99-%D7%9C%D7%95%D7%95%D7%93%D7%90-%D7%94%D7%AA%D7%A7%D7%A0%D7%94-%D7%AA%D7%A7%D7%99%D7%A0%D7%94-%D7%A9%D7%9C-%D7%9E%D7%95%D7%93%D7%95/)
@@ -43,7 +43,7 @@ DISCLAIMER: there's no guaranteed absolute safety; a malicious or vulnerable pac
43
43
 
44
44
  ## Demo
45
45
 
46
- https://github.com/user-attachments/assets/619ab3f6-aa3f-483c-9560-0f18e033e6bf
46
+ <https://github.com/user-attachments/assets/619ab3f6-aa3f-483c-9560-0f18e033e6bf>
47
47
 
48
48
  ## Install
49
49
 
@@ -55,7 +55,7 @@ npm install -g npq
55
55
 
56
56
  ## Usage
57
57
 
58
- ### Install packages with npq:
58
+ ### Install packages with npq
59
59
 
60
60
  ```bash
61
61
  npq install express
@@ -76,16 +76,19 @@ If you're using `yarn`, `pnpm`, or generally want to explicitly tell npq which p
76
76
  Examples:
77
77
 
78
78
  **Using yarn:**
79
+
79
80
  ```bash
80
81
  alias yarn="NPQ_PKG_MGR=yarn npq-hero"
81
82
  ```
82
83
 
83
84
  **Using pnpm:**
85
+
84
86
  ```bash
85
87
  NPQ_PKG_MGR=pnpm npx npq install fastify
86
88
  ```
87
89
 
88
90
  **Using pnpm with alias:**
91
+
89
92
  ```bash
90
93
  alias pnpm="NPQ_PKG_MGR=pnpm npq-hero"
91
94
  ```
@@ -102,24 +105,23 @@ Note: `npq` by default will offload all commands and their arguments to the `npm
102
105
  | readme | Will show a warning if a package has no README or it has been detected as a security placeholder package by npm staff
103
106
  | repo | Will show a warning if a package has been found without a valid and working repository URL | Checks the latest version for a repository URL
104
107
  | scripts | Will show a warning if a package has a pre/post install script which could potentially be malicious
105
- | snyk | Will show a warning if a package has been found with vulnerabilities in Snyk's database | For Snyk to work you need to either have the `snyk` npm package installed with a valid api token, or make the token available in the SNYK_TOKEN environment variable, and npq will use it
108
+ | snyk | Will show a warning if a package has been found with vulnerabilities in Snyk's database | For Snyk to work you need to either have the `snyk` npm package installed with a valid API token, or make the token available in the `SNYK_TOKEN` environment variable, and npq will use it
106
109
  | license | Will show a warning if a package has been found without a license field | Checks the latest version for a license
107
110
  | expired domains | Will show a warning if a package has been found with one of its maintainers having an email address that includes an expired domain | Checks a dependency version for a maintainer with an expired domain
108
- | signatures | Will compare the package's signature as it shows on the registry's pakument with the keys published on the npmjs.com registry
111
+ | signatures | Will compare the package's signature as it shows on the registry's pakument with the keys published on the npmjs.com registry
109
112
  | provenance | Will verify the package's attestations of provenance metadata for the published package
110
113
  | version-maturity | Will show a warning if the specific version being installed was published less than 7 days ago | Helps identify recently published versions that may not have been reviewed by the community yet
111
114
  | newBin | Will show a warning if the package version being installed introduces a new command-line binary (via the `bin` field in `package.json`) that was not present in its previous version. | Helps identify potentially unexpected new executables being added to your `node_modules/.bin/` directory.
112
115
  | typosquatting | Will show a warning if the package name is similar to a popular package name, which could indicate a potential typosquatting attack. | Helps identify packages that may be trying to trick users into installing them by mimicking popular package names.
113
116
  | deprecation | Will show a warning if the package version being installed is deprecated. | Helps identify packages that are no longer maintained or recommended for use.
114
117
 
115
-
116
118
  ### Disabling Marshalls
117
119
 
118
120
  To disable a marshall altogether, set an environment variable using with the marshall's shortname.
119
121
 
120
122
  Example, to disable the Snyk vulnerability marshall:
121
123
 
122
- ```
124
+ ```bash
123
125
  MARSHALL_DISABLE_SNYK=1 npq install express
124
126
  ```
125
127
 
@@ -127,30 +129,30 @@ MARSHALL_DISABLE_SNYK=1 npq install express
127
129
 
128
130
  Here are all the available environment variable names for disabling specific marshalls:
129
131
 
130
- | Marshall Name | Environment Variable | Description |
131
- | --- | --- | --- |
132
- | age | `MARSHALL_DISABLE_AGE` | Disable package age checks |
133
- | author | `MARSHALL_DISABLE_AUTHOR` | Disable package author verification |
134
- | downloads | `MARSHALL_DISABLE_DOWNLOADS` | Disable download count checks |
135
- | expired domains | `MARSHALL_DISABLE_MAINTAINERS_EXPIRED_EMAILS` | Disable expired domain checks for maintainer emails |
136
- | license | `MARSHALL_DISABLE_LICENSE` | Disable license availability checks |
137
- | provenance | `MARSHALL_DISABLE_PROVENANCE` | Disable package provenance verification |
138
- | repo | `MARSHALL_DISABLE_REPO` | Disable repository URL validation |
139
- | scripts | `MARSHALL_DISABLE_SCRIPTS` | Disable pre/post install script checks |
140
- | signatures | `MARSHALL_DISABLE_SIGNATURES` | Disable registry signature verification |
141
- | snyk | `MARSHALL_DISABLE_SNYK` | Disable Snyk vulnerability checks |
142
- | typosquatting | `MARSHALL_DISABLE_TYPOSQUATTING` | Disable typosquatting detection |
143
- | version-maturity | `MARSHALL_DISABLE_VERSION_MATURITY` | Disable version maturity checks |
144
- | newBin | `MARSHALL_DISABLE_NEWBIN` | Disable new binary introduction checks |
145
- | deprecation | `MARSHALL_DISABLE_DEPRECATION` | Disable deprecation checks |
146
-
147
- ### Run checks on package without installing it:
132
+ | Marshall Name | Environment Variable | Description |
133
+ |------------------|-----------------------------------------------|-----------------------------------------------------|
134
+ | age | `MARSHALL_DISABLE_AGE` | Disable package age checks |
135
+ | author | `MARSHALL_DISABLE_AUTHOR` | Disable package author verification |
136
+ | downloads | `MARSHALL_DISABLE_DOWNLOADS` | Disable download count checks |
137
+ | expired domains | `MARSHALL_DISABLE_MAINTAINERS_EXPIRED_EMAILS` | Disable expired domain checks for maintainer emails |
138
+ | license | `MARSHALL_DISABLE_LICENSE` | Disable license availability checks |
139
+ | provenance | `MARSHALL_DISABLE_PROVENANCE` | Disable package provenance verification |
140
+ | repo | `MARSHALL_DISABLE_REPO` | Disable repository URL validation |
141
+ | scripts | `MARSHALL_DISABLE_SCRIPTS` | Disable pre/post install script checks |
142
+ | signatures | `MARSHALL_DISABLE_SIGNATURES` | Disable registry signature verification |
143
+ | snyk | `MARSHALL_DISABLE_SNYK` | Disable Snyk vulnerability checks |
144
+ | typosquatting | `MARSHALL_DISABLE_TYPOSQUATTING` | Disable typosquatting detection |
145
+ | version-maturity | `MARSHALL_DISABLE_VERSION_MATURITY` | Disable version maturity checks |
146
+ | newBin | `MARSHALL_DISABLE_NEWBIN` | Disable new binary introduction checks |
147
+ | deprecation | `MARSHALL_DISABLE_DEPRECATION` | Disable deprecation checks |
148
+
149
+ ### Run checks on package without installing it
148
150
 
149
151
  ```sh
150
152
  npq install express --dry-run
151
153
  ```
152
154
 
153
- ### Force non-rich text output:
155
+ ### Force non-rich text output
154
156
 
155
157
  ```sh
156
158
  npq install express --plain
@@ -166,7 +168,7 @@ npq install express --plain
166
168
  </a>
167
169
  </p>
168
170
 
169
- ![Screenshot 2024-09-12 at 20 14 27](https://github.com/user-attachments/assets/586f3151-eed9-4542-92f1-de9237f6783c)
171
+ ![Screenshot 2024-09-12 at 20 14 27](.github/nodejs-security-screenshot.png)
170
172
 
171
173
  <p>
172
174
  Learn Node.js Secure Coding techniques and best practices from <a href="https://www.lirantal.com">Liran Tal</a>
@@ -175,18 +177,25 @@ npq install express --plain
175
177
  </div>
176
178
 
177
179
  ## FAQ
180
+
178
181
  1. **Can I use NPQ without having npm or yarn?**
182
+
179
183
  * NPQ will audit a package for possible security issues, but it isn't a replacement for npm or yarn. When you choose to continue installing the package, it will offload the installation process to your choice of either npm or yarn.
184
+
180
185
  2. **How is NPQ different from npm audit?**
186
+
181
187
  * `npm install` will install a module even if it has vulnerabilities; NPQ will display the issues detected, and prompt the user for confirmation on whether to proceed installing it.
182
188
  * NPQ will run synthetic checks, called [marshalls](https://github.com/lirantal/npq#marshalls), on the characteristics of a module, such as whether the module you are going to install has a `pre-install` script which can be potentially harmful for your system and prompt you whether to install it. Whereas `npm audit` will not perform any such checks, and only consults a vulnerability database for known security issues.
183
189
  * `npm audit` is closer in functionality to what Snyk does, rather than what NPQ does.
190
+
184
191
  3. **Do I require a Snyk API key in order to use NPQ?**
192
+
185
193
  * It's not required. If NPQ is unable to detect a Snyk API key for the user running NPQ, then it will skip the database vulnerabilities check. We do, however, greatly encourage you to use Snyk, and connect it with NPQ for broader security.
186
194
 
187
195
  ## Contributing
188
196
 
189
- Please consult the [CONTRIBUTING](https://github.com/lirantal/npq/blob/main/CONTRIBUTING.md) for guidelines on contributing to this project
197
+ Please consult the [CONTRIBUTING](CONTRIBUTING.md) for guidelines on contributing to this project
190
198
 
191
199
  ## Author
200
+
192
201
  Liran Tal <liran.tal@gmail.com>
@@ -52,7 +52,7 @@ class PackageRepoUtils {
52
52
  return semver.coerce(version)
53
53
  }
54
54
 
55
- async isPackageInAllowList(packageName) {
55
+ isPackageInAllowList(packageName) {
56
56
  const allowList = ['npq', 'ai', 'bun', 'deno']
57
57
  return allowList.includes(packageName)
58
58
  }
@@ -267,7 +267,7 @@ function marshallResultsToIssuesPerPackage(results) {
267
267
  warnings: []
268
268
  }
269
269
  for (const marshall of allMarshallResultsList) {
270
- for (const [key, value] of Object.entries(marshall)) {
270
+ for (const value of Object.values(marshall)) {
271
271
  if (value.errors && value.errors.length > 0) {
272
272
  const marshallErrors = value.errors.map((error) => {
273
273
  return {
@@ -55,7 +55,7 @@ class Marshall extends BaseMarshall {
55
55
 
56
56
  let firstVersionForUser = null
57
57
  const versionPublishedDateString = pakument.time[packageVersion]
58
- for (const [version, versionMetadata] of Object.entries(pakument.versions)) {
58
+ for (const versionMetadata of Object.values(pakument.versions)) {
59
59
  if (versionMetadata._npmUser && versionMetadata._npmUser.email === npmUser.email) {
60
60
  firstVersionForUser = versionMetadata
61
61
  break
@@ -22,7 +22,7 @@ class Marshall extends BaseMarshall {
22
22
  throw new Error('Package has no LICENSE file available')
23
23
  }
24
24
 
25
- if (licenseContents && licenseContents.indexOf('# Security holding package') === 0) {
25
+ if (licenseContents.indexOf('# Security holding package') === 0) {
26
26
  throw new Error('Package flagged for security issues and served as place-holder')
27
27
  }
28
28
 
@@ -1,6 +1,6 @@
1
1
  'use strict'
2
2
 
3
- const semver = require('semver')
3
+ // const semver = require('semver')
4
4
  const BaseMarshall = require('./baseMarshall')
5
5
  const pacote = require('pacote')
6
6
  const Warning = require('../helpers/warning')
@@ -2,7 +2,6 @@
2
2
 
3
3
  const BaseMarshall = require('./baseMarshall')
4
4
  const Warning = require('../helpers/warning')
5
- const util = require('util')
6
5
  const pacote = require('pacote')
7
6
  const { marshallCategories } = require('./constants')
8
7
 
@@ -52,7 +52,7 @@ class Marshall extends BaseMarshall {
52
52
  throw new Error('Unable to query vulnerabilities for packages')
53
53
  }
54
54
 
55
- if (data && data.issuesCount && data.issuesCount > 0) {
55
+ if (data.issuesCount && data.issuesCount > 0) {
56
56
  if (this.snykApiToken) {
57
57
  const packageSecurityInfo = `${SNYK_PACKAGE_PAGE}${encodeURIComponent(pkg.packageName)}`
58
58
  if (data.isMaliciousPackage) {
@@ -22,7 +22,7 @@ class Marshall extends BaseMarshall {
22
22
  throw new Error('Package has no README file available')
23
23
  }
24
24
 
25
- if (readmeContents && readmeContents.indexOf('# Security holding package') === 0) {
25
+ if (readmeContents.indexOf('# Security holding package') === 0) {
26
26
  throw new Error('Package flagged for security issues and served as place-holder')
27
27
  }
28
28
 
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "npq",
3
- "version": "3.11.0",
3
+ "version": "3.11.1",
4
4
  "description": "marshall your npm/npm package installs with high quality and class 🎖",
5
5
  "bin": {
6
6
  "npq": "./bin/npq.js",
package/scripts/build.js CHANGED
@@ -18,7 +18,6 @@ async function saveTopPackagesToFile() {
18
18
  }
19
19
 
20
20
  async function main() {
21
- const topPackages = await downloadTopPackages()
22
21
  await saveTopPackagesToFile()
23
22
  }
24
23