npq 3.14.0 → 3.15.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -37,9 +37,11 @@ npq install express
37
37
  * Package has a LICENSE file
38
38
  * Package has pre/post install scripts
39
39
 
40
- If npq is prompted to continue with the install, it simply hands over the actual package install job to the package manager (npm by default, or as specified via the `NPQ_PKG_MGR` environment variable). Note that if a package manager is specified via command-line options, it will override the `NPQ_PKG_MGR` environment variable.
40
+ **IMPORTANT**: npq by default uses an auto-continue mode when warnings are detected (no errors), waiting 15 seconds before proceeding with the installation. You can disable this behavior via the `--disable-auto-continue` CLI flag or the `NPQ_DISABLE_AUTO_CONTINUE=true` environment variable to enforce a strict review and security hardened installs. See [the auto-continue documentation](docs/feature/auto-continue.md) for more details.
41
41
 
42
- DISCLAIMER: there's no guaranteed absolute safety; a malicious or vulnerable package could still exist that has no security vulnerabilities publicly disclosed and passes npq's checks.
42
+ When npq completes its signal checks it hands over the actual package install job to the package manager (npm by default, or as specified via the `NPQ_PKG_MGR` environment variable).
43
+
44
+ **DISCLAIMER**: there's no guaranteed absolute safety; a malicious or vulnerable package could still exist that has no security vulnerabilities publicly disclosed and passes npq's checks.
43
45
 
44
46
  ## Demo
45
47
 
@@ -81,12 +83,24 @@ If you're using `yarn`, `pnpm`, or generally want to explicitly tell npq which p
81
83
 
82
84
  Examples:
83
85
 
84
- **Using yarn:**
86
+ **Using yarn 1.x:**
85
87
 
86
88
  ```bash
87
89
  alias yarn="NPQ_PKG_MGR=yarn npq-hero"
88
90
  ```
89
91
 
92
+ **Using yarn 4.x:**
93
+
94
+ ```bash
95
+ NPQ_PKG_MGR=yarn yarn run npq-hero
96
+ ```
97
+
98
+ or
99
+
100
+ ```bash
101
+ NPQ_PKG_MGR=yarn yarn exec npq-hero
102
+ ```
103
+
90
104
  **Using pnpm:**
91
105
 
92
106
  ```bash
@@ -165,6 +179,31 @@ npq install express --dry-run
165
179
  npq install express --plain
166
180
  ```
167
181
 
182
+ ### Disable auto-continue countdown
183
+
184
+ By default, when npq detects only warnings (no errors), it automatically proceeds with installation after a 15-second countdown. To disable this behavior and always require explicit confirmation:
185
+
186
+ **Using the CLI flag:**
187
+
188
+ ```sh
189
+ npq install express --disable-auto-continue
190
+ ```
191
+
192
+ **Using the environment variable:**
193
+
194
+ ```sh
195
+ export NPQ_DISABLE_AUTO_CONTINUE=true
196
+ npq install express
197
+ ```
198
+
199
+ Or set it permanently in your shell profile (`.bashrc`, `.zshrc`, etc.):
200
+
201
+ ```sh
202
+ export NPQ_DISABLE_AUTO_CONTINUE=true
203
+ ```
204
+
205
+ When auto-continue is disabled, npq will always prompt for explicit confirmation before proceeding with installation, even when only warnings are detected.
206
+
168
207
  ## Learn Node.js Security
169
208
 
170
209
  <div align="center">
@@ -185,17 +224,21 @@ npq install express --plain
185
224
 
186
225
  ## FAQ
187
226
 
188
- 1. **Can I use NPQ without having npm or yarn?**
227
+ 1. **What is the difference between `npq` and `npq-hero`?**
228
+
229
+ * `npq` is meant to be its own stand-alone CLI so it has command line flags like `--dry-run` and others (see `npq --help`). However, when you want to alias the `npm` CLI to NPQ you should use `npq-hero` as the executable of the alias to npm (e.g: `alias npm=npq`), which means `npq-hero` can't have its own command-line flags because they could conflict with the `npm` executable.
230
+
231
+ 2. **Can I use NPQ without having npm or yarn?**
189
232
 
190
233
  * NPQ will audit a package for possible security issues, but it isn't a replacement for npm or yarn. When you choose to continue installing the package, it will offload the installation process to your choice of either npm or yarn.
191
234
 
192
- 2. **How is NPQ different from npm audit?**
235
+ 3. **How is NPQ different from npm audit?**
193
236
 
194
237
  * `npm install` will install a module even if it has vulnerabilities; NPQ will display the issues detected, and prompt the user for confirmation on whether to proceed installing it.
195
238
  * NPQ will run synthetic checks, called [marshalls](https://github.com/lirantal/npq#marshalls), on the characteristics of a module, such as whether the module you are going to install has a `pre-install` script which can be potentially harmful for your system and prompt you whether to install it. Whereas `npm audit` will not perform any such checks, and only consults a vulnerability database for known security issues.
196
239
  * `npm audit` is closer in functionality to what Snyk does, rather than what NPQ does.
197
240
 
198
- 3. **Do I require a Snyk API key in order to use NPQ?**
241
+ 4. **Do I require a Snyk API key in order to use NPQ?**
199
242
 
200
243
  * It's not required. If NPQ is unable to detect a Snyk API key for the user running NPQ, then it will skip the database vulnerabilities check. We do, however, greatly encourage you to use Snyk, and connect it with NPQ for broader security.
201
244
 
package/bin/npq-hero.js CHANGED
@@ -14,6 +14,7 @@ const { Spinner } = require('../lib/helpers/cliSpinner')
14
14
  const { promiseThrottleHelper } = require('../lib/helpers/promiseThrottler')
15
15
 
16
16
  const PACKAGE_MANAGER_TOOL = process.env.NPQ_PKG_MGR
17
+ const DISABLE_AUTO_CONTINUE = process.env.NPQ_DISABLE_AUTO_CONTINUE === 'true'
17
18
 
18
19
  const cliArgs = CliParser.parseArgsMinimal()
19
20
 
@@ -80,6 +81,14 @@ marshall
80
81
  } else {
81
82
  if (result && result.countWarnings > 0) {
82
83
  console.log()
84
+ // Check if auto-continue is disabled via environment variable
85
+ if (DISABLE_AUTO_CONTINUE) {
86
+ return cliPrompt.prompt({
87
+ name: 'install',
88
+ message: 'Continue install ?',
89
+ default: false
90
+ })
91
+ }
83
92
  return cliPrompt.autoContinue({
84
93
  name: 'install',
85
94
  message: 'Auto-continue with install in... ',
package/bin/npq.js CHANGED
@@ -106,6 +106,14 @@ Promise.resolve()
106
106
  } else {
107
107
  if (result && result.countWarnings > 0) {
108
108
  console.log()
109
+ // Check if auto-continue is disabled via CLI flag or environment variable
110
+ if (cliArgs.disableAutoContinue) {
111
+ return cliPrompt.prompt({
112
+ name: 'install',
113
+ message: 'Continue install ?',
114
+ default: false
115
+ })
116
+ }
109
117
  return cliPrompt.autoContinue({
110
118
  name: 'install',
111
119
  message: 'Auto-continue with install in... ',
package/lib/cli.js CHANGED
@@ -67,6 +67,7 @@ class CliParser {
67
67
  plain: { type: 'boolean' },
68
68
  packageManager: { type: 'string' },
69
69
  pkgMgr: { type: 'string' },
70
+ 'disable-auto-continue': { type: 'boolean' },
70
71
  help: { type: 'boolean', short: 'h' },
71
72
  version: { type: 'boolean', short: 'v' }
72
73
  }
@@ -87,12 +88,17 @@ Commands:
87
88
  install [package...] install a package
88
89
 
89
90
  Options:
90
- --dry-run Run checks only, don't install
91
- --plain Force non-rich text output
92
- --packageManager Package Manager to use (default: npm)
93
- --pkgMgr Alias for packageManager
94
- -h, --help Show help
95
- -v, --version Show version
91
+ --dry-run Run checks only, don't install
92
+ --plain Force non-rich text output
93
+ --packageManager Package Manager to use (default: npm)
94
+ --pkgMgr Alias for packageManager
95
+ --disable-auto-continue Disable auto-continue countdown, always prompt
96
+ -h, --help Show help
97
+ -v, --version Show version
98
+
99
+ Environment Variables:
100
+ NPQ_PKG_MGR Package manager to use (default: npm)
101
+ NPQ_DISABLE_AUTO_CONTINUE Set to 'true' to disable auto-continue
96
102
 
97
103
  Examples:
98
104
  npq install express
@@ -114,7 +120,9 @@ curated by Liran Tal at https://github.com/lirantal/npq`)
114
120
  packages: normalizedPackages,
115
121
  packageManager: values.packageManager || values.pkgMgr || process.env.NPQ_PKG_MGR || 'npm',
116
122
  dryRun: values['dry-run'] || false,
117
- plain: values.plain || false
123
+ plain: values.plain || false,
124
+ disableAutoContinue:
125
+ values['disable-auto-continue'] || process.env.NPQ_DISABLE_AUTO_CONTINUE === 'true'
118
126
  }
119
127
  }
120
128
 
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "npq",
3
- "version": "3.14.0",
3
+ "version": "3.15.1",
4
4
  "description": "marshall your npm/npm package installs with high quality and class 🎖",
5
5
  "bin": {
6
6
  "npq": "./bin/npq.js",
@@ -45,7 +45,7 @@
45
45
  "dependencies": {
46
46
  "fastest-levenshtein": "^1.0.16",
47
47
  "npm-package-arg": "^13.0.0",
48
- "semver": "^7.7.2",
48
+ "semver": "^7.7.3",
49
49
  "sigstore": "^3.1.0",
50
50
  "ssri": "^12.0.0"
51
51
  },