npq 3.14.0 → 3.15.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +49 -6
- package/bin/npq-hero.js +9 -0
- package/bin/npq.js +8 -0
- package/lib/cli.js +15 -7
- package/package.json +2 -2
package/README.md
CHANGED
|
@@ -37,9 +37,11 @@ npq install express
|
|
|
37
37
|
* Package has a LICENSE file
|
|
38
38
|
* Package has pre/post install scripts
|
|
39
39
|
|
|
40
|
-
|
|
40
|
+
**IMPORTANT**: npq by default uses an auto-continue mode when warnings are detected (no errors), waiting 15 seconds before proceeding with the installation. You can disable this behavior via the `--disable-auto-continue` CLI flag or the `NPQ_DISABLE_AUTO_CONTINUE=true` environment variable to enforce a strict review and security hardened installs. See [the auto-continue documentation](docs/feature/auto-continue.md) for more details.
|
|
41
41
|
|
|
42
|
-
|
|
42
|
+
When npq completes its signal checks it hands over the actual package install job to the package manager (npm by default, or as specified via the `NPQ_PKG_MGR` environment variable).
|
|
43
|
+
|
|
44
|
+
**DISCLAIMER**: there's no guaranteed absolute safety; a malicious or vulnerable package could still exist that has no security vulnerabilities publicly disclosed and passes npq's checks.
|
|
43
45
|
|
|
44
46
|
## Demo
|
|
45
47
|
|
|
@@ -81,12 +83,24 @@ If you're using `yarn`, `pnpm`, or generally want to explicitly tell npq which p
|
|
|
81
83
|
|
|
82
84
|
Examples:
|
|
83
85
|
|
|
84
|
-
**Using yarn:**
|
|
86
|
+
**Using yarn 1.x:**
|
|
85
87
|
|
|
86
88
|
```bash
|
|
87
89
|
alias yarn="NPQ_PKG_MGR=yarn npq-hero"
|
|
88
90
|
```
|
|
89
91
|
|
|
92
|
+
**Using yarn 4.x:**
|
|
93
|
+
|
|
94
|
+
```bash
|
|
95
|
+
NPQ_PKG_MGR=yarn yarn run npq-hero
|
|
96
|
+
```
|
|
97
|
+
|
|
98
|
+
or
|
|
99
|
+
|
|
100
|
+
```bash
|
|
101
|
+
NPQ_PKG_MGR=yarn yarn exec npq-hero
|
|
102
|
+
```
|
|
103
|
+
|
|
90
104
|
**Using pnpm:**
|
|
91
105
|
|
|
92
106
|
```bash
|
|
@@ -165,6 +179,31 @@ npq install express --dry-run
|
|
|
165
179
|
npq install express --plain
|
|
166
180
|
```
|
|
167
181
|
|
|
182
|
+
### Disable auto-continue countdown
|
|
183
|
+
|
|
184
|
+
By default, when npq detects only warnings (no errors), it automatically proceeds with installation after a 15-second countdown. To disable this behavior and always require explicit confirmation:
|
|
185
|
+
|
|
186
|
+
**Using the CLI flag:**
|
|
187
|
+
|
|
188
|
+
```sh
|
|
189
|
+
npq install express --disable-auto-continue
|
|
190
|
+
```
|
|
191
|
+
|
|
192
|
+
**Using the environment variable:**
|
|
193
|
+
|
|
194
|
+
```sh
|
|
195
|
+
export NPQ_DISABLE_AUTO_CONTINUE=true
|
|
196
|
+
npq install express
|
|
197
|
+
```
|
|
198
|
+
|
|
199
|
+
Or set it permanently in your shell profile (`.bashrc`, `.zshrc`, etc.):
|
|
200
|
+
|
|
201
|
+
```sh
|
|
202
|
+
export NPQ_DISABLE_AUTO_CONTINUE=true
|
|
203
|
+
```
|
|
204
|
+
|
|
205
|
+
When auto-continue is disabled, npq will always prompt for explicit confirmation before proceeding with installation, even when only warnings are detected.
|
|
206
|
+
|
|
168
207
|
## Learn Node.js Security
|
|
169
208
|
|
|
170
209
|
<div align="center">
|
|
@@ -185,17 +224,21 @@ npq install express --plain
|
|
|
185
224
|
|
|
186
225
|
## FAQ
|
|
187
226
|
|
|
188
|
-
1. **
|
|
227
|
+
1. **What is the difference between `npq` and `npq-hero`?**
|
|
228
|
+
|
|
229
|
+
* `npq` is meant to be its own stand-alone CLI so it has command line flags like `--dry-run` and others (see `npq --help`). However, when you want to alias the `npm` CLI to NPQ you should use `npq-hero` as the executable of the alias to npm (e.g: `alias npm=npq`), which means `npq-hero` can't have its own command-line flags because they could conflict with the `npm` executable.
|
|
230
|
+
|
|
231
|
+
2. **Can I use NPQ without having npm or yarn?**
|
|
189
232
|
|
|
190
233
|
* NPQ will audit a package for possible security issues, but it isn't a replacement for npm or yarn. When you choose to continue installing the package, it will offload the installation process to your choice of either npm or yarn.
|
|
191
234
|
|
|
192
|
-
|
|
235
|
+
3. **How is NPQ different from npm audit?**
|
|
193
236
|
|
|
194
237
|
* `npm install` will install a module even if it has vulnerabilities; NPQ will display the issues detected, and prompt the user for confirmation on whether to proceed installing it.
|
|
195
238
|
* NPQ will run synthetic checks, called [marshalls](https://github.com/lirantal/npq#marshalls), on the characteristics of a module, such as whether the module you are going to install has a `pre-install` script which can be potentially harmful for your system and prompt you whether to install it. Whereas `npm audit` will not perform any such checks, and only consults a vulnerability database for known security issues.
|
|
196
239
|
* `npm audit` is closer in functionality to what Snyk does, rather than what NPQ does.
|
|
197
240
|
|
|
198
|
-
|
|
241
|
+
4. **Do I require a Snyk API key in order to use NPQ?**
|
|
199
242
|
|
|
200
243
|
* It's not required. If NPQ is unable to detect a Snyk API key for the user running NPQ, then it will skip the database vulnerabilities check. We do, however, greatly encourage you to use Snyk, and connect it with NPQ for broader security.
|
|
201
244
|
|
package/bin/npq-hero.js
CHANGED
|
@@ -14,6 +14,7 @@ const { Spinner } = require('../lib/helpers/cliSpinner')
|
|
|
14
14
|
const { promiseThrottleHelper } = require('../lib/helpers/promiseThrottler')
|
|
15
15
|
|
|
16
16
|
const PACKAGE_MANAGER_TOOL = process.env.NPQ_PKG_MGR
|
|
17
|
+
const DISABLE_AUTO_CONTINUE = process.env.NPQ_DISABLE_AUTO_CONTINUE === 'true'
|
|
17
18
|
|
|
18
19
|
const cliArgs = CliParser.parseArgsMinimal()
|
|
19
20
|
|
|
@@ -80,6 +81,14 @@ marshall
|
|
|
80
81
|
} else {
|
|
81
82
|
if (result && result.countWarnings > 0) {
|
|
82
83
|
console.log()
|
|
84
|
+
// Check if auto-continue is disabled via environment variable
|
|
85
|
+
if (DISABLE_AUTO_CONTINUE) {
|
|
86
|
+
return cliPrompt.prompt({
|
|
87
|
+
name: 'install',
|
|
88
|
+
message: 'Continue install ?',
|
|
89
|
+
default: false
|
|
90
|
+
})
|
|
91
|
+
}
|
|
83
92
|
return cliPrompt.autoContinue({
|
|
84
93
|
name: 'install',
|
|
85
94
|
message: 'Auto-continue with install in... ',
|
package/bin/npq.js
CHANGED
|
@@ -106,6 +106,14 @@ Promise.resolve()
|
|
|
106
106
|
} else {
|
|
107
107
|
if (result && result.countWarnings > 0) {
|
|
108
108
|
console.log()
|
|
109
|
+
// Check if auto-continue is disabled via CLI flag or environment variable
|
|
110
|
+
if (cliArgs.disableAutoContinue) {
|
|
111
|
+
return cliPrompt.prompt({
|
|
112
|
+
name: 'install',
|
|
113
|
+
message: 'Continue install ?',
|
|
114
|
+
default: false
|
|
115
|
+
})
|
|
116
|
+
}
|
|
109
117
|
return cliPrompt.autoContinue({
|
|
110
118
|
name: 'install',
|
|
111
119
|
message: 'Auto-continue with install in... ',
|
package/lib/cli.js
CHANGED
|
@@ -67,6 +67,7 @@ class CliParser {
|
|
|
67
67
|
plain: { type: 'boolean' },
|
|
68
68
|
packageManager: { type: 'string' },
|
|
69
69
|
pkgMgr: { type: 'string' },
|
|
70
|
+
'disable-auto-continue': { type: 'boolean' },
|
|
70
71
|
help: { type: 'boolean', short: 'h' },
|
|
71
72
|
version: { type: 'boolean', short: 'v' }
|
|
72
73
|
}
|
|
@@ -87,12 +88,17 @@ Commands:
|
|
|
87
88
|
install [package...] install a package
|
|
88
89
|
|
|
89
90
|
Options:
|
|
90
|
-
--dry-run
|
|
91
|
-
--plain
|
|
92
|
-
--packageManager
|
|
93
|
-
--pkgMgr
|
|
94
|
-
|
|
95
|
-
-
|
|
91
|
+
--dry-run Run checks only, don't install
|
|
92
|
+
--plain Force non-rich text output
|
|
93
|
+
--packageManager Package Manager to use (default: npm)
|
|
94
|
+
--pkgMgr Alias for packageManager
|
|
95
|
+
--disable-auto-continue Disable auto-continue countdown, always prompt
|
|
96
|
+
-h, --help Show help
|
|
97
|
+
-v, --version Show version
|
|
98
|
+
|
|
99
|
+
Environment Variables:
|
|
100
|
+
NPQ_PKG_MGR Package manager to use (default: npm)
|
|
101
|
+
NPQ_DISABLE_AUTO_CONTINUE Set to 'true' to disable auto-continue
|
|
96
102
|
|
|
97
103
|
Examples:
|
|
98
104
|
npq install express
|
|
@@ -114,7 +120,9 @@ curated by Liran Tal at https://github.com/lirantal/npq`)
|
|
|
114
120
|
packages: normalizedPackages,
|
|
115
121
|
packageManager: values.packageManager || values.pkgMgr || process.env.NPQ_PKG_MGR || 'npm',
|
|
116
122
|
dryRun: values['dry-run'] || false,
|
|
117
|
-
plain: values.plain || false
|
|
123
|
+
plain: values.plain || false,
|
|
124
|
+
disableAutoContinue:
|
|
125
|
+
values['disable-auto-continue'] || process.env.NPQ_DISABLE_AUTO_CONTINUE === 'true'
|
|
118
126
|
}
|
|
119
127
|
}
|
|
120
128
|
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "npq",
|
|
3
|
-
"version": "3.
|
|
3
|
+
"version": "3.15.1",
|
|
4
4
|
"description": "marshall your npm/npm package installs with high quality and class 🎖",
|
|
5
5
|
"bin": {
|
|
6
6
|
"npq": "./bin/npq.js",
|
|
@@ -45,7 +45,7 @@
|
|
|
45
45
|
"dependencies": {
|
|
46
46
|
"fastest-levenshtein": "^1.0.16",
|
|
47
47
|
"npm-package-arg": "^13.0.0",
|
|
48
|
-
"semver": "^7.7.
|
|
48
|
+
"semver": "^7.7.3",
|
|
49
49
|
"sigstore": "^3.1.0",
|
|
50
50
|
"ssri": "^12.0.0"
|
|
51
51
|
},
|