npq 3.15.0 → 3.15.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +24 -4
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -83,12 +83,24 @@ If you're using `yarn`, `pnpm`, or generally want to explicitly tell npq which p
|
|
|
83
83
|
|
|
84
84
|
Examples:
|
|
85
85
|
|
|
86
|
-
**Using yarn:**
|
|
86
|
+
**Using yarn 1.x:**
|
|
87
87
|
|
|
88
88
|
```bash
|
|
89
89
|
alias yarn="NPQ_PKG_MGR=yarn npq-hero"
|
|
90
90
|
```
|
|
91
91
|
|
|
92
|
+
**Using yarn 4.x:**
|
|
93
|
+
|
|
94
|
+
```bash
|
|
95
|
+
NPQ_PKG_MGR=yarn yarn run npq-hero
|
|
96
|
+
```
|
|
97
|
+
|
|
98
|
+
or
|
|
99
|
+
|
|
100
|
+
```bash
|
|
101
|
+
NPQ_PKG_MGR=yarn yarn exec npq-hero
|
|
102
|
+
```
|
|
103
|
+
|
|
92
104
|
**Using pnpm:**
|
|
93
105
|
|
|
94
106
|
```bash
|
|
@@ -212,20 +224,28 @@ When auto-continue is disabled, npq will always prompt for explicit confirmation
|
|
|
212
224
|
|
|
213
225
|
## FAQ
|
|
214
226
|
|
|
215
|
-
1. **
|
|
227
|
+
1. **What is the difference between `npq` and `npq-hero`?**
|
|
228
|
+
|
|
229
|
+
* `npq` is meant to be its own stand-alone CLI so it has command line flags like `--dry-run` and others (see `npq --help`). However, when you want to alias the `npm` CLI to NPQ you should use `npq-hero` as the executable of the alias to npm (e.g: `alias npm=npq`), which means `npq-hero` can't have its own command-line flags because they could conflict with the `npm` executable.
|
|
230
|
+
|
|
231
|
+
2. **Can I use NPQ without having npm or yarn?**
|
|
216
232
|
|
|
217
233
|
* NPQ will audit a package for possible security issues, but it isn't a replacement for npm or yarn. When you choose to continue installing the package, it will offload the installation process to your choice of either npm or yarn.
|
|
218
234
|
|
|
219
|
-
|
|
235
|
+
3. **How is NPQ different from npm audit?**
|
|
220
236
|
|
|
221
237
|
* `npm install` will install a module even if it has vulnerabilities; NPQ will display the issues detected, and prompt the user for confirmation on whether to proceed installing it.
|
|
222
238
|
* NPQ will run synthetic checks, called [marshalls](https://github.com/lirantal/npq#marshalls), on the characteristics of a module, such as whether the module you are going to install has a `pre-install` script which can be potentially harmful for your system and prompt you whether to install it. Whereas `npm audit` will not perform any such checks, and only consults a vulnerability database for known security issues.
|
|
223
239
|
* `npm audit` is closer in functionality to what Snyk does, rather than what NPQ does.
|
|
224
240
|
|
|
225
|
-
|
|
241
|
+
4. **Do I require a Snyk API key in order to use NPQ?**
|
|
226
242
|
|
|
227
243
|
* It's not required. If NPQ is unable to detect a Snyk API key for the user running NPQ, then it will skip the database vulnerabilities check. We do, however, greatly encourage you to use Snyk, and connect it with NPQ for broader security.
|
|
228
244
|
|
|
245
|
+
5. **Why is NPQ connecting to external domains like gmail.com or personal websites during installation?**
|
|
246
|
+
|
|
247
|
+
* This is not telemetry. NPQ does not collect any usage data. When auditing a package, NPQ fetches the maintainers/authors of the dependency and checks their email addresses to verify they are valid and not associated with expired domains. Expired domains can be abused by attackers for account takeover (ATO) attacks to compromise packages with malicious versions. Hence, NPQ may make DNS requests to domains like `gmail.com` or personal domains found in maintainer emails. Additionally, NPQ makes HTTP requests to `osv.dev` to fetch security vulnerability data (or uses Snyk if configured, as a prioritized option).
|
|
248
|
+
|
|
229
249
|
## Contributing
|
|
230
250
|
|
|
231
251
|
Please consult the [CONTRIBUTING](CONTRIBUTING.md) for guidelines on contributing to this project
|