npq 3.15.0 → 3.15.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/README.md +24 -4
  2. package/package.json +1 -1
package/README.md CHANGED
@@ -83,12 +83,24 @@ If you're using `yarn`, `pnpm`, or generally want to explicitly tell npq which p
83
83
 
84
84
  Examples:
85
85
 
86
- **Using yarn:**
86
+ **Using yarn 1.x:**
87
87
 
88
88
  ```bash
89
89
  alias yarn="NPQ_PKG_MGR=yarn npq-hero"
90
90
  ```
91
91
 
92
+ **Using yarn 4.x:**
93
+
94
+ ```bash
95
+ NPQ_PKG_MGR=yarn yarn run npq-hero
96
+ ```
97
+
98
+ or
99
+
100
+ ```bash
101
+ NPQ_PKG_MGR=yarn yarn exec npq-hero
102
+ ```
103
+
92
104
  **Using pnpm:**
93
105
 
94
106
  ```bash
@@ -212,20 +224,28 @@ When auto-continue is disabled, npq will always prompt for explicit confirmation
212
224
 
213
225
  ## FAQ
214
226
 
215
- 1. **Can I use NPQ without having npm or yarn?**
227
+ 1. **What is the difference between `npq` and `npq-hero`?**
228
+
229
+ * `npq` is meant to be its own stand-alone CLI so it has command line flags like `--dry-run` and others (see `npq --help`). However, when you want to alias the `npm` CLI to NPQ you should use `npq-hero` as the executable of the alias to npm (e.g: `alias npm=npq`), which means `npq-hero` can't have its own command-line flags because they could conflict with the `npm` executable.
230
+
231
+ 2. **Can I use NPQ without having npm or yarn?**
216
232
 
217
233
  * NPQ will audit a package for possible security issues, but it isn't a replacement for npm or yarn. When you choose to continue installing the package, it will offload the installation process to your choice of either npm or yarn.
218
234
 
219
- 2. **How is NPQ different from npm audit?**
235
+ 3. **How is NPQ different from npm audit?**
220
236
 
221
237
  * `npm install` will install a module even if it has vulnerabilities; NPQ will display the issues detected, and prompt the user for confirmation on whether to proceed installing it.
222
238
  * NPQ will run synthetic checks, called [marshalls](https://github.com/lirantal/npq#marshalls), on the characteristics of a module, such as whether the module you are going to install has a `pre-install` script which can be potentially harmful for your system and prompt you whether to install it. Whereas `npm audit` will not perform any such checks, and only consults a vulnerability database for known security issues.
223
239
  * `npm audit` is closer in functionality to what Snyk does, rather than what NPQ does.
224
240
 
225
- 3. **Do I require a Snyk API key in order to use NPQ?**
241
+ 4. **Do I require a Snyk API key in order to use NPQ?**
226
242
 
227
243
  * It's not required. If NPQ is unable to detect a Snyk API key for the user running NPQ, then it will skip the database vulnerabilities check. We do, however, greatly encourage you to use Snyk, and connect it with NPQ for broader security.
228
244
 
245
+ 5. **Why is NPQ connecting to external domains like gmail.com or personal websites during installation?**
246
+
247
+ * This is not telemetry. NPQ does not collect any usage data. When auditing a package, NPQ fetches the maintainers/authors of the dependency and checks their email addresses to verify they are valid and not associated with expired domains. Expired domains can be abused by attackers for account takeover (ATO) attacks to compromise packages with malicious versions. Hence, NPQ may make DNS requests to domains like `gmail.com` or personal domains found in maintainer emails. Additionally, NPQ makes HTTP requests to `osv.dev` to fetch security vulnerability data (or uses Snyk if configured, as a prioritized option).
248
+
229
249
  ## Contributing
230
250
 
231
251
  Please consult the [CONTRIBUTING](CONTRIBUTING.md) for guidelines on contributing to this project
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "npq",
3
- "version": "3.15.0",
3
+ "version": "3.15.2",
4
4
  "description": "marshall your npm/npm package installs with high quality and class 🎖",
5
5
  "bin": {
6
6
  "npq": "./bin/npq.js",