npq 3.15.1 → 3.15.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +4 -0
- package/package.json +2 -2
package/README.md
CHANGED
|
@@ -242,6 +242,10 @@ When auto-continue is disabled, npq will always prompt for explicit confirmation
|
|
|
242
242
|
|
|
243
243
|
* It's not required. If NPQ is unable to detect a Snyk API key for the user running NPQ, then it will skip the database vulnerabilities check. We do, however, greatly encourage you to use Snyk, and connect it with NPQ for broader security.
|
|
244
244
|
|
|
245
|
+
5. **Why is NPQ connecting to external domains like gmail.com or personal websites during installation?**
|
|
246
|
+
|
|
247
|
+
* This is not telemetry. NPQ does not collect any usage data. When auditing a package, NPQ fetches the maintainers/authors of the dependency and checks their email addresses to verify they are valid and not associated with expired domains. Expired domains can be abused by attackers for account takeover (ATO) attacks to compromise packages with malicious versions. Hence, NPQ may make DNS requests to domains like `gmail.com` or personal domains found in maintainer emails. Additionally, NPQ makes HTTP requests to `osv.dev` to fetch security vulnerability data (or uses Snyk if configured, as a prioritized option).
|
|
248
|
+
|
|
245
249
|
## Contributing
|
|
246
250
|
|
|
247
251
|
Please consult the [CONTRIBUTING](CONTRIBUTING.md) for guidelines on contributing to this project
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "npq",
|
|
3
|
-
"version": "3.15.
|
|
3
|
+
"version": "3.15.3",
|
|
4
4
|
"description": "marshall your npm/npm package installs with high quality and class 🎖",
|
|
5
5
|
"bin": {
|
|
6
6
|
"npq": "./bin/npq.js",
|
|
@@ -44,7 +44,7 @@
|
|
|
44
44
|
},
|
|
45
45
|
"dependencies": {
|
|
46
46
|
"fastest-levenshtein": "^1.0.16",
|
|
47
|
-
"npm-package-arg": "^13.0.
|
|
47
|
+
"npm-package-arg": "^13.0.2",
|
|
48
48
|
"semver": "^7.7.3",
|
|
49
49
|
"sigstore": "^3.1.0",
|
|
50
50
|
"ssri": "^12.0.0"
|