• Stars
    star
    917
  • Rank 49,814 (Top 1.0 %)
  • Language
    JavaScript
  • License
    Apache License 2.0
  • Created about 7 years ago
  • Updated 10 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

🎖safely* install packages with npm or yarn by auditing them as part of your install process



safely* install packages with npm/yarn by auditing them as part of your install process

npm npm codecov Build Status Known Vulnerabilities Security Responsible Disclosure

npq

npq-demo-3-final

Media coverage about npq:

About

Once npq is installed, you can safely* install packages:

npq install express

npq will perform the following steps to sanity check that the package is safe by employing syntactic heuristics and querying a CVE database:

  • Consult the snyk.io database of publicly disclosed vulnerabilities to check if a security vulnerability exists for this package and its version.
  • Package age on npm
  • Package download count as a popularity metric
  • Package has a README file
  • Package has a LICENSE file
  • Package has pre/post install scripts

If npq is prompted to continue with the install, it simply hands over the actual package install job to the package manager (npm by default).

safely* - there's no guaranteed safety; a malicious or vulnerable package could still exist that has no security vulnerabilities publicly disclosed and passes npq's checks.

Install

npm install -g npq

Note: we recommend installing with npm rather than yarn. That way, npq can automatically install shell aliases for you.

Usage

Install packages with npq:

npq install express

Embed in your day to day

Since npq is a pre-step to ensure that the npm package you're installing is safe, you can safely embed it in your day-to-day npm usage so there's no need to remember to run npq explicitly.

alias npm='npq-hero'

Offload to package managers

If you're using yarn, or generally want to explicitly tell npq which package manager to use you can specify an environment variable: NPQ_PKG_MGR=yarn

Example: create an alias with yarn as the package manager:

alias yarn="NPQ_PKG_MGR=yarn npq-hero"

Note: npq by default will offload all commands and their arguments to the npm package manager after it finished its due-diligence for the respective packages.

Marshalls

Marshall Name Description Notes
age Will show a warning for a package if its age on npm is less than 22 days Checks a package creation date, not a specific version
author Will show a warning if a package has been found without an author field Checks the latest version for an author
downloads Will show a warning for a package if its download count in the last month is less than 20
readme Will show a warning if a package has no README or it has been detected as a security placeholder package by npm staff
repo Will show a warning if a package has been found without a valid and working repository URL Checks the latest version for a repository URL
scripts Will show a warning if a package has a pre/post install script which could potentially be malicious
snyk Will show a warning if a package has been found with vulnerabilities in Snyk's database For Snyk to work you need to either have the snyk npm package installed with a valid api token, or make the token available in the SNYK_TOKEN environment variable, and npq will use it
license Will show a warning if a package has been found without a license field Checks the latest version for a license
expired domains Will show a warning if a package has been found with one of its maintainers having an email address that includes an expired domain Checks a dependency version for a maintainer with an expired domain

Disabling Marshalls

To disable a marshall altogether, set an environment variable using with the marshall's shortname.

Example, to disable the Snyk vulnerability marshall:

MARSHALL_DISABLE_SNYK=1 npq install express

Run checks on package without installing it:

npq install express --dry-run

Using with TravisCI

An example of using lockfile-lint with a .travis.yml configuration as part of your build:

language: node_js
before_script:
  - npx lockfile-lint --path package-lock.json --validate-https --allowed-hosts npm
install:
  - yarn install
script:
  - yarn run test

FAQ

  1. Can I use NPQ without having npm or yarn?
  • NPQ will audit a package for possible security issues, but it isn't a replacement for npm or yarn. When you choose to continue installing the package, it will offload the installation process to your choice of either npm or yarn.
  1. How is NPQ different from npm audit?
  • npm install will install a module even if it has vulnerabilities; NPQ will display the issues detected, and prompt the user for confirmation on whether to proceed installing it.
  • NPQ will run synthetic checks, called marshalls, on the characteristics of a module, such as whether the module you are going to install has a pre-install script which can be potentially harmful for your system and prompt you whether to install it. Whereas npm audit will not perform any such checks, and only consults a vulnerability database for known security issues.
  • npm audit is closer in functionality to what Snyk does, rather than what NPQ does.
  1. Do I require a Snyk API key in order to use NPQ?
  • It's not required. If NPQ is unable to detect a Snyk API key for the user running NPQ, then it will skip the database vulnerabilities check. We do, however, greatly encourage you to use Snyk, and connect it with NPQ for broader security.

Contributing

Please consult the CONTRIBUTING for guidelines on contributing to this project

Author

Liran Tal [email protected]

More Repositories

1

dockly

Immersive terminal interface for managing docker containers and services
JavaScript
3,787
star
2

nodejs-cli-apps-best-practices

The largest Node.js CLI Apps best practices list ✨
3,502
star
3

awesome-nodejs-security

Awesome Node.js Security resources
2,723
star
4

is-website-vulnerable

finds publicly known security vulnerabilities in a website's frontend JavaScript libraries
JavaScript
1,933
star
5

lockfile-lint

Lint an npm or yarn lockfile to analyze and detect security issues
JavaScript
784
star
6

daloradius

daloRADIUS is an advanced RADIUS web management application for managing hotspots and general-purpose ISP deployments. It features user management, graphical reporting, accounting, a billing engine, and integrates with OpenStreetMap for geolocation. The system is based on FreeRADIUS with which it shares access to the backend database.
PHP
649
star
7

awesome-opensource-israel

A curated list of Israeli-made projects, events, and individuals
367
star
8

cypress-social-logins

Cypress authentication flows using social network providers
JavaScript
232
star
9

express-version-route

A Node.js express middleware that implements API versioning for route controllers
JavaScript
91
star
10

essential-nodejs-security-book

Documentation for Essential Node.js Security
JavaScript
79
star
11

awesome-contract-testing

Awesome resources for Consumer-Driven Contract Testing
76
star
12

eslint-plugin-anti-trojan-source

ESLint plugin to detect and stop Trojan Source attacks
JavaScript
69
star
13

detect-secrets

A developer-friendly secrets detection tool for CI and pre-commit hooks based on Yelp's detect-secrets
JavaScript
45
star
14

anti-trojan-source

Detect trojan source attacks that employ unicode bidi attacks to inject malicious code
JavaScript
40
star
15

licenseye

Node.js CLI tool to visualize an aggregate list of your dependencies' licenses
JavaScript
38
star
16

create-node-lib

Scaffold a batteries-included Node.js library project with docs, tests, semantic releases and more
JavaScript
31
star
17

pie-my-vulns

Visualize your project security vulnerabilities as a pie chart in the terminal
JavaScript
24
star
18

codeigniter-menu

Menu Navigation extension for CodeIgniter PHP framework
PHP
19
star
19

women-of-open-source-israel

WOSI - Women of Open Source Israel 🇮🇱
19
star
20

learning-http-security-headers-book

Hands-on practical use of HTTP security headers as browser security controls to help secure web applications
18
star
21

express-security-txt

A Node.js middleware for Express that implements Security.txt - A Method for Web Security Policies
JavaScript
18
star
22

enterprise-applications-patterns

Collection of enterprise application patterns
17
star
23

twiks

Twitter awesomeness browser extension
JavaScript
17
star
24

cron-to-quartz

Node.js library to convert unix or linux CRON syntax to Quartz Scheduler
JavaScript
16
star
25

organising-awesome-meetups

Do you want to start a meetup group but you don't know exactly where to start? You're in the right place!
16
star
26

Riess.js

Riess.js is a de-coupled full stack JavaScript application framework
JavaScript
16
star
27

typeform-client

A friendlier Typeform Node.js API client
JavaScript
16
star
28

agilemanager-api

HPE's Agile Manager client API module for NodeJS
JavaScript
14
star
29

docker-travis-cli

Travis CLI in a docker container (encrypt, lint, env, monitor)
Dockerfile
12
star
30

asciidoc-book-starter

A template repository that is ready to author and publish books written in AsciiDoc format
TypeScript
12
star
31

express-version-request

versions an incoming request to Express based on header or URL
JavaScript
11
star
32

smtp-pipe

Pipe any mail envelope input and output forward as SMTP client
JavaScript
10
star
33

nodepulse

NodePulse is a live Node.js dashboard
Vue
9
star
34

js-vulns-detector

Inject JS to the DOM to find vulnerable JavaScript libraries
JavaScript
9
star
35

github-actions-best-practices-for-node.js

GitHub Actions Best Practices for Node.js applications
9
star
36

docker-images-security-workshop

Docker Image Security Workshop for Best Practices
Dockerfile
9
star
37

cwe-sdk

A Common Weakness Enumeration (CWE) Node.js SDK compliant with MITRE / CAPEC
JavaScript
9
star
38

public-speaking

Liran Tal's portfolio of public speaking engagements
9
star
39

nodejs-docker-image-best-practices

Best practices for building and maintaining Node.js docker images
Dockerfile
8
star
40

Manager-README

Liran Tal Manager README
7
star
41

opn-shell

cross-platform execution of command line programs in shells
JavaScript
6
star
42

dependency-confusion-demo

Demo for practicing Dependency Confusion supply chain attacks
JavaScript
6
star
43

vault

A Node.js API service that fetches files and checks for virus or malware
JavaScript
6
star
44

public-speaking-archive

Liran Tal's repository for public speaking
Liquid
6
star
45

slides-react-security-lightning-talk-2022

Slides for talk: How React Applications Get Hacked in the Real World
HTML
6
star
46

typeform-export-excel

Export a Typeform survey questionnaire to an Excel format
JavaScript
6
star
47

gulp-mraudit

Mr Audit is a Gulp plugin to audit JavaScript code for security related static code analysis
JavaScript
6
star
48

docker-detect-secrets

A docker image for Yelp's docker-secrets python application
Dockerfile
5
star
49

nodejssecurity-headers-hsts

Exercise resources about HTTP security headers in Node.js and Express applications
JavaScript
5
star
50

snykcon

A CLI for Snyk's SnykCon 2020 DevSecOps and Developer-first security conference
JavaScript
5
star
51

radiusense

RADIUS monitoring and statistics reporting for FreeRADIUS-based deployments (it's a pingdom for RADUIS servers)
JavaScript
5
star
52

react-suspended-vulnerable-application

React Suspended is an educational frontend application riddled with security vulnerabilities
CSS
5
star
53

nodejssecurity-mixed-content

Exercise resources about browser security controls
JavaScript
5
star
54

slides-react-security-2022

Slides for talk: How React Applications Get Hacked in the Real World
Vue
5
star
55

pact-workshop-consumer-nodejs

Pact Workshop - Consumer in Node.js
JavaScript
5
star
56

security-report

Report a security vulnerability
JavaScript
5
star
57

Proactive-Controls-for-JavaScript-Supply-Chain-Security

Proactive NPM Controls for Supply Chain Security
5
star
58

operations-orchestration-api

HPE's Operations Orchestration client API module for NodeJS
JavaScript
5
star
59

Dependency-Frost

Dependency Frost is an educational platform game to promote awareness of security in open source dependencies
JavaScript
5
star
60

snyk-vs-npm-audit

This repository will contain benchmark comparison between Snyk and npm audit, based on personal observation, as objective as possible
4
star
61

public-speaking-jekyll

A starter template for Public Speaking templates 🎤 💫
Ruby
4
star
62

lockfile-prune

Lockfiles have needs too and this package takes care of them
JavaScript
4
star
63

nodejssecurity-headers-xframe-innocent

Exercise resources about HTTP security headers in Node.js and Express applications
JavaScript
4
star
64

pp-minimist-poc

Prototype Pollution in minimist
JavaScript
4
star
65

aws-s3-utils

Node.js library providing high-level wrapper for convenient AWS S3 capabilities
JavaScript
4
star
66

lirantaldotcom

Liran Tal's lirantal.com website v2
Astro
4
star
67

bazz

🚀📩 effortless remote push notifications for the CLI
JavaScript
4
star
68

serverless-goof-azure

Oreilly's Serverless security example application - serverless-goof todo app
JavaScript
4
star
69

no-secrets-env-vars-website

SAY NO TO SECRETS IN ENVIRONMENT VARIABLES
Vue
4
star
70

eslint-plugin-security

ESLint collection of curated security rules for static code analysis linter
JavaScript
3
star
71

swagger-lint-api

Linter for a Swagger JSON API spec
JavaScript
3
star
72

picture-tuber

render images on the terminal (forked from substack/picture-tube)
JavaScript
3
star
73

bazz-serverless-firebase

JavaScript
3
star
74

presentation-terminal-great-again

JavaScript
3
star
75

licensewatch

Recurses a given node_modules directory to fetch all npm package licenses
JavaScript
3
star
76

githubs

CLI to manage GitHub repositories in bulk
JavaScript
3
star
77

smtp-watch

smtp-watch will create an smtp server for incoming mail connections, and display these e-mails on a web page
JavaScript
3
star
78

fastify-dotenv-envschema-example

A Fastify example codebase for using dotenv with env-schema wrapper
JavaScript
3
star
79

terminal-detect

CLI to detect terminal support for properties like color, unicode and others
JavaScript
3
star
80

cwe-tool

A command line CWE discovery tool based on OWASP / CAPSEC database of Common Weakness Enumeration.
JavaScript
3
star
81

fastify-supertokens-example

A Node.js Fastify microservice that uses SuperTokens for authentication
JavaScript
3
star
82

techies

A web app that shows and compares technology stacks and trends around the world
JavaScript
3
star
83

goof-container-breaking-in

A Snyk-based goof application to demonstrate breaking into containers
JavaScript
3
star
84

012cable

A QT-based PPTP dialer for Linux users of the 012 Israel ISP
Makefile
2
star
85

operations-orchestration-backup

NodeJS Backup Tool (Import/Export) for HPE's Operations Orchestration
JavaScript
2
star
86

atombundles

Easily install all packages required to create an Atom Bundle for a Language or Platform
TypeScript
2
star
87

speak-easy

The source-code for the speak|easy website which promotes inspirational and information public speaking tips
Vue
2
star
88

daloradius-web

daloRADIUS official website
CSS
2
star
89

bazz-frontend

JavaScript
2
star
90

php-sdk

PHP SDK for the Facebook API
PHP
2
star
91

snyk-or-snick

Race your friend to the Snyk palace
JavaScript
2
star
92

slides-supply-chain-security

Vue
2
star
93

create-node-sandbox

Spin-off an isolated Node.js environment using Docker containers
JavaScript
2
star
94

lirantal

2
star
95

ecosystem-lockfiles

An up to date list of ecosystem, their package managers and traits of theirs with regards to software security
2
star
96

vulnerable-c-and-cpp

A reference Git repository to demonstrate vulnerable C and C++ patterns in code
C
2
star
97

github-action-pr-title-update-branch

A GitHub Action that updates the PR title with information about the base branch it wants to merge to
JavaScript
1
star
98

pkg-probe

Vue
1
star
99

techies-meetup-crawler

Crawling meetup.com to retrieve data
JavaScript
1
star
100

berry-plugin-hello-world

TypeScript
1
star