lirantal

lirantal/npq

JavaScript Apache-2.0 Security

safely install npm packages by auditing them pre-install stage

1.8k stars
41 forks
active
GitHub +2 / week

1.8k

Stars

41

Forks

15

Open issues

25

Contributors

v3.20.0 07 Jul 2026

AI Analysis

npq is a command-line tool that audits npm packages before installation by checking against CVE databases, analyzing package metadata (age, downloads, README, LICENSE), and detecting pre/post-install scripts. It serves developers and DevOps teams who need to reduce supply-chain security risks when adding dependencies, and is particularly valuable in security-conscious organizations; it is not a general-purpose package manager but a specialized security-first wrapper around npm install.

Security Security Tool Discovery value: 5/10
Documentation 7/10
Activity 8/10
Community 7/10
Code quality 7/10

Inferred from signals mentioned in the README (tests, CI, type safety) — not a review of the actual code.

Overall score 7/10

AI's overall editorial judgment — not an average of the bars above, can weigh other factors too.

supply-chain-security npm-security vulnerability-scanning package-auditing appsec
Actively maintained Well documented Niche/specialized use case Apache-2.0 licensed Beginner friendly Production ready
Deep Analysis · Based on README and public signals
7d ago

Pre-install npm package auditor using CVE databases and heuristic checks

npq is a CLI tool that intercepts npm package installations to audit them against known vulnerabilities, package metadata signals (age, downloads, license, README presence), and installation script behavior before they execute. Designed for developers concerned about supply-chain risk in Node.js dependencies. Adoption appears concentrated among security-conscious practitioners and appears in security-focused media and Node.js educational materials, but real-world adoption metrics are not publicly documented.

Origin

Created December 2017 by Liran Tal (a security researcher), npq emerged during increased awareness of npm supply-chain attacks. The project reflects broader concern about malicious and vulnerable package installations in JavaScript ecosystems circa 2018–2020, when npm-related security incidents received notable coverage.

Growth

Stars grew to ~1,755 over 8.5 years with modest recent activity (4 stars in 7 days as of 2026-06-03). Growth appears episodic, correlated with media attention and security incident cycles rather than sustained adoption. Last push was 2026-06-24, indicating active maintenance, but organic growth appears flat. The project has stabilized rather than accelerated.

In production

Adoption not verified. README cites media mentions (blog posts, security articles, a Node.js book reference, and inclusion in developer tool lists) but does not document production deployments, organizational adoption, or download metrics from npm registry. The tool is available via npm and Homebrew, but scale of real-world usage is undocumented.

Code analysis
Architecture

Based on README, npq wraps package manager commands (npm, yarn, pnpm) and injects pre-install audit logic via four 'marshalls': age (22-day threshold), author (maintainer history and tenure), downloads (popularity heuristic), and dependency analysis. Hands off actual installation to the underlying package manager after audit completes. Likely implemented as a CLI wrapper using environment variables and shell aliases to intercept package manager invocations.

Tests

README includes codecov badge pointing to main branch coverage, indicating automated testing is present and tracked, but specific coverage percentage or quality metrics are not stated in README.

Maintenance

Last push 2026-06-24 (9 days before evaluation date) signals active maintenance. GitHub Actions CI badge is present. Repository has not been archived or marked deprecated. However, issue volume, PR response time, and release cadence are not documented in the README excerpt, making it difficult to assess maintenance intensity beyond the push recency signal.

Honest verdict

ADOPT IF: you operate in a high-security environment where supply-chain risk is a material concern, you want to pre-emptively block installations of packages with suspicious metadata patterns, and you are comfortable with false-positive warnings (e.g., legitimate but young packages). AVOID IF: you need comprehensive vulnerability detection (npq relies on heuristics; known CVEs are only one signal), you work with rapidly evolving private packages, or you expect the tool to catch truly novel malicious packages (npq explicitly disclaims absolute safety). MONITOR IF: you are evaluating package manager security tooling and want to track whether npq's audit-before-install pattern gains adoption; the project is maintained but adoption at scale is not documented.

Independent dimensions

Mainstream potential

3/10

Technical importance

6/10

Adoption evidence

2/10

Risks
  • No documented real-world adoption metrics; claim of safety is based on heuristics (age, downloads, maintainer tenure, README presence) rather than code analysis, meaning novel attacks or legitimate-but-unusual packages may trigger false positives.
  • Pre-install audit cannot detect obfuscated or zero-day malicious code; README explicitly disclaims absolute safety, limiting it to a risk-reduction tool, not a security guarantee.
  • Ecosystem fragmentation: npq must be aliased or explicitly invoked; unlike integrated package managers, it requires developer discipline to use consistently, reducing practical coverage.
  • Reliance on external signals (Snyk CVE database, npm registry metadata) means npq is only as current as its upstream data sources; stale or missing CVE entries reduce effectiveness.
  • Long-term maintenance risk if adoption remains concentrated among individual developers; no evidence of organizational or enterprise backing to sustain the project if author shifts focus.
Prediction

npq will likely remain a niche security tool for individual developers and security-conscious teams, with slow steady-state maintenance but limited mainstream adoption growth. Unlikely to be integrated into major package manager defaults without significant organizational backing.

0 found this helpful

Newsletter

Get analyses like this every Monday

Free weekly digest of the most interesting open-source discoveries.

Languages

JavaScript
99.7%
Shell
0.3%

Information

Language
JavaScript
License
Apache-2.0
Last updated
3d ago
Created
104mo ago
Analyzed with
anthropic/claude-haiku-4-5

Stars over time

Loading…

Contributors over time

Top 100 contributors only — repos with more will plateau at 100.

Loading…

Similar repos

sindresorhus

sindresorhus/np

np is a specialized CLI tool that wraps and enhances the `npm publish` workflow...

7.7k JavaScript Dev Tools
lirantal

lirantal/is-website-vulnerable

is-website-vulnerable is a security scanning tool that detects publicly known...

2k JavaScript Security
pnpm

pnpm/pnpm

pnpm is a fast, disk-space-efficient package manager for Node.js that uses...

35.7k Rust Dev Tools
dylang

dylang/npm-check

npm-check is a CLI tool that audits Node.js project dependencies, identifying...

6.6k JavaScript Dev Tools
cnpm

cnpm/cnpm

cnpm is an npm client optimized for users accessing npm packages through...

2.1k JavaScript Dev Tools
vs. alternatives
pnpm/pnpm

pnpm (35,675 stars) is a full package manager with built-in installation hooks; npq is an audit layer on top of existing managers. pnpm solves a different problem (disk efficiency, strict dependency resolution) rather than pre-install security review.

dylang/npm-check

npm-check (6,641 stars) audits installed dependencies for updates and vulnerabilities post-install; npq audits before installation. npm-check operates on a different lifecycle phase and is more mature by star count.

sindresorhus/np

np (7,699 stars) is a package release automation tool; npq is a pre-install auditor. These serve orthogonal purposes in the release and consumption workflows.

Snyk CLI

Snyk (not listed in similar repos but industry standard) offers vulnerability scanning across the full dependency tree post-install; npq audits pre-install with heuristic signals. npq's pre-install approach is unique but narrower in scope than Snyk's post-install analysis.