safely install npm packages by auditing them pre-install stage
1.8k
Stars
41
Forks
15
Open issues
25
Contributors
AI Analysis
npq is a command-line tool that audits npm packages before installation by checking against CVE databases, analyzing package metadata (age, downloads, README, LICENSE), and detecting pre/post-install scripts. It serves developers and DevOps teams who need to reduce supply-chain security risks when adding dependencies, and is particularly valuable in security-conscious organizations; it is not a general-purpose package manager but a specialized security-first wrapper around npm install.
Inferred from signals mentioned in the README (tests, CI, type safety) — not a review of the actual code.
AI's overall editorial judgment — not an average of the bars above, can weigh other factors too.
Pre-install npm package auditor using CVE databases and heuristic checks
npq is a CLI tool that intercepts npm package installations to audit them against known vulnerabilities, package metadata signals (age, downloads, license, README presence), and installation script behavior before they execute. Designed for developers concerned about supply-chain risk in Node.js dependencies. Adoption appears concentrated among security-conscious practitioners and appears in security-focused media and Node.js educational materials, but real-world adoption metrics are not publicly documented.
Created December 2017 by Liran Tal (a security researcher), npq emerged during increased awareness of npm supply-chain attacks. The project reflects broader concern about malicious and vulnerable package installations in JavaScript ecosystems circa 2018–2020, when npm-related security incidents received notable coverage.
Stars grew to ~1,755 over 8.5 years with modest recent activity (4 stars in 7 days as of 2026-06-03). Growth appears episodic, correlated with media attention and security incident cycles rather than sustained adoption. Last push was 2026-06-24, indicating active maintenance, but organic growth appears flat. The project has stabilized rather than accelerated.
Adoption not verified. README cites media mentions (blog posts, security articles, a Node.js book reference, and inclusion in developer tool lists) but does not document production deployments, organizational adoption, or download metrics from npm registry. The tool is available via npm and Homebrew, but scale of real-world usage is undocumented.
Based on README, npq wraps package manager commands (npm, yarn, pnpm) and injects pre-install audit logic via four 'marshalls': age (22-day threshold), author (maintainer history and tenure), downloads (popularity heuristic), and dependency analysis. Hands off actual installation to the underlying package manager after audit completes. Likely implemented as a CLI wrapper using environment variables and shell aliases to intercept package manager invocations.
README includes codecov badge pointing to main branch coverage, indicating automated testing is present and tracked, but specific coverage percentage or quality metrics are not stated in README.
Last push 2026-06-24 (9 days before evaluation date) signals active maintenance. GitHub Actions CI badge is present. Repository has not been archived or marked deprecated. However, issue volume, PR response time, and release cadence are not documented in the README excerpt, making it difficult to assess maintenance intensity beyond the push recency signal.
ADOPT IF: you operate in a high-security environment where supply-chain risk is a material concern, you want to pre-emptively block installations of packages with suspicious metadata patterns, and you are comfortable with false-positive warnings (e.g., legitimate but young packages). AVOID IF: you need comprehensive vulnerability detection (npq relies on heuristics; known CVEs are only one signal), you work with rapidly evolving private packages, or you expect the tool to catch truly novel malicious packages (npq explicitly disclaims absolute safety). MONITOR IF: you are evaluating package manager security tooling and want to track whether npq's audit-before-install pattern gains adoption; the project is maintained but adoption at scale is not documented.
Independent dimensions
Mainstream potential
3/10
Technical importance
6/10
Adoption evidence
2/10
- No documented real-world adoption metrics; claim of safety is based on heuristics (age, downloads, maintainer tenure, README presence) rather than code analysis, meaning novel attacks or legitimate-but-unusual packages may trigger false positives.
- Pre-install audit cannot detect obfuscated or zero-day malicious code; README explicitly disclaims absolute safety, limiting it to a risk-reduction tool, not a security guarantee.
- Ecosystem fragmentation: npq must be aliased or explicitly invoked; unlike integrated package managers, it requires developer discipline to use consistently, reducing practical coverage.
- Reliance on external signals (Snyk CVE database, npm registry metadata) means npq is only as current as its upstream data sources; stale or missing CVE entries reduce effectiveness.
- Long-term maintenance risk if adoption remains concentrated among individual developers; no evidence of organizational or enterprise backing to sustain the project if author shifts focus.
npq will likely remain a niche security tool for individual developers and security-conscious teams, with slow steady-state maintenance but limited mainstream adoption growth. Unlikely to be integrated into major package manager defaults without significant organizational backing.
Explore similar
Newsletter
Get analyses like this every Monday
Free weekly digest of the most interesting open-source discoveries.
Languages
Information
- Language
- JavaScript
- License
- Apache-2.0
- Last updated
- 3d ago
- Created
- 104mo ago
- Analyzed with
- anthropic/claude-haiku-4-5
Stars over time
Contributors over time
Top 100 contributors only — repos with more will plateau at 100.
Open issues
Support for custom Artifactory
pnpm cli arguments don't work in arbitrary order causing marshalls to not run when expected
Feature: when detecting coding agents spawn npq, then npq should default to --json mode
Idea/Feature Request: Show next available version that passes checks for recently published packages
`min-release-age` is not respected when resolving package versions
Top contributors
Similar repos
lirantal/is-website-vulnerable
is-website-vulnerable is a security scanning tool that detects publicly known...
| Repository | Stars | Week Δ | Language | Score | Updated |
|---|---|---|---|---|---|
|
|
1.8k | +2 | JavaScript | 7/10 | 3d ago |
|
|
7.7k | — | JavaScript | 8/10 | 5d ago |
|
|
2k | — | JavaScript | 8/10 | 3w ago |
|
|
35.7k | — | Rust | 9/10 | 12h ago |
|
|
6.6k | — | JavaScript | 7/10 | 3d ago |
|
|
2.1k | — | JavaScript | 7/10 | 1d ago |
pnpm (35,675 stars) is a full package manager with built-in installation hooks; npq is an audit layer on top of existing managers. pnpm solves a different problem (disk efficiency, strict dependency resolution) rather than pre-install security review.
npm-check (6,641 stars) audits installed dependencies for updates and vulnerabilities post-install; npq audits before installation. npm-check operates on a different lifecycle phase and is more mature by star count.
np (7,699 stars) is a package release automation tool; npq is a pre-install auditor. These serve orthogonal purposes in the release and consumption workflows.
Snyk (not listed in similar repos but industry standard) offers vulnerability scanning across the full dependency tree post-install; npq audits pre-install with heuristic signals. npq's pre-install approach is unique but narrower in scope than Snyk's post-install analysis.

