I stumbled across the NPQ CLI tool while browsing GitHub, and it addresses something that’s been bugging me for years. Every time you run npm install, you’re basically trusting random strangers on the internet not to mess with your computer.
NPQ sits between you and npm, checking packages for sketchy behavior before they touch your project. Here’s the general idea:
➜ npm install -g npq
➜ npq install next
Packages with issues found:
┌─
│ > next@latest
│
│ ✖ Supply Chain Security · Detected a recently published version (published 2 days ago) - consider waiting for community review
└─
Summary:
- Total packages: 1
- Total errors: 1
- Total warnings: 0
Continue install ? (y/N) n
Why Audit Your Packages?
Here’s what happens when you install a package. You type npm install package and suddenly you’ve downloaded code from someone you’ve never met. That code runs on your machine with your permissions. It can read files, make network requests, and do whatever it wants.
Most packages are fine. But some aren’t. Maybe they’re typosquatting popular libraries. Maybe they’re trying to steal your environment variables. Maybe they’re just poorly maintained and full of vulnerabilities.
You probably don’t check every package manually. Who has time for that?
NPQ acts like a bouncer for your npm installs. When you try to install something, it checks a bunch of things first:
[1] The package name looks legitimate and isn’t trying to impersonate something popular.
[2] The maintainer has a reasonable history and isn’t brand new with no other packages.
[3] The package doesn’t have obvious red flags like requesting unnecessary permissions or making suspicious network calls.
If something looks wrong, NPQ blocks the install and tells you why. If everything checks out, your install proceeds normally.
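To make the three checks concrete, here is a small audit routine of my own, added for illustration; it is not npq’s code and does not reproduce its real heuristics. It runs over a registry metadata document (a “packument”, the shape you get from https://registry.npmjs.org/<name>) and emits findings for a look-alike name, a maintainer with no publishing history, and a version that is too fresh, which is the finding the npq output above shows. The packuments, the MAINTAINER_HISTORY table, the POPULAR shortlist and the MIN_AGE_DAYS / MIN_OTHER_PACKAGES thresholds are all constructed for the example; a real tool would fetch the registry document and maintainer data over the network instead.

```javascript
// Added example (not npq's own code): a miniature of the three pre-install checks
// described above, run against a registry metadata document ("packument").
// The packuments, maintainer history, popular-name list and thresholds below are
// CONSTRUCTED for illustration; a real tool would fetch https://registry.npmjs.org/<name>.

const MIN_AGE_DAYS = 7;        // assumed threshold: versions younger than this are flagged
const MIN_OTHER_PACKAGES = 1;  // assumed threshold: a maintainer with no other packages is flagged
const POPULAR = ['react', 'lodash', 'express', 'next', 'axios']; // constructed shortlist

// Constructed stand-in for "how many other packages does this maintainer publish?"
const MAINTAINER_HISTORY = { alice: 12, bob: 3, newbie: 0 };

// Levenshtein edit distance: a name one edit away from a popular package is suspicious.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + cost);
    }
  }
  return dp[a.length][b.length];
}

// Returns a list of findings; an empty list means the install may proceed.
// `now` is injectable so the result is deterministic and testable offline.
function auditPackage(pkg, tag = 'latest', now = new Date()) {
  const findings = [];
  const version = pkg['dist-tags'] && pkg['dist-tags'][tag];
  if (!version) {
    return [{ level: 'error', check: 'dist-tag', msg: `no "${tag}" tag` }];
  }

  // [1] Name check: one typo away from a popular package, and not that package itself.
  const lookalike = POPULAR.find(p => p !== pkg.name && editDistance(p, pkg.name) === 1);
  if (lookalike) {
    findings.push({ level: 'error', check: 'typosquat', msg: `"${pkg.name}" is one edit away from "${lookalike}"` });
  }

  // [2] Maintainer check: no maintainers at all, or none with any publishing history.
  const maintainers = pkg.maintainers || [];
  const experienced = maintainers.filter(m => (MAINTAINER_HISTORY[m.name] || 0) >= MIN_OTHER_PACKAGES);
  if (maintainers.length === 0 || experienced.length === 0) {
    findings.push({ level: 'warning', check: 'maintainer', msg: 'no maintainer with a publishing history' });
  }

  // [3] Recency check (the finding shown in the npq output above): a version
  // published only days ago has had no time for community review.
  const ageDays = Math.floor((now - new Date(pkg.time[version])) / 86400000);
  if (ageDays < MIN_AGE_DAYS) {
    findings.push({ level: 'error', check: 'supply-chain', msg: `version ${version} published ${ageDays} days ago` });
  }
  return findings;
}

// Mirrors the "Continue install? (y/N)" decision: any error blocks the install.
function shouldBlock(findings) {
  return findings.some(f => f.level === 'error');
}

// --- constructed sample registry documents ---
const NOW = new Date('2024-06-10T00:00:00Z');
const SUSPICIOUS = {
  name: 'nexts',                                 // one edit away from "next"
  'dist-tags': { latest: '1.0.0' },
  time: { '1.0.0': '2024-06-08T00:00:00Z' },     // two days before NOW
  maintainers: [{ name: 'newbie' }],
};
const TRUSTED = {
  name: 'next',
  'dist-tags': { latest: '14.2.3' },
  time: { '14.2.3': '2024-04-01T00:00:00Z' },
  maintainers: [{ name: 'alice' }, { name: 'bob' }],
};

for (const pkg of [SUSPICIOUS, TRUSTED]) {
  const findings = auditPackage(pkg, 'latest', NOW);
  console.log(pkg.name, shouldBlock(findings) ? 'BLOCKED' : 'ok', findings);
}
```

Against the constructed data, nexts is blocked on two errors (look-alike name, two-day-old version) plus a maintainer warning, while next passes cleanly. The recency rule is deliberately the bluntest of the three: it trades a short delay on every fresh release for the chance that someone else notices a hijacked or malicious publish first, which is exactly the trade the npq output above asks you to consider.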
Since npq is a pre-step to ensure that the npm package you’re installing is safe, you can safely embed it in your day-to-day npm usage so there’s no need to remember to run npq explicitly.
alias npm='npq-hero'