npq
npq - marshall your npm/yarn package installs with high quality and class 🎖
About
Once npq is installed, you can safely* install packages:

```sh
npq install express
```

npq will perform the following steps to sanity check that the package is safe, employing syntactic heuristics and querying a CVE database:
- Consult the snyk.io database of publicly disclosed vulnerabilities to check whether a vulnerability exists for this package and its version.
- Package age on npm
- Package download count as a popularity metric
- Package has a README file
- [TBD] Package has pre/post install scripts
If npq is prompted to continue with the install, it simply hands over the actual package install job to the package manager (npm by default).
safely* - there's no guaranteed safety: a malicious or vulnerable package that has no published disclosure could still exist and pass npq's checks.
Install
```sh
npm install -g npq
```

Usage
Install packages with npq:
```sh
npq install express
```

Embed in your day to day
Since npq is a pre-step to ensure that the npm package you're installing is safe, you can safely embed it in your day-to-day npm usage so there's no need to remember to run npq explicitly.
```sh
alias npm='npq'
```

Offload to package managers
By default, npq offloads all commands and their arguments to the npm package manager after it has finished its due diligence on the respective packages.
If you're using yarn, or generally want to tell npq explicitly which package manager should handle the command, use one of the following methods:
- A command line option: `--packageManager <npm|yarn>`
- An environment variable: `NPQ_PKG_MGR=yarn`
Example: create an alias with yarn as the package manager:
```sh
alias npm='npq --packageManager yarn'
```

Marshalls
| Marshall Name | Description | Notes |
|---|---|---|
| Age | Will show a warning for a package if its age on npm is less than 22 days | Checks the package creation date, not that of the specific version |
| Downloads | Will show a warning for a package if its download count in the last month is less than 20 | |
| Readme | Will show a warning if a package has no README or has been detected as a security placeholder package by npm staff | |
| Snyk | Will show a warning if a package has been found to have vulnerabilities in Snyk's database | For the Snyk marshall to work you need either the snyk npm package installed with a valid API token, or the token available in the SNYK_TOKEN environment variable, which npq will use |
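The marshalls in the table reduce to a handful of threshold checks over package metadata. The following is an added example that re-implements those checks in plain Node.js; it is not npq's own code, and the metadata field names (`created`, `downloadsLastMonth`, `readme`, `vulnerabilities`), the placeholder-README wording and the sample packages are constructed assumptions.

```javascript
// Added example: simplified re-implementation of npq's marshall thresholds.
// Thresholds come from the table above; metadata shape is assumed, not npq's API.
const AGE_THRESHOLD_DAYS = 22;
const DOWNLOADS_THRESHOLD = 20;
const DAY_MS = 24 * 60 * 60 * 1000;

// Each marshall inspects package metadata and returns a warning string or null.
const marshalls = {
  age(pkg, now) {
    // npq checks the package creation date, not the version's publish date.
    const ageDays = (now - Date.parse(pkg.created)) / DAY_MS;
    return ageDays < AGE_THRESHOLD_DAYS
      ? `package is only ${Math.floor(ageDays)} days old` : null;
  },
  downloads(pkg) {
    return pkg.downloadsLastMonth < DOWNLOADS_THRESHOLD
      ? `only ${pkg.downloadsLastMonth} downloads in the last month` : null;
  },
  readme(pkg) {
    if (!pkg.readme) return 'package has no README';
    // Assumed wording of npm's placeholder README for reclaimed package names.
    return /security holding package/i.test(pkg.readme)
      ? 'package is a security placeholder' : null;
  },
  snyk(pkg) {
    // Stands in for the Snyk database lookup; vulnerabilities are supplied inline.
    const n = (pkg.vulnerabilities || []).length;
    return n > 0 ? `${n} known vulnerabilit${n === 1 ? 'y' : 'ies'}` : null;
  },
};

// Run every marshall; returns { marshallName: warning } for those that fired.
function marshall(pkg, now = Date.now()) {
  const warnings = {};
  for (const [name, check] of Object.entries(marshalls)) {
    const w = check(pkg, now);
    if (w) warnings[name] = w;
  }
  return warnings;
}

// Constructed sample metadata (not real registry data).
const NOW = Date.parse('2024-01-31T00:00:00Z');
const suspicious = { name: 'example-pkg', created: '2024-01-25T00:00:00Z',
  downloadsLastMonth: 5, readme: '', vulnerabilities: [{ id: 'PLACEHOLDER-ID' }] };
const healthy = { name: 'express', created: '2010-12-29T00:00:00Z',
  downloadsLastMonth: 1000000, readme: '# express\nFast web framework', vulnerabilities: [] };

console.log(marshall(suspicious, NOW)); // all four marshalls fire
console.log(marshall(healthy, NOW));    // {}
```

An empty result means npq would hand the install over to the package manager; any non-empty result is where it prompts the user before continuing.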
Contributing
Please consult the CONTRIBUTING file for guidelines on contributing to this project.
Author
Liran Tal liran.tal@gmail.com