NPQ: Open source CLI tool that audits and protects your npm installs from malicious packages

A CLI tool that checks packages for security issues and social engineering attacks before they hit your project

Trevor I. Lasn Trevor I. Lasn
· 2 min read
Building 0xinsider.com, the intelligence layer for prediction markets. Discover what's moving, see who's behind it, and find the edge before the crowd.

I stumbled across the NPQ CLI tool while browsing GitHub, and it addresses something that’s been bugging me for years. Every time you run npm install, you’re basically trusting random strangers on the internet not to mess with your computer.

NPQ sits between you and npm, checking packages for sketchy behavior before they touch your project. Here’s the general idea:

Terminal window
npm install -g npq
npq install next
Packages with issues found:
┌─
> next@latest
Supply Chain Security · Detected a recently published version (published 2 days ago) - consider waiting for community review
└─
Summary:
- Total packages: 1
- Total errors: 1
- Total warnings: 0
Continue install ? (y/N) n

Why Audit Your Packages?

Here’s what happens when you install a package. You type npm install package and suddenly you’ve downloaded code from someone you’ve never met. That code runs on your machine with your permissions. It can read files, make network requests, and do whatever it wants.

Most packages are fine. But some aren’t. Maybe they’re typosquatting popular libraries. Maybe they’re trying to steal your environment variables. Maybe they’re just poorly maintained and full of vulnerabilities.

You probably don’t check every package manually. Who has time for that?

NPQ acts like a bouncer for your npm installs. When you try to install something, it checks a bunch of things first:

[1] The package name looks legitimate and isn’t trying to impersonate something popular.

[2] The maintainer has a reasonable history and isn’t brand new with no other packages.

[3] The package doesn’t have obvious red flags like requesting unnecessary permissions or making suspicious network calls.

If something looks wrong, NPQ blocks the install and tells you why. If everything checks out, your install proceeds normally.

Since npq is a pre-step to ensure that the npm package you’re installing is safe, you can safely embed it in your day-to-day npm usage so there’s no need to remember to run npq explicitly.

Terminal window
alias npm='npq-hero'

Trevor I. Lasn

Building 0xinsider.com, the intelligence layer for prediction markets. Discover what's moving, see who's behind it, and find the edge before the crowd. Product engineer based in Tartu, Estonia, building and shipping for over a decade.


Found this article helpful? You might enjoy my free newsletter. I share dev tips and insights to help you grow your coding skills and advance your tech career.


Related Articles

Check out these related articles that might be useful for you. They cover similar topics and provide additional insights.

Webdev
13 min read

10 Essential Terminal Commands Every Developer Should Know

List of useful Unix terminal commands to boost your productivity. Here are some of my favorites.

Aug 21, 2024
Read article
Webdev
5 min read

Mermaid.js — Create Charts and Diagrams With Markdown-like Syntax

Mermaid.js is a simple markdown-like script language for generating charts from text via JavaScript

Oct 30, 2019
Read article
Webdev
5 min read

Peaks.js — Interact With Audio Waveforms

Peaks.js is a client-side JavaScript component to display and interact with audio waveforms in the browser

Oct 22, 2019
Read article
Webdev
6 min read

SecretLint — A Linter for Preventing Committing Credentials

A guide to catching and preventing credential leaks in your code using Secretlint

Oct 22, 2024
Read article
Webdev
4 min read

Self-Taught Developer's Guide to Thriving in Tech

How to turn your non-traditional background into your biggest asset

Sep 28, 2024
Read article
Webdev
4 min read

Remove Unnecessary NPM Packages with eslint-plugin-depend

We don't need packages to handle basic JavaScript tasks

Aug 13, 2024
Read article
Webdev
5 min read

Programming Trends to Watch in 2020 and Beyond

Here are my bets on the programming trends

Jul 19, 2019
Read article
Webdev
3 min read

CSS :has() - The Parent Selector We've Always Wanted

Transform your CSS with :has(), the game-changing selector that finally lets us style elements based on their children.

Dec 4, 2024
Read article
Webdev
3 min read

align-content: The Simplest Way to Center Content with CSS

Finally, we can center things in block layouts without flexbox gymnastics

Dec 13, 2024
Read article

This article was originally published on https://www.trevorlasn.com/blog/npq-protects-npm-installs-from-malicious-packages. It was written by a human and polished using grammar tools for clarity.