[*]Imagine this scenario. Install the application on a Linux box. Packages are in the early stages of development and are only available in the NPM repository. You are a bit paranoid and skeptical about the authenticity of the package. what would you do? If you are a programmer, you can check the code in the package to see if there are any problems. If you are unfamiliar with coding, you must blindly install the package. To solve this problem, there is a program named “Npq” Can be used to securely install packages using Npm Or yarn Linux package manager.
[*]npq audits the packages it installs before installing them. If there are known vulnerabilities, a warning is displayed so you can safely skip the installation.
[*]Npq performs the following steps to check if the package is safe.
- Check Snyk vulnerability DB Check for vulnerabilities in the package. If there are known vulnerabilities, a warning is displayed.
- Check the age of the package. If the age of the package is less than 22 days, a warning message will be displayed.
- Check the number of package downloads. If less than 20 packages were downloaded last month, a warning will be displayed.
- Check if there is a README for the package. If there is no README, a warning will be displayed.
- Check if the package has a pre or post script. These scripts may be malicious and will display a warning message.
[*]If no warnings appear, the package is probably safe. Note what I said-the package is Probably safe. But there is Safety is not guaranteed. There may still be malicious or vulnerable packages that are not published to the Synk database and pass npq checks.
[*]After all tests have been run, npq hands off the actual package installation process to Npm or Yarn package manager. Npm is the default.
[*]Note that Npq does not prevent package installation. It only audits the package for potential security issues and warns you of known vulnerabilities. It is up to you to decide whether to ignore the installation or continue at your own risk.
[*]Make sure you have Nodejs installed on your Linux box. If not, see the following link:
- How to install NodeJS on Linux
[*]After installing Nodejs, execute the following command to install Npq.
$ npm install -g npq
[*]The above command will place the two binaries npq And npq-hero On your way.
Securely install packages using Npm or Yarn on Linux
[*]To audit and install a package, for example, TLDR, Just run:
$ npq install tldr
✔ Checking package maturity ✖ Identifying package author... ✔ Checking package download popularity ✔ Checking availability of a README ✔ Identifying package repository... ✔ Checking package for pre/post install scripts ✖ Checking for known vulnerabilities Detected possible issues with the following packages: [tldr] - the package description has no e-mail associated with author(s). Proceed with care. [*] - Unable to query for known vulnerabilities. Install snyk and authenticate or provide a SNYK_TOKEN env variable (https://snyk.io) ? Would you like to continue installing package(s)? (y/N)
[*]As you can see in the output above, there are three warnings.
- Npq could not identify the creator of the tldr package.
- There is no email address in the package description,
- You have not yet set up and authenticated with the Snyk database. To install the Synk CLI and authenticate with the Snyk database, This link.
[*]If you don’t mind the warning and trust it to be safe, just type Y Proceed with the package installation.
[*]Npq is just a pre-step tool to check for known vulnerabilities in npm packages before actually installing them. If you use it frequently in your daily work, Create an alias As below.
$ alias npm='npq-hero'
[*]From now on, you can audit npm packages and install them using commands.
$ npm install package_name
Change the default package manager
[*]As already mentioned, Npq takes over the installation process Npm After auditing them, the package manager by default. To set Yarn as the default package manager, specify an environment variable.
[*]To create an alias with yarn as the package manager:
alias yarn="NPQ_PKG_MGR=yarn npq-hero"
[*]Hope it helps.