macOS
brew install npqlocal Homebrew formula metadata
brew
Audit npm packages before you install them. Version 3.20.0 via Homebrew; verified 2026-07-08.
install
brew install npqlocal Homebrew formula metadata
overview
Audit npm packages before you install them
history
npq is a Node.js command-line security wrapper that audits npm package installs before handing off to the real package manager. The npm package was created on 2017-11-28, and the GitHub repository was created on 2017-12-14.
The project grew out of concern about npm supply-chain risk: newly published packages, low-download typo targets, missing metadata, vulnerable packages, and pre/post-install scripts. Its README says npq performs syntactic heuristics and queries a CVE database, then delegates the actual install to npm by default or another package manager selected through NPQ_PKG_MGR.
The npm registry metadata consulted for this batch reported latest version 3.19.6 published on 2026-06-03 and 176 published versions. The README also documents npq-hero, an alias/wrapper path for embedding npq into day-to-day npm usage.
npq is smaller than npm-check-updates but has durable adoption among JavaScript developers who want an interactive pre-install safety check. Its README lists third-party coverage and mentions in npm security discussions, and the GitHub metadata consulted for this batch reported about 1.8k stars.
npm's public downloads API reported 32,098 downloads for npq from 2026-05-30 through 2026-06-28 and 171,829 downloads from 2025-06-29 through 2026-06-28. Homebrew analytics reported 1,862 formula installs over its 365-day window.
Package nerds use npq when installing unfamiliar packages, especially ad hoc CLI tools or direct dependencies discovered during development. Typical usage is npq install express, npx npq install express --dry-run, or aliasing npm to npq-hero so package installs pass through the checks automatically.
npq's checks are intentionally heuristic, not a proof of safety. The useful behavior is friction: warn on risky signals such as very new packages, missing README or license metadata, known vulnerabilities, install scripts, maintainer/publisher concerns, and low popularity before executing the actual package-manager install.
npq represents the npm ecosystem's shift from post-install vulnerability scanning toward pre-install package-health review. It is part of the same cultural space as minimum release age, lockfile linting, provenance checks, and package firewalls.
security posture
No matching local secret-handling manifest was found for npq. Nucleus package metadata is still published here so future coverage has a stable package URL.
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
executables
| Command | Kind | Exposure | Note |
|---|---|---|---|
npq | cli | global executable | |
npq-hero | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://github.com/lirantal/npq
install metadata
| Package key | brew:npq |
|---|---|
| Version | 3.20.0 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/npq |
| Homepage | https://github.com/lirantal/npq |
| Repository | https://github.com/lirantal/npq |
| Upstream docs | https://github.com/lirantal/npq#readme |
| License | Apache-2.0 |
| Source archive | https://registry.npmjs.org/npq/-/npq-3.20.0.tgz |
| Last updated | 2026-07-08T09:52:12Z |
| Pulse | updated |
| Dependencies | node |
| Bottle | available (on all) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | npq |
| Version Scheme | 0 |
| Revision | 0 |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.