Automic VaultAutomic Vault

brew

使用 Homebrew 安装 npq

查看 npq 的安装路径、可执行文件、元数据以及面向 AI 代理工作流的安全说明。

安装

其他安装命令

macOS

Homebrew已验证 · 100%
brew install npq

local Homebrew formula metadata

概览

软件包摘要

Audit npm packages before you install them

命令和别名

  • npq
  • npq-hero

历史

项目历史与用法

npq is a Node.js command-line security wrapper that audits npm package installs before handing off to the real package manager. The npm package was created on 2017-11-28, and the GitHub repository was created on 2017-12-14.

项目历史

The project grew out of concern about npm supply-chain risk: newly published packages, low-download typo targets, missing metadata, vulnerable packages, and pre/post-install scripts. Its README says npq performs syntactic heuristics and queries a CVE database, then delegates the actual install to npm by default or another package manager selected through NPQ_PKG_MGR.

The npm registry metadata consulted for this batch reported latest version 3.19.6 published on 2026-06-03 and 176 published versions. The README also documents npq-hero, an alias/wrapper path for embedding npq into day-to-day npm usage.

采用历史

npq is smaller than npm-check-updates but has durable adoption among JavaScript developers who want an interactive pre-install safety check. Its README lists third-party coverage and mentions in npm security discussions, and the GitHub metadata consulted for this batch reported about 1.8k stars.

npm's public downloads API reported 32,098 downloads for npq from 2026-05-30 through 2026-06-28 and 171,829 downloads from 2025-06-29 through 2026-06-28. Homebrew analytics reported 1,862 formula installs over its 365-day window.

使用方式

Package nerds use npq when installing unfamiliar packages, especially ad hoc CLI tools or direct dependencies discovered during development. Typical usage is npq install express, npx npq install express --dry-run, or aliasing npm to npq-hero so package installs pass through the checks automatically.

npq's checks are intentionally heuristic, not a proof of safety. The useful behavior is friction: warn on risky signals such as very new packages, missing README or license metadata, known vulnerabilities, install scripts, maintainer/publisher concerns, and low popularity before executing the actual package-manager install.

为什么软件包爱好者会关心

npq represents the npm ecosystem's shift from post-install vulnerability scanning toward pre-install package-health review. It is part of the same cultural space as minimum release age, lockfile linting, provenance checks, and package firewalls.

时间线

  • 2017-11-28: npm registry package npq created.
  • 2017-12-14: GitHub repository lirantal/npq created.
  • 2026-06-03: npm registry metadata reports version 3.19.6 published.

Related projects

  • npm audit
  • Snyk
  • Socket Firewall
  • lockfile-lint
  • npq-hero
  • pnpm
  • bun

安全态势

尚未找到受保护工具覆盖

没有找到 npq 的匹配本地密钥处理 manifest。Nucleus 软件包元数据仍在此发布,以便未来覆盖拥有稳定的软件包 URL。

安装行为

  • formula 元数据中未记录 Homebrew post-install 钩子。
  • Homebrew bottle 元数据适用于 1 个平台目标。
  • 安装时包含 1 个运行时依赖。

建议审查

在无人值守的代理使用前,请检查该工具是否读取明文凭据、写入远程状态、发布制品或调用插件。

可执行文件

已安装的可执行文件

命令类型暴露范围备注
npqcli全局可执行文件
npq-herocli全局可执行文件

新鲜度

版本和新鲜度

这些信号区分页生成时间、软件包管理器活动和上游发布比较。只有存在证据 URL 和可比较版本时,才会提示版本落后。

页面生成时间2026-07-08
管理器版本3.20.0
管理器更新时间2026-07-08
本地数据OK
上游not checked
检测到的最新版本未检测到

https://github.com/lirantal/npq

安装元数据

软件包元数据

软件包键brew:npq
版本3.20.0
软件包管理器Homebrew
软件包管理器页面https://formulae.brew.sh/formula/npq
主页https://github.com/lirantal/npq
仓库https://github.com/lirantal/npq
上游文档https://github.com/lirantal/npq#readme
许可证Apache-2.0
源码归档https://registry.npmjs.org/npq/-/npq-3.20.0.tgz
最后更新2026-07-08T09:52:12Z
Pulseupdated
依赖node
Bottle可用 (于 all)
Homebrew post-install未定义
服务未声明

注册表事实

源数据库详情

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Namenpq
Version Scheme0
Revision0
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • stable

来源线索

由仓库数据生成

此页面由 av-webscripts/generate-pkg-sqlite.py 生成的私有软件包 SQLite 工件提供。

使用的来源

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated package history
  • package relationship graph
  • package version freshness
  • package-page enrichment