# 使用 Homebrew 安装 npq

查看 npq 的安装路径、可执行文件、元数据以及面向 AI 代理工作流的安全说明。

## 安装

```sh
sudo av install brew:npq
```

其他安装命令:

### macOS

- Homebrew (100%):

```sh
brew install npq
```

  证据: local Homebrew formula metadata

## 软件包事实

- **软件包键:** brew:npq
- **软件包管理器:** Homebrew
- **软件包管理器页面:** <https://formulae.brew.sh/formula/npq>
- **版本:** 3.20.0
- **来源摘要:** Audit npm packages before you install them
- **主页:** <https://github.com/lirantal/npq>
- **仓库:** <https://github.com/lirantal/npq>
- **上游文档:** <https://github.com/lirantal/npq#readme>
- **许可证:** Apache-2.0
- **源码归档:** <https://registry.npmjs.org/npq/-/npq-3.20.0.tgz>
- **最后更新:** 2026-07-08T09:52:12Z
- **已生成:** 2026-07-08T18:08:21+00:00

## 可执行文件

- npq (cli)
- npq-hero (cli)
- npq (别名)
- npq-hero (别名)

## 依赖

- node

## 安装行为

- post-install 钩子: 未定义
- Bottle: 可用 于 all

## 版本和新鲜度

- 页面生成时间: 2026-07-08
- 管理器版本: 3.20.0
- 管理器更新时间: 2026-07-08
- 本地数据: OK
- 上游仓库: https://github.com/lirantal/npq
- 信息: No cached GitHub release or tag data was available.
## 项目历史与用法

npq is a Node.js command-line security wrapper that audits npm package installs before handing off to the real package manager. The npm package was created on 2017-11-28, and the GitHub repository was created on 2017-12-14.

### 项目历史

The project grew out of concern about npm supply-chain risk: newly published packages, low-download typo targets, missing metadata, vulnerable packages, and pre/post-install scripts. Its README says npq performs syntactic heuristics and queries a CVE database, then delegates the actual install to npm by default or another package manager selected through NPQ_PKG_MGR.

The npm registry metadata consulted for this batch reported latest version 3.19.6 published on 2026-06-03 and 176 published versions. The README also documents npq-hero, an alias/wrapper path for embedding npq into day-to-day npm usage.

### 采用历史

npq is smaller than npm-check-updates but has durable adoption among JavaScript developers who want an interactive pre-install safety check. Its README lists third-party coverage and mentions in npm security discussions, and the GitHub metadata consulted for this batch reported about 1.8k stars.

npm's public downloads API reported 32,098 downloads for npq from 2026-05-30 through 2026-06-28 and 171,829 downloads from 2025-06-29 through 2026-06-28. Homebrew analytics reported 1,862 formula installs over its 365-day window.

### 使用方式

Package nerds use npq when installing unfamiliar packages, especially ad hoc CLI tools or direct dependencies discovered during development. Typical usage is npq install express, npx npq install express --dry-run, or aliasing npm to npq-hero so package installs pass through the checks automatically.

npq's checks are intentionally heuristic, not a proof of safety. The useful behavior is friction: warn on risky signals such as very new packages, missing README or license metadata, known vulnerabilities, install scripts, maintainer/publisher concerns, and low popularity before executing the actual package-manager install.

### 为什么软件包爱好者会关心

npq represents the npm ecosystem's shift from post-install vulnerability scanning toward pre-install package-health review. It is part of the same cultural space as minimum release age, lockfile linting, provenance checks, and package firewalls.

### 时间线

- 2017-11-28: npm registry package npq created.
- 2017-12-14: GitHub repository lirantal/npq created.
- 2026-06-03: npm registry metadata reports version 3.19.6 published.

### Related projects

- npm audit
- Snyk
- Socket Firewall
- lockfile-lint
- npq-hero
- pnpm
- bun

### 来源

- <https://api.github.com/repos/lirantal/npq>
- <https://api.npmjs.org/downloads/point/last-month/npq>
- <https://api.npmjs.org/downloads/point/last-year/npq>
- <https://formulae.brew.sh/api/formula/npq.json>
- <https://github.com/lirantal/npm-security-best-practices>
- <https://github.com/lirantal/npq>
- <https://registry.npmjs.org/npq>


## 安全说明

没有找到 npq 的匹配本地密钥处理 manifest。Nucleus 软件包元数据仍在此发布，以便未来覆盖拥有稳定的软件包 URL。


## 源数据库详情

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** npq
- **Version Scheme:** 0
- **Revision:** 0
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** stable


## 相关链接

- [Source-control packages](https://www.automicvault.com/zh-hans/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Package publisher tools](https://www.automicvault.com/zh-hans/pkg/package-publishers/) - Belongs to a package publishing or registry command family.
- [Terminal utility packages](https://www.automicvault.com/zh-hans/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Language runtime packages](https://www.automicvault.com/zh-hans/pkg/language-runtime-packages/) - Matched language runtime, compiler, or interpreter metadata.
- [node](https://www.automicvault.com/zh-hans/pkg/brew/node/) - Runtime dependency declared by Homebrew.
- [osv-scanner](https://www.automicvault.com/zh-hans/pkg/brew/osv-scanner/) - Shares av.db curated category or tags: cli, security, supply-chain.
- [pip-audit](https://www.automicvault.com/zh-hans/pkg/brew/pip-audit/) - Shares av.db curated category or tags: cli, security, supply-chain.
- [pwned](https://www.automicvault.com/zh-hans/pkg/brew/pwned/) - Shares av.db curated category or tags: cli, nodejs, security.
- [ratchet](https://www.automicvault.com/zh-hans/pkg/brew/ratchet/) - Shares av.db curated category or tags: cli, security, supply-chain.
- [scorecard](https://www.automicvault.com/zh-hans/pkg/brew/scorecard/) - Shares av.db curated category or tags: cli, security, supply-chain.
- [aide](https://www.automicvault.com/zh-hans/pkg/brew/aide/) - Shares av.db curated category or tags: cli, security.
- [aircrack-ng](https://www.automicvault.com/zh-hans/pkg/brew/aircrack-ng/) - Shares av.db curated category or tags: cli, security.
- [amass](https://www.automicvault.com/zh-hans/pkg/brew/amass/) - Shares av.db curated category or tags: cli, security.
- [cdxgen](https://www.automicvault.com/zh-hans/pkg/brew/cdxgen/) - Both packages touch the same language runtime or ecosystem. Shared terms: audit, chain, cli, node, security.

## Combined YAML source

View the package source record on GitHub. [combined/npq.yml](https://github.com/automic-vault/db/blob/main/combined/npq.yml)


## 来源

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- cross-ecosystem install command graph
