How To Safely Install Packages Using Npm Or Yarn On Linux
Picture this scenario. You want to install an application on your Linux box. The package is in an early stage of development and is available only on the NPM repository. You are a bit paranoid and skeptical about the authenticity of the package. What would you do? If you’re a programmer, you might read the package’s code and look for anything suspicious. If you don’t know about coding, you have no choice but to blindly trust the package and install it anyway. To remedy this problem, there is a program named “npq” that can be used to safely install packages using the Npm or Yarn package managers in Linux.
Npq audits the packages you’d like to install before installing them. If there are any known vulnerabilities, it will display a warning, so that you can safely skip the installation.
Npq will perform the following steps to verify if the package is safe or not.
- It will query the Snyk Vulnerability DB to check whether any known vulnerabilities exist for the package. If there are any, it will display a warning.
- Check the age of the package. If the package’s age is less than 22 days, it will show a warning message.
- Check package download count. If the package’s download count is less than 20 in the last month, it will show a warning.
- Check if there is a README for the package. If there is no README, it will show a warning.
- Check if the package has any pre or post install scripts. These scripts could be malicious, so it will display a warning message.
If you don’t see any warnings, the package is probably safe. Please note that I said the package is PROBABLY safe. There is no guaranteed safety: a malicious or vulnerable package could still exist that has no disclosure published in the Snyk database and passes all of npq’s checks.
After all tests have been performed, npq will hand over the installation of the actual package to the Npm or Yarn package manager. Npm is the default.
Please be mindful that Npq will not prevent you from installing packages. It only audits a package for possible security issues and displays a warning if there are any known problems. It is up to you to decide whether to skip the installation or continue at your own risk.
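The four local checks listed above (package age, download count, README, install scripts), as an added JavaScript example that is not npq’s own code, run over constructed metadata shaped like an npm registry packument. The Snyk lookup is left out because it needs network access and a token; the hook names in INSTALL_HOOKS and the function name auditPackument are assumptions made for this illustration.

```javascript
// Added illustration, not npq's code: the age, download-count, README and
// install-script heuristics from the article, run over constructed metadata
// shaped like an npm registry packument. Thresholds are the article's.
const MIN_AGE_DAYS = 22;
const MIN_MONTHLY_DOWNLOADS = 20;
// Assumed set of lifecycle hooks that npm runs automatically on install.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

function auditPackument(pkg, monthlyDownloads, now = new Date()) {
  const warnings = [];
  const latest = pkg['dist-tags'] && pkg['dist-tags'].latest;
  const manifest = (latest && pkg.versions && pkg.versions[latest]) || {};
  // Maturity: time.created is the date of the first publish.
  const created = pkg.time && pkg.time.created ? new Date(pkg.time.created) : null;
  if (!created || Number.isNaN(created.getTime())) {
    warnings.push('maturity: no usable creation date in metadata');
  } else {
    const ageDays = Math.floor((now - created) / 86400000);
    if (ageDays < MIN_AGE_DAYS) warnings.push(`maturity: package is only ${ageDays} days old`);
  }
  // Popularity: last-month download count, as returned by the downloads API.
  if (monthlyDownloads < MIN_MONTHLY_DOWNLOADS) {
    warnings.push(`popularity: only ${monthlyDownloads} downloads in the last month`);
  }
  // Documentation: an empty or missing README is a warning sign.
  if (!pkg.readme || pkg.readme.trim() === '') warnings.push('readme: package has no README');
  // Lifecycle scripts: anything that runs during install deserves a look.
  const scripts = manifest.scripts || {};
  const hooks = INSTALL_HOOKS.filter((h) => Object.prototype.hasOwnProperty.call(scripts, h));
  if (hooks.length > 0) {
    warnings.push(`scripts: runs ${hooks.map((h) => `${h} ("${scripts[h]}")`).join(', ')} on install`);
  }
  return warnings;
}

// Constructed sample metadata (not real packages), evaluated at a fixed "now".
const NOW = new Date('2024-06-01T00:00:00Z');
const YOUNG_PKG = {
  name: 'example-young-pkg', 'dist-tags': { latest: '0.0.1' },
  time: { created: '2024-05-27T00:00:00Z' }, readme: '',
  versions: { '0.0.1': { scripts: { postinstall: 'node setup.js' } } },
};
const MATURE_PKG = {
  name: 'example-mature-pkg', 'dist-tags': { latest: '3.2.0' },
  time: { created: '2019-03-10T00:00:00Z' }, readme: '# example-mature-pkg\nUsage: ...',
  versions: { '3.2.0': { scripts: { test: 'mocha' } } },
};
// auditPackument(YOUNG_PKG, 3, NOW) -> 4 warnings; auditPackument(MATURE_PKG, 40000, NOW) -> []
```

Real metadata for a package comes from the registry’s packument and the downloads API; a package that clears these heuristics has still only passed local sanity checks, not a vulnerability lookup.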
Make sure you have installed Nodejs on your Linux box. If not, refer to the following link.
After installing Nodejs, run the following command to install Npq:
$ npm install -g npq
The above command will place two binaries, npq and npq-hero, in your PATH.
Safely Install Packages Using Npm Or Yarn On Linux
To audit and install a package, for example tldr, simply run:
$ npq install tldr
✔ Checking package maturity
✖ Identifying package author...
✔ Checking package download popularity
✔ Checking availability of a README
✔ Identifying package repository...
✔ Checking package for pre/post install scripts
✖ Checking for known vulnerabilities
Detected possible issues with the following packages:
[tldr] - the package description has no e-mail associated with author(s). Proceed with care.
[*] - Unable to query for known vulnerabilities. Install snyk and authenticate or provide a SNYK_TOKEN env variable (https://snyk.io)
? Would you like to continue installing package(s)? (y/N)
As you see in the above output, there are three warnings:
- Npq couldn’t identify the author of the tldr package,
- There is no email address in the package’s description,
- I haven’t set up and authenticated with the Snyk database yet. To install the Snyk CLI and authenticate with the Snyk database, refer to this link.
If you don’t care about the warnings and trust it is safe, just type Y to continue installing the package.
Npq is just a pre-step tool that checks npm packages for known vulnerabilities before actually installing them. If you use it often in your day-to-day work, simply create an alias like the one below.
$ alias npm='npq-hero'
From now on, you can audit an npm package and install it with the usual command:
$ npm install package_name
Change default package manager
As I already mentioned, Npq hands the installation over to the Npm package manager by default after auditing a package. If you want to use Yarn as the default package manager instead, set the NPQ_PKG_MGR environment variable.
To create an alias with yarn as the package manager, do:
alias yarn="NPQ_PKG_MGR=yarn npq-hero"
Hope this helps.