Complete configuration options for npq.
NPQ_PKG_MGR=yarn # Use yarn instead of npm
NPQ_PKG_MGR=pnpm # Use pnpm instead of npm
NPQ_DISABLE_AUTO_CONTINUE=true # Always prompt for confirmation

By default, npq automatically proceeds with installation after a 15-second countdown when only warnings (no errors) are detected. When auto-continue is disabled, npq always prompts for explicit confirmation.
SNYK_TOKEN=your_token_here # Snyk API authentication
SNYK_API_TOKEN=your_token_here # Alternative Snyk token variable
SNYK_API_URL=https://api.snyk.io # Custom Snyk API endpoint

The Snyk API provides more comprehensive vulnerability data. Without a token, npq falls back to the OSV API. The token is a credential: inject it from a secrets manager or a CI secret rather than committing it to a dotfile in version control.
GITHUB_TOKEN=your_token_here # GitHub API token for deprecation checks

The GitHub API is used to check whether a package's source repository is archived (the deprecation marshall). Without a token the rate limit is 60 requests/hour per source IP address; with a token it is 5000 requests/hour.
Disable specific security checks via environment variables:
# Disable individual marshalls
MARSHALL_DISABLE_AGE=1 # Package age checks
MARSHALL_DISABLE_AUTHOR=1 # Author reputation
MARSHALL_DISABLE_DEPRECATION=1 # Deprecation detection
MARSHALL_DISABLE_DOWNLOADS=1 # Popularity checks
MARSHALL_DISABLE_MAINTAINERS_EXPIRED_EMAILS=1 # Maintainer e-mail domains that have expired (account takeover risk)
MARSHALL_DISABLE_LICENSE=1 # License verification
MARSHALL_DISABLE_NEWBIN=1 # New binary detection
MARSHALL_DISABLE_PROVENANCE=1 # Provenance verification
MARSHALL_DISABLE_REPO=1 # Repository validation
MARSHALL_DISABLE_SCRIPTS=1 # Install script warnings
MARSHALL_DISABLE_SIGNATURES=1 # Registry signatures
MARSHALL_DISABLE_SNYK=1 # Vulnerability checks
MARSHALL_DISABLE_TYPOSQUATTING=1 # Name similarity checks
MARSHALL_DISABLE_VERSION_MATURITY=1 # Version age checks
# Use with npq commands
MARSHALL_DISABLE_SNYK=1 npq install express
# Disable multiple marshalls
MARSHALL_DISABLE_AGE=1 MARSHALL_DISABLE_DOWNLOADS=1 npq install package

# Disable checks for internal/corporate packages
export MARSHALL_DISABLE_DOWNLOADS=1
export MARSHALL_DISABLE_AGE=1
export MARSHALL_DISABLE_TYPOSQUATTING=1
npq install @company/internal-package

Exported variables persist for the rest of the shell session, so every later install in that shell, public packages included, silently skips the same checks. Prefer the per-command form (MARSHALL_DISABLE_AGE=1 npq install package) or unset the variables once the internal install is done.

# Disable all non-security checks
export MARSHALL_DISABLE_AGE=1
export MARSHALL_DISABLE_AUTHOR=1
export MARSHALL_DISABLE_DOWNLOADS=1
export MARSHALL_DISABLE_REPO=1
export MARSHALL_DISABLE_TYPOSQUATTING=1
export MARSHALL_DISABLE_DEPRECATION=1
# Keep security checks enabled:
# - snyk (vulnerabilities)
# - scripts (malware)
# - signatures (integrity)
# - provenance (supply chain)
# - maintainers expired emails (expired e-mail domains, account takeover)
npq install package

# Disable slow network-dependent checks
export MARSHALL_DISABLE_REPO=1 # Avoids HTTP requests
export MARSHALL_DISABLE_DEPRECATION=1 # Avoids GitHub API calls
export MARSHALL_DISABLE_PROVENANCE=1 # Avoids sigstore verification
npq install package

This trades away provenance verification, which the previous example keeps enabled as a supply-chain check. Limit it to offline or rate-limited environments, and unset the variables afterwards.

Usage: npq install <package> [options]
Commands:
install [package...] Install one or more packages after auditing
Options:
--dry-run Run checks only, don't install
--plain Force non-rich text output
--packageManager Package manager to use (default: npm)
--pkgMgr Alias for packageManager
--disable-auto-continue Disable auto-continue countdown, always prompt
-h, --help Show help
-v, --version Show version

By default, npq automatically proceeds with installation after a 15-second countdown when only warnings (no errors) are detected:
# Disable via CLI flag
npq install express --disable-auto-continue
# Disable via environment variable
export NPQ_DISABLE_AUTO_CONTINUE=true
npq install express
# Set permanently in shell profile
echo 'export NPQ_DISABLE_AUTO_CONTINUE=true' >> ~/.bashrc
echo 'export NPQ_DISABLE_AUTO_CONTINUE=true' >> ~/.zshrc

When disabled, npq always prompts for explicit confirmation before proceeding with installation. An explicit prompt needs an interactive terminal; for non-interactive runs such as CI, --dry-run runs the checks without the install step.
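The following wrapper is an added example, not part of npq, that ties together the MARSHALL_DISABLE_* section and the CLI options above: it applies the per-package disable set on the npq command line itself (via env, so nothing is exported into the wider shell session) and picks the flags for an interactive install versus a non-interactive audit. It assumes a hypothetical corporate scope "@company", that the disable set for that scope is the one this page shows (downloads, age, typosquatting), and that a --dry-run needs no confirmation because nothing is installed; npq itself is only invoked when the script is given arguments.

```shell
#!/bin/sh
# Added example (not npq's own code): scope MARSHALL_DISABLE_* to one npq
# invocation instead of exporting it, and choose flags per mode.
# Assumption: "@company" is the hypothetical internal scope.

INTERNAL_SCOPE="@company"

# Print the MARSHALL_DISABLE_* assignments for one package name, or nothing.
# Every security marshall (snyk, scripts, signatures, provenance,
# maintainers-expired-emails) stays enabled in both branches.
npq_env_for() {
  case "$1" in
    "$INTERNAL_SCOPE"/*)
      printf '%s' 'MARSHALL_DISABLE_DOWNLOADS=1 MARSHALL_DISABLE_AGE=1 MARSHALL_DISABLE_TYPOSQUATTING=1'
      ;;
    *)
      printf '%s' ''
      ;;
  esac
}

# Print the npq flags for a mode:
#   install  interactive; never auto-continue past warnings
#   audit    non-interactive (CI); checks only, plain output, no install
npq_flags_for() {
  case "$1" in
    install) printf '%s' '--disable-auto-continue' ;;
    audit)   printf '%s' '--dry-run --plain' ;;
    *)       echo "unknown mode: $1" >&2; return 1 ;;
  esac
}

# Print the full command line that would run, for logging and review.
npq_cmd_for() {
  pkg="$1"; mode="$2"
  envs="$(npq_env_for "$pkg")"
  flags="$(npq_flags_for "$mode")" || return 1
  if [ -n "$envs" ]; then
    printf '%s npq install %s %s' "$envs" "$pkg" "$flags"
  else
    printf 'npq install %s %s' "$pkg" "$flags"
  fi
}

# Run npq once per package. `env` limits the variables to that one process;
# the unquoted expansions are intentional so each VAR=1 and flag is its own word.
npq_run() {
  mode="$1"; shift
  for pkg in "$@"; do
    echo "+ $(npq_cmd_for "$pkg" "$mode")"
    # shellcheck disable=SC2046
    env $(npq_env_for "$pkg") npq install "$pkg" $(npq_flags_for "$mode") || return 1
  done
}

# Usage: ./npq-wrap.sh install express @company/internal-package
#        ./npq-wrap.sh audit express
if [ "$#" -gt 0 ]; then
  npq_run "$@"
fi
```

Because the disable set is keyed on the package name's scope rather than on an exported variable, a public package installed in the same session still gets the full set of checks, and the logged command line shows exactly which marshalls were skipped for each package.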