lirantal/npq

npq offloading responsibilities to package manager (yarn)

Closed this issue · 5 comments

Question:

@lirantal Can you explain a bit more how npq 'offloads' responsibilities to yarn package manager please?

I was following the setup in the docs to get the npq package working with yarn in CI, however in our GitLab job logs I'm not seeing any specific output during the dep packages installation and I'm not sure if the package is working.

https://www.npmjs.com/package/npq#offload-to-package-managers

Thanks!

If you only need to test a package, useful for CI, then use the npq binary directly like this:

npq --packageManager yarn add express

If you need to enable this behind the scenes because you are using npm or yarn and want to invoke those directly but you aliased them to npq-hero then you can use this type of alias with a definition for an environment variable:

alias yarn="NPQ_PKG_MGR=yarn npq-hero"

Hi @lirantal thank you for the reply!

I am using the 2nd command in our pipeline before calling yarn install to install the packages.

I'm just not sure what the expected behaviour should be as there isn't any information being logged to indicate whether npq is working as expected or not.

Here is a code snippet from our CI pipeline:

before_script:
  - |
    yarn global add npq
    alias yarn="NPQ_PKG_MGR=yarn npq-hero"
    type yarn
script:
  - CI_JOB_SKIP_EXIT_CODE=0
  - echo 'yarn-offline-mirror ".yarn-cache/"' >> .yarnrc
  - echo 'yarn-offline-mirror-pruning true' >> .yarnrc
  - yarn install --frozen-lockfile --no-progress --prefer-offline --network-timeout 1000000

Ok, I see where the confusion lies :-)

Here's more context:

  1. npq isn't suited yet to be run inside a CI, so it can't yet detect it, and it expects interaction on the TTY (see the demo in the README that shows at the end the prompt for Y/N, which you can't do in CI)
  2. npq requires a list of packages to be installed, which it runs checks for. So if you do just a yarn install or npm install then npq doesn't get triggered and doesn't check your existing packages

If you do want to integrate npq with a CI, for example, to check during PRs when a new package is introduced, and you have a way to provide that package (or packages) as a list to npq then you can do the following:

$ npq --dry-run install express
⚠ Supply Chain Security
  ✔ Checking for known vulnerabilities
  ✔ Verifying registry signatures for package
  ✖ Verifying package provenance
  ✖ Identifying package author...
✔ Package Health
  ✔ Checking for typosquatting
  ✔ Checking availability of a LICENSE
  ✔ Checking package maturity
✔ Malware Detection
  ✔ Checking package for pre/post install scripts
  ✔ Identifying package repository...
  ✔ Detecting expired domains for authors account...
  ✔ Checking package download popularity

Detected possible issues with the following packages:
  [express@latest]
    - Unable to verify provenance: the package was published without any attestations.
    - The user wesleytodd <wes@wesleytodd.com> published this package for the first time only 5 days prior to this version.

As you can see, the CLI is invoked with --dry-run and you can grep for possible issues (there's no exit code defined that will break the build)
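Since npq's dry run does not set a failing exit code, a CI job has to turn the report text into a pass/fail decision itself. The script below is an added example, not code from npq or from the maintainer's reply: it parses the "Detected possible issues" section of a report (a sample report constructed from the output quoted above is embedded so the parsing runs offline), fails the job when any package is listed, and wraps the `npq --dry-run install` invocation shown above for a list of package specs. It assumes npq is on PATH and that the report keeps the header and `[name@version]` layout seen in this thread.

```shell
#!/bin/sh
# Added example (not part of npq): fail a CI step when npq --dry-run flags a package.
# npq itself exits 0 either way, so the gate is built on its report text.

# Constructed sample report, shaped like the npq output quoted in the thread.
NPQ_SAMPLE_REPORT='⚠ Supply Chain Security
  ✔ Checking for known vulnerabilities
  ✖ Verifying package provenance

Detected possible issues with the following packages:
  [express@latest]
    - Unable to verify provenance: the package was published without any attestations.
    - The user wesleytodd <wes@wesleytodd.com> published this package for the first time only 5 days prior to this version.'

# Constructed report with no findings.
NPQ_CLEAN_REPORT='✔ Supply Chain Security
  ✔ Checking for known vulnerabilities
✔ Package Health
  ✔ Checking for typosquatting'

# npq_flagged_packages: read an npq report on stdin and print every package spec
# listed under the "Detected possible issues" header, one per line, brackets stripped.
npq_flagged_packages() {
  awk '
    /^Detected possible issues/ { in_list = 1; next }
    in_list && /^  \[.*\]$/ {
      line = $0
      sub(/^  \[/, "", line)
      sub(/\]$/, "", line)
      print line
    }
  '
}

# npq_gate: return 1 (fail the job) when the report on stdin flags any package, else 0.
npq_gate() {
  flagged=$(npq_flagged_packages)
  if [ -n "$flagged" ]; then
    printf 'npq flagged packages:\n%s\n' "$flagged" >&2
    return 1
  fi
  return 0
}

# npq_check_packages: run the dry run from the thread over the given package specs
# (the "list" of newly introduced packages) and gate on the result.
# Assumes npq is installed and on PATH; npq's own exit status is ignored on purpose.
npq_check_packages() {
  [ "$#" -gt 0 ] || return 0          # nothing new to check
  report=$(npq --dry-run install "$@") || true
  printf '%s\n' "$report"             # keep the full report in the job log
  printf '%s\n' "$report" | npq_gate
}
```

In a pipeline the caller would compute the list of package specs added in the change (for example by diffing the manifest against the target branch) and pass them as `npq_check_packages express lodash`; an empty list passes without invoking npq.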

Thanks for the detailed reply @lirantal :)

I have tried npq locally and it looks really great! As a team, it would benefit us to have this running in CI as a longer term, automated solution, hence why I was trying it out in that way. We have a lot of dependencies we install before we kick off build and test jobs.

Yep, makes sense, and thanks for the kind words :)

I'll see about working out a roadmap for something more fitting for CI and all deps scanning.