TL;DR
Newman, Postman’s official CLI runner, requires npm and Node.js in your CI pipeline. That introduces supply chain risk, adds dependency management overhead, and on Postman’s free tier, collection runs via the API are now rate-limited. This guide covers three alternatives for running API tests in CI without Newman: Apidog’s CLI runner, k6, and Hurl. Apidog is the most direct path if you have existing Postman collections because it imports them natively and has no per-run limits.
Introduction
Newman was a good idea. A CLI tool that runs Postman collections in CI pipelines made API testing portable and automatable. It shipped with Postman’s brand trust, integrated with GitHub Actions via a popular community action, and worked well enough that many teams built their entire API test automation strategy around it.
Then three problems emerged.
First, Newman is an npm package. Every pipeline that uses it pulls from the npm registry at build time. The 2021 ua-parser-js compromise and the 2022 node-ipc incident demonstrated that npm supply chain attacks are not theoretical. Security teams started asking why the API testing layer needed npm at all.
Second, Postman began limiting collection runs on free and basic paid tiers. Teams that relied on running collections via the Postman API as part of CI hit quotas and had to either upgrade plans or redesign their pipelines.
Third, Newman’s maintenance pace has slowed. Issues sit open on GitHub for months. Some newer Postman scripting APIs have inconsistent support in Newman.
The result: developers who built CI pipelines on Newman are now looking for alternatives. Here’s what’s available.
Option 1: Apidog CLI (recommended for Postman collection users)
Apidog’s CLI runner is the closest functional replacement for Newman if you’re already invested in Postman collections.
What it supports
- Postman Collection v2 and v2.1 format
- Postman environments (JSON export)
- `pm.test`, `pm.expect`, `pm.environment.set`, `pm.collectionVariables.set`
- Pre-request and post-request scripts
- Data-driven testing via CSV and JSON data files
- JUnit XML and JSON output for CI reporting
No npm required. The Apidog CLI is distributed as a standalone binary. You download it once, add it to your PATH, and it runs.
No per-run limits. Apidog doesn’t cap collection runs on any plan. A pipeline that runs 500 collections per day works the same as one that runs 5.
Installation
Download the CLI binary for your platform from apidog.com/cli or use the shell installer:
```bash
# macOS / Linux
curl -sSf https://apidog.com/cli/install.sh | sh

# Verify
apidog --version
```
For Docker-based CI runners, Apidog provides an official image:
```dockerfile
FROM apidog/cli:latest
```
Running a Postman collection
Export your collection from Postman (File > Export > Collection v2.1) and your environment (Manage Environments > Export).
Then run:
```bash
apidog run collection.json \
  --environment environment.json \
  --reporter-junit results.xml
```
GitHub Actions example
```yaml
name: API Tests
on: [push, pull_request]
jobs:
  api-tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install Apidog CLI
        run: curl -sSf https://apidog.com/cli/install.sh | sh
      - name: Run API tests
        run: |
          apidog run ./tests/collection.json \
            --environment ./tests/env.json \
            --reporter-junit test-results.xml
      - name: Upload test results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: api-test-results
          path: test-results.xml
```
No npm install, no package.json, no Node.js version matrix. The job runs faster and the dependency surface is smaller.
GitLab CI example
```yaml
api-tests:
  image: apidog/cli:latest
  script:
    - apidog run ./tests/collection.json
      --environment ./tests/env.json
      --reporter-junit test-results.xml
  artifacts:
    reports:
      junit: test-results.xml
```
Option 2: k6
k6 is a load testing tool from Grafana Labs that also handles functional API testing. It’s worth knowing because it’s genuinely excellent for performance testing alongside functional checks.
What it supports
- HTTP/1.1, HTTP/2, WebSocket, gRPC
- JavaScript test scripts (ES6+)
- Thresholds for performance assertions
- Output to InfluxDB, Prometheus, Datadog
What it doesn’t support
- Native Postman collection format. You can convert Postman collections to k6 scripts using the `postman-to-k6` converter, but the output often needs manual cleanup, especially for complex scripts.
- Postman’s `pm.*` API natively. The conversion layer emulates it but with gaps.
When to choose k6
If you need to combine functional testing with performance testing in the same pipeline – for example, verifying API correctness under load – k6 is worth the migration cost. If you just want to replace Newman for functional tests, Apidog is faster to set up.
Basic k6 usage in CI
```bash
# Install (Linux; assumes the k6 apt repository is already configured on the runner)
sudo apt-get install k6

# Run a test script
k6 run api-tests.js
```
In CI, k6 reports pass/fail based on the threshold definitions in your script. JUnit XML output is available via the k6-reporter package.
Option 3: Hurl
Hurl is an open-source HTTP testing tool written in Rust. It’s fast, has zero runtime dependencies, and uses a plain-text DSL for defining requests and assertions.
What it supports
- HTTP/1.1 and HTTP/2
- JSON, XPath, and regex assertions
- Variables and chaining requests
- HTML, JUnit, and JSON output
What it doesn’t support
- Postman collection format. Hurl uses its own `.hurl` file format. There’s no automated converter.
- JavaScript test scripts. Assertions are declarative, not programmatic.
When to choose Hurl
If you’re willing to rewrite your tests in Hurl’s DSL, you get a remarkably small binary with no runtime. The binary is a single 10 MB file. Hurl is a strong choice for new projects where you’re not carrying Postman collection debt.
Basic Hurl test example
```hurl
GET https://api.example.com/users/1
HTTP 200
[Asserts]
jsonpath "$.id" == 1
jsonpath "$.email" isString
```
Hurl in GitHub Actions
```yaml
- name: Install Hurl
  run: |
    curl -LO https://github.com/Orange-OpenSource/hurl/releases/latest/download/hurl-x86_64-unknown-linux-gnu.tar.gz
    tar -xf hurl-*.tar.gz
    sudo mv hurl /usr/local/bin/
- name: Run API tests
  run: hurl --test tests/*.hurl
```
Comparing the three options
| Feature | Apidog CLI | k6 | Hurl |
|---|---|---|---|
| Postman import | Native | Converter (lossy) | No |
| npm dependency | No | No | No |
| JavaScript scripting | Yes (pm.* API) | Yes (ES6) | No (DSL only) |
| Performance testing | No | Yes | No |
| Binary size | ~50 MB | ~30 MB | ~10 MB |
| Free run limits | None | None | None |
| JUnit output | Yes | Via plugin | Yes |
Migrating from Newman: practical steps
If you have an existing Newman-based pipeline, here’s the migration path to Apidog CLI:
1. Export your collections. In Postman, right-click each collection and export as v2.1. Export your environments separately.
2. Install Apidog CLI. Add the install step to your CI config.
3. Replace the Newman command. A typical Newman command looks like:

   ```bash
   newman run collection.json -e environment.json --reporters junit --reporter-junit-export results.xml
   ```

   The Apidog equivalent:

   ```bash
   apidog run collection.json --environment environment.json --reporter-junit results.xml
   ```

   The flag structure is similar by design.
4. Check script compatibility. Run your collection locally with Apidog CLI before committing the CI change. Most `pm.*` scripts run without modification. Scripts that use `pm.require` to load external modules need adjustment.
5. Remove Node.js from your CI config. If Newman was the only reason Node.js appeared in your pipeline, you can remove the Node.js setup step and the npm install step entirely.
FAQ
Is Newman officially deprecated? No, as of early 2026 Newman is still maintained by Postman. But the maintenance pace is slow and several open issues affect real-world use cases. It’s not going away soon, but building new pipelines on it carries increasing risk.
Does Apidog CLI require an Apidog account? For running locally exported collections, no. For syncing collections from an Apidog workspace, yes. If you’re migrating from Postman, you can run purely from exported JSON files.
Can Apidog CLI run data-driven tests? Yes. Pass a CSV or JSON data file with the `--iteration-data` flag. This is equivalent to Newman’s `-d` flag for data-driven iteration.
What’s the supply chain risk with npm-based runners? Any package pulled from npm at CI time is a potential attack surface. Compromised packages can exfiltrate environment variables, which in a CI context includes API keys and tokens. A binary runner downloaded over HTTPS and pinned to a checksum avoids this class of risk.
Does k6 support gRPC testing? Yes. k6 has native gRPC support, which makes it one of the few open-source tools that handles both REST and gRPC in the same test suite. If your API surface includes gRPC endpoints, k6 is worth evaluating.
Does Hurl support authentication headers? Yes. Hurl supports custom headers, including Authorization, Bearer, and cookie-based auth. Variables allow you to inject secrets from environment variables at runtime.
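The FAQ answer on supply chain risk depends on the runner being pinned to a checksum, which a plain download step does not do by itself. As an added example (not from the original article or any vendor's tooling), this POSIX shell function installs a downloaded binary only if it matches a SHA-256 digest committed to your repository. The function names, `RUNNER_URL` and `RUNNER_SHA256` are hypothetical placeholders, and the demo input is constructed.

```sh
# Added example: install a downloaded CLI only if it matches a pinned SHA-256.
# RUNNER_URL / RUNNER_SHA256 below are hypothetical placeholders.

# Print the SHA-256 of a file as lowercase hex (GNU coreutils or macOS shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# install_pinned <artifact> <expected_sha256> <dest>
# 0 = verified and installed, 1 = digest mismatch, 2 = bad pin or missing file.
install_pinned() {
  ip_artifact=$1; ip_expected=$2; ip_dest=$3
  # A pin must be exactly 64 hex characters; an empty or truncated pin is an error.
  case "$ip_expected" in
    ''|*[!0-9a-fA-F]*) echo "malformed pin" >&2; return 2 ;;
  esac
  [ "${#ip_expected}" -eq 64 ] || { echo "malformed pin" >&2; return 2; }
  [ -f "$ip_artifact" ] || { echo "missing artifact: $ip_artifact" >&2; return 2; }
  ip_expected=$(printf '%s' "$ip_expected" | tr 'A-F' 'a-f')
  ip_actual=$(sha256_of "$ip_artifact") || return 2
  if [ "$ip_actual" != "$ip_expected" ]; then
    echo "checksum mismatch: expected $ip_expected, got $ip_actual" >&2
    return 1
  fi
  # Copy into place only after verification; nothing is executed before this.
  install -m 0755 "$ip_artifact" "$ip_dest"
}

# In a CI step (placeholders; the digest is committed to the repo, not fetched
# from the same server as the binary):
#   curl -fsSLo runner.bin "$RUNNER_URL"
#   install_pinned runner.bin "$RUNNER_SHA256" /usr/local/bin/runner

# Constructed demo: pin a throwaway file, then modify it and try again.
demo_dir=$(mktemp -d)
printf 'constructed runner payload\n' > "$demo_dir/runner.bin"
demo_pin=$(sha256_of "$demo_dir/runner.bin")
install_pinned "$demo_dir/runner.bin" "$demo_pin" "$demo_dir/runner" && echo "verified and installed"
printf 'tampered\n' >> "$demo_dir/runner.bin"
install_pinned "$demo_dir/runner.bin" "$demo_pin" "$demo_dir/runner2" || echo "refused modified artifact"
rm -rf "$demo_dir"
```

The same pinning idea applies to container images: referencing an image by digest instead of a moving tag keeps the pipeline from silently picking up a different build.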
Newman’s era of being the default CI choice for API tests is ending. The supply chain risks are real, the free tier limits have changed the math for many teams, and better alternatives now exist. The migration to a Newman-free pipeline is straightforward, especially if you’re moving to Apidog CLI with your existing Postman collections.



