Tools

Here are some tools you can use to keep known vulnerabilities from creeping into your projects.

nsp

nsp is the main command line interface to the Node Security Platform. It audits a package.json or npm-shrinkwrap.json file against the Node Security Platform API.

Installation

npm install nsp --global

Example Usage

From inside your project directory, run:

nsp check
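To make concrete what an audit of a package.json versus an npm-shrinkwrap.json actually compares, here is a small added example (it is not code from the nsp project, and it does not call the Node Security Platform API). It walks both manifest shapes and matches the resulting dependency list against an advisory feed. The advisory feed, both manifests, and every package name and version in them are constructed placeholders; real advisories use semver ranges rather than the exact version lists used here to keep the example dependency-free.

```javascript
// Added example, not part of nsp: a toy audit over the two input formats
// that nsp check accepts. All data below is constructed sample data.

// Constructed advisory feed: package name -> exact vulnerable versions.
// (Real feeds use semver ranges; exact versions keep this self-contained.)
const ADVISORIES = {
  'example-left-pad': ['1.0.0', '1.0.1'],
  'example-qs': ['6.0.0'],
};

// Constructed package.json: direct dependencies only, declared as ranges.
const PACKAGE_JSON = {
  name: 'demo-app',
  dependencies: { 'example-left-pad': '^1.0.0' },
  devDependencies: { 'example-mocha': '~3.0.0' },
};

// Constructed npm-shrinkwrap.json: the full resolved tree, nested and pinned.
const SHRINKWRAP = {
  name: 'demo-app',
  dependencies: {
    'example-left-pad': { version: '1.0.1' },
    'example-mocha': {
      version: '3.0.2',
      dependencies: { 'example-qs': { version: '6.0.0' } },
    },
  },
};

// Flatten a package.json: direct deps only; "version" is the declared range.
function depsFromPackageJson(pkg) {
  const out = [];
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      out.push({ name, version: range, resolved: false, path: [name] });
    }
  }
  return out;
}

// Flatten a shrinkwrap: recurse into nested "dependencies", recording the
// path so a finding shows which direct dependency pulled the package in.
function depsFromShrinkwrap(tree, parents = [], out = []) {
  for (const [name, entry] of Object.entries(tree.dependencies || {})) {
    const path = parents.concat(name);
    out.push({ name, version: entry.version, resolved: true, path });
    depsFromShrinkwrap(entry, path, out);
  }
  return out;
}

// Match flattened deps against the advisory feed. Only pinned versions can be
// matched exactly; a declared range is reported as "unresolved-range" so the
// caller knows the audit is incomplete without a lockfile.
function audit(deps, advisories) {
  const findings = [];
  for (const dep of deps) {
    const bad = advisories[dep.name];
    if (!bad) continue;
    if (!dep.resolved) {
      findings.push({ name: dep.name, version: dep.version, path: dep.path, status: 'unresolved-range' });
    } else if (bad.includes(dep.version)) {
      findings.push({ name: dep.name, version: dep.version, path: dep.path, status: 'vulnerable' });
    }
  }
  return findings;
}

function auditPackageJson() {
  return audit(depsFromPackageJson(PACKAGE_JSON), ADVISORIES);
}

function auditShrinkwrap() {
  return audit(depsFromShrinkwrap(SHRINKWRAP), ADVISORIES);
}

for (const f of auditShrinkwrap()) {
  console.log(`${f.status}: ${f.name}@${f.version} via ${f.path.join(' > ')}`);
}
```

The shrinkwrap audit finds the transitive example-qs dependency that the package.json audit cannot see at all, and it can match example-left-pad exactly where package.json only yields a range. That is the reason to audit the lockfile in CI rather than the manifest alone.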

gulp-nsp

A gulp plugin that runs the Node Security Platform audit on your package.json or npm-shrinkwrap.json.

Installation

npm install gulp-nsp --save-dev

Then in your gulpfile, add one of the following tasks:

var gulp = require('gulp');
var gulpNSP = require('gulp-nsp');
 
// Pick one of the task definitions below; gulp task names must be unique,
// so define 'nsp' only once in your gulpfile.
 
//To check your package.json
gulp.task('nsp', function (cb) {
  gulpNSP({package: __dirname + '/package.json'}, cb);
});
 
//To check your npm-shrinkwrap.json
gulp.task('nsp', function (cb) {
  gulpNSP({shrinkwrap: __dirname + '/npm-shrinkwrap.json'}, cb);
});
 
//If you don't want to stop your gulp flow when vulnerabilities are found, use the stopOnError option:
gulp.task('nsp', function (cb) {
  gulpNSP({
    package: __dirname + '/package.json',
    stopOnError: false
  }, cb);
});
 
//For enterprises building behind a proxy (HTTP_PROXY or HTTPS_PROXY), use the proxy option:
gulp.task('nsp', function (cb) {
  gulpNSP({
    shrinkwrap: __dirname + '/npm-shrinkwrap.json',
    proxy: process.env.HTTPS_PROXY
  }, cb);
});

grunt-nsp

Run the Node Security Platform audit as a grunt task.

Installation

npm install grunt-nsp --save-dev

Then in your Gruntfile, it can be enabled like this:

module.exports = function (grunt) {
  grunt.initConfig({
    nsp: {
      package: grunt.file.readJSON('package.json')
    }
  });
 
  grunt.loadNpmTasks('grunt-nsp');
};

vscode-nsp

A plugin for Visual Studio Code that runs the Node Security Platform audit from right within your editor.

Installation

From within VS Code, press ⌘+P and run the following command:

ext install vscode-nsp