MINOR Replace nsp with npm audit

2026-03-13 08:40:16 +08:00 · 2018-08-19 17:05:05 +12:00
parent a409e75304
commit b892342e52
5 changed files with 7 additions and 20 deletions
--- a/README.md
+++ b/README.md
@@ -723,7 +723,7 @@ All statements above will return false if used with `===`

 <a href="https://www.owasp.org/index.php/Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities" target="_blank"><img src="https://img.shields.io/badge/%E2%9C%94%20OWASP%20Threats%20-%20A9:Known%20Vulnerabilities%20-green.svg" alt=""/></a>

-**TL;DR:** With the npm ecosystem it is common to have many dependencies for a project. Dependencies should always be kept in check as new vulnerabilities are found. Use tools like [npm audit](https://docs.npmjs.com/cli/audit), [nsp](https://nodesecurity.io/) or [snyk](https://snyk.io/) to track, monitor and patch vulnerable dependencies. Integrate these tools with your CI setup so you catch a vulnerable dependency before it makes it to production
+**TL;DR:** With the npm ecosystem it is common to have many dependencies for a project. Dependencies should always be kept in check as new vulnerabilities are found. Use tools like [npm audit](https://docs.npmjs.com/cli/audit) or [snyk](https://snyk.io/) to track, monitor and patch vulnerable dependencies. Integrate these tools with your CI setup so you catch a vulnerable dependency before it makes it to production.

 **Otherwise:** An attacker could detect your web framework and attack all its known vulnerabilities.

--- a/assets/images/greenkeeper.png
+++ b/assets/images/greenkeeper.png
--- a/assets/images/npm-audit.png
+++ b/assets/images/npm-audit.png
--- a/assets/images/snyk.png
+++ b/assets/images/snyk.png
--- a/sections/security/dependencysecurity.md
+++ b/sections/security/dependencysecurity.md
@@ -8,32 +8,19 @@ There is a number of tools available to help identify third-party packages in No

 ### Table of Contents

- [Node Security Platform (nsp)](#node-security-platform)
+- [NPM audit](#npm-audit)
 - [Snyk](#snyk)
 - [Greenkeeper](#greenkeeper)

-### Node Security Platform (nsp)
+### NPM Audit

-Node Security Platform is a set of services targeted towards dependency management with a focus on security.
+`npm audit` is a new cli tool introduced with NPM@6. 

-The most common use of this tool is the service nsp Live. This is a service which integrates into a project's CI workflow and Github Pull Requests to identify vulnerabilities present in the project. The benefits of this mean that when new modules are added, any vulnerabilites are automatically identified in order for the security risk to be mitigated before these dependencies reach master. This also includes new vulnerabilites which are found in existing dependencies, as well as when new dependencies are introduced.
+Running `npm audit` will produce a report of security vulnerabilities with the affected package name, vulnerability severity and description, path, and other information, and, if available, commands to apply patches to resolve vulnerabilities.

-There is also an nsp CLI tool, which traverses your dependencies checking for vulnerabilities against the advisories list. To use this tool:
-Install the module globally.
+![npm audit example](/assets/images/npm-audit.png)

-`npm install -g nsp`
-
-Run the CLI tool from the root of the project directory.
-
-`nsp check`
-
-An example output of `nsp check`:
-
-![nsp check example](/assets/images/nsp.png)
-
-🔗 [Read on: NSP website](https://nodesecurity.io/)
-
-🔗 [Read on: Example advisory for a recent vulnerability in moment.js](https://nodesecurity.io/advisories/532)
+🔗 [Read on: NPM blog](https://docs.npmjs.com/getting-started/running-a-security-audit)

 ### Snyk