npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

nsp-2

v2.6.3

Published

The Node Security (nodesecurity.io) command line interface

Downloads

17

Readme

nsp Build Status

About Node Security

Node Security helps you keep your node applications secure. With Node Security you can:

  • Make use of the CLI tool to help identify known vulnerabilities in your own projects.
  • Get access to Node Security news and information from the ^lift team.

Installing the CLI (nsp)

  • To install the Node Security command line tool: npm install -g nsp
  • Then run nsp --help to find out more.

Output Format

You can adjust how the client outputs findings by specifying one of the following format options:

  • default
  • summary
  • json
  • codeclimate
  • none

Example: nsp check --output summary

Additionally, you can use third-party formatters. The packages of custom formatters must adhere to the naming scheme nsp-formatter-<name> and can then be referenced by that name:

$ npm install -g nsp nsp-formatter-checkstyle
$ nsp check --output checkstyle

Please note that in case of naming conflicts built-in formatters (as listed above) take precedence. For instance, nsp-formatter-json would never be used since nsp ships with a json formatter.

Exceptions

The Node Security CLI supports adding exceptions. These are advisories that you have evaluated and personally deemed unimportant for your project.

In order to leverage this capability, create a .nsprc file in the root of your project with content like the following:

{
  "exceptions": ["https://nodesecurity.io/advisories/12"]
}

The URLs used in the array should match the advisory link that the CLI reports. With this in place, you will no longer receive warnings about any advisories in the exceptions array.

Be careful using this feature. If you add code later that is impacted by an excluded advisory, Node Security has no way of knowing. Keep a careful eye on your exceptions.

.nsprc is read using rc, so it supports comments using json-strip-comments.

Proxy Support

The Node Security CLI has proxy support by using proxy-agent.

The currently implemented protocol mappings are listed in the table below:

| Protocol | Example |:----------:|:--------: | http | http://proxy-server-over-tcp.com:3128 | https | https://proxy-server-over-tls.com:3129 | socks(v5)| socks://username:[email protected]:9050 (username & password are optional) | socks5 | socks5://username:[email protected]:9050 (username & password are optional) | socks4 | socks4://some-socks-proxy.com:9050 | pac | pac+http://www.example.com/proxy.pac

To configure the proxy set the proxy key in your .nsprc file. This can be put in the root of your project or in your home directory.

{
    "proxy": "http://127.0.0.1:8080"
}

Offline Mode

nsp has an offline mode which was previously undocumented. We recommend not relying on offline support as it may become unsupported in the future as new features are added.

First you need to obtain the offline advisories database. Do this by running the npm run setup-offline script provided by nsp

Second you need to tell nsp where to find that file. You can do that 3 ways.

  1. Put it in the actual nsp module folder and no other configuration is required
  2. Specify it in the .nsprc configuration file advisoriesPath: "/path/to/advisories.json"
  3. Specify it from the command line when you call nsp nsp check --offline --advisoriesPath=/path/to/advisories.json

When you call nsp check you will want to use the --offline flag

A couple of notes

  • Offline mode requires that your project include a npm-shrinkwrap.json file.
  • Because of npm3 flattening reported paths may be incorrect.

Code Climate Node Security Engine

codeclimate-nodesecurity is a Code Climate engine that wraps the Node Security CLI. You can run it on your command line using the Code Climate CLI, or Code Climate's hosted analysis platform.

Note that this engine only works if your code has a npm-shrinkwrap.json file committed.

Testing

First, build this repo with docker

git clone [email protected]:nodesecurity/nsp
cd nsp
docker build -t codeclimate/codeclimate-nodesecurity .

Install the codeclimate CLI

brew tap codeclimate/formulae
brew install codeclimate

Go into your project's directory and enable codeclimate

codeclimate init

Then edit .codeclimate.yml to add the engine like so

---
engines:
  nodesecurity:
    enabled: true
exclude_paths: []

And finally run it

codeclimate analyze --dev

Suggesting Changes to Advisories

Should you come across data in an advisory that you feel is wrong or is a false positive please let us know at [email protected]. We endeavor to make this process better in the future, however this is the best place to resolve these issues at the present.

Contact

Node Security (+) is brought to you by ^lift security.

License

Copyright (c) 2016 by ^Lift Security

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

   http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

See the License for the specific language governing permissions and
limitations under the License.

Note: the above text describes the license for the code located in this repository only. Usage of this tool or the API this tool accesses implies acceptance of our terms of service.

nsp npm cdn