Since we don't use grunt in this repo, we can probably just do some clever coding in .travis.yml to do a local install of nsp and run it against the package.json file (which is less efficient than npm-shrinkwrap.json linting, but we don't use shrinkwrap either). I reckon it may be as easy as this pseudo-yaml:

Running that locally for me gives me:

```
$ ./node_modules/.bin/nsp package
No vulnerable modules found
```

But basically it checks each dependency (nested) for potentially compromised modules using the https://nodesecurity.io API. This has come in very useful recently in other repos where there were some Hapi issues which were quickly patched. But getting a good warning in our Travis logs is always nice.

Plus it doesn't add too much time to our Travis build process:

```
$ time nsp package
No vulnerable modules found

real 0m5.236s
user 0m2.274s
sys 0m0.261s
```
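For reference, an added example of what such a .travis.yml could look like; this is not the commenter's own pseudo-yaml (which is absent from the page) and not the project's config. It assumes a Node project whose tests run with `npm test`, that the `nsp package` command shown above is available after a local `npm install nsp`, that nsp exits non-zero when it finds a vulnerable dependency, and the Node version listed is a placeholder to adjust to the project's own:

```yaml
language: node_js
node_js:
  - "0.10"   # placeholder version, replace with the project's supported Node releases
before_script:
  # Local install keeps the nsp CLI per build instead of relying on a global install
  - npm install nsp
script:
  - npm test
  # Checks package.json dependencies (nested) against the nodesecurity.io advisories;
  # a non-zero exit on findings fails the build, so the warning lands in the Travis log
  - ./node_modules/.bin/nsp package
```

Keeping the nsp step as a separate `script` entry rather than chaining it with `&&` means the test output and the dependency check are both visible in the log even when one of them fails.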