Please consider using NVD for npm packages
If I understand correctly, Dependency Check uses only NSP for checking npm packages. The following command produces a report which refers only to advisories provided by Node Security Project:
${OWASP_DEPENDENCY_CHECK_HOME}/bin/dependency-check.sh --project myproject --out dependency-check --scan package.json
But if NSP analyzer is disabled, then you’ll get an empty report:
${OWASP_DEPENDENCY_CHECK_HOME}/bin/dependency-check.sh --project myproject --out dependency-check --scan package.json --disableNSP
NVD contains CVEs reported against npm packages, for example:
This case is covered by the advisory from Node Security Project. But there may be issues which are not covered by Node Security Project. Furthermore, Node Security Project recently joined npm, Inc. The advisories are still there, but I am not sure how Node Security Project is going to work in future.
It might make sense to update Dependency Check to be able to use NVD for checking npm packages.
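An added illustration (not Dependency Check's own code and not part of the issue) of what NVD-based matching for npm packages involves: each package.json dependency is compared against NVD-style CPE match entries, which describe affected versions either as a fixed CPE version or as a range (versionStartIncluding / versionEndExcluding). The package.json content, the CPE entries and the CVE identifiers are all constructed placeholders, and the example assumes the CPE product field equals the npm package name and that the base version of a range spec such as `^4.0.0` is the installed version; in practice a lockfile gives the resolved version, and vendor/product naming is the hard part of CPE matching.

```python
import json
import re

# Constructed sample package.json (placeholder packages, not from the issue).
PACKAGE_JSON = json.dumps({
    "name": "myproject",
    "dependencies": {"example-lib": "1.2.3", "other-lib": "^4.0.0"},
})

# Constructed NVD-style CPE match entries; CVE ids are placeholders, not real advisories.
# NVD expresses affected versions as a CPE 2.3 string plus optional range bounds.
NVD_MATCHES = [
    {"cve": "CVE-PLACEHOLDER-1",
     "cpe23": "cpe:2.3:a:example_vendor:example-lib:*:*:*:*:*:node.js:*:*",
     "versionStartIncluding": "1.0.0", "versionEndExcluding": "1.2.4"},
    {"cve": "CVE-PLACEHOLDER-2",
     "cpe23": "cpe:2.3:a:other_vendor:other-lib:4.1.0:*:*:*:*:node.js:*:*"},
]

def parse_semver(version):
    """Turn '1.2.3' (optionally prefixed with ^, ~ or v) into a comparable tuple."""
    m = re.match(r"^[\^~v]?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unsupported version spec: {version}")
    return tuple(int(p) for p in m.groups())

def matches(entry, name, version):
    """True if the (name, version) pair falls inside the entry's affected set."""
    parts = entry["cpe23"].split(":")
    product, cpe_version = parts[4], parts[5]   # '*' means any version; see range bounds
    if product != name:                         # assumption: CPE product == npm name
        return False
    v = parse_semver(version)
    if cpe_version != "*":
        return v == parse_semver(cpe_version)
    lo = entry.get("versionStartIncluding")
    hi = entry.get("versionEndExcluding")
    if lo and v < parse_semver(lo):
        return False
    if hi and v >= parse_semver(hi):
        return False
    return True

def find_nvd_hits(package_json_text, nvd_matches):
    """Map each dependency to the placeholder CVE ids whose CPE entry matches it."""
    deps = json.loads(package_json_text).get("dependencies", {})
    hits = {}
    for name, spec in deps.items():
        for entry in nvd_matches:
            if matches(entry, name, spec):
                hits.setdefault(name, []).append(entry["cve"])
    return hits
```

With the constructed data, example-lib 1.2.3 falls inside [1.0.0, 1.2.4) and is reported, while other-lib resolves to 4.0.0 and does not match the 4.1.0 entry.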
Top GitHub Comments
NPM Inc. announced to close NSP in September 2018. How will the dependency-checker behave from September on regarding node modules?
It appears NSP was acquired by NPM, so we’re getting a [ERROR] api.nodesecurity.io now in the logs. Any ideas moving forward on what to use?