Running NSP Offline
You’ll need to do this setup before you lose internet access.
First you’ll need to create an npm-shrinkwrap.json for each project. From the documentation:
This command repurposes package-lock.json into a publishable npm-shrinkwrap.json or simply creates a new one. The file created and updated by this command will then take precedence over any other existing or future
$ npm shrinkwrap
If you run into errors you may need to follow the steps here to get npm shrinkwrap to work.
Next we’ll need to download the advisories.json file that has all of the known insecure packages nsp checks. You can download this to your home directory and point nsp to it during the scan.
$ curl -sS https://api.nodesecurity.io/advisories -o ~/advisories.json
One issue with this is that the Node Security API paginates by 100 for the advisories. We have to pull down all 384 (as of 9/19/17) advisories to make this actually effective. I’ll update this blog with a solution soon.
Finally, we’ll run nsp in offline mode. We need to pass in a couple options. You’ll need to have your npm-shrinkwrap.json in the same directory you’re running this from. You’ll pass in the location to the advisories.json as well.
$ nsp check --offline --advisoriesPath=/path/to/advisories.json -o summary
(+) No known vulnerabilities found
And we’re good!
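The three steps above, wrapped in one pre-flight script as an added example (not code from the original post or from the nsp project). Because the API paginates by 100, a single curl can leave you with a partial advisories.json and a misleading "No known vulnerabilities found"; the script therefore refuses to run the offline check unless the file holds as many advisories as its envelope says exist. It assumes, without confirmation from the post, that the API response is a JSON object with a top-level "total" field and a "results" array whose entries each carry a "module_name" key; the sample file it writes is constructed, not real advisory data.

```shell
#!/bin/sh
# Added example: pre-flight for an offline nsp run.
# Assumptions (not stated in the post): the advisories endpoint returns
# {"total": N, "count": M, "offset": O, "results": [{"module_name": ...}, ...]}.
set -eu

ADVISORIES_URL="https://api.nodesecurity.io/advisories"

# Step 2 from the post: fetch the advisory feed to a local file.
# This is the single-page download; the completeness check below tells you
# whether it captured everything or only the first 100 entries.
download_advisories() {
  curl -sS "$ADVISORIES_URL" -o "$1"
}

# Number of advisory records actually present in the file
# (one "module_name" key per advisory object, per the assumption above).
advisory_count() {
  grep -o '"module_name"' "$1" | wc -l | tr -d ' '
}

# The "total" the API reports in its response envelope (assumed field name).
advisory_total() {
  sed -n 's/.*"total"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Succeeds only when the file is a complete feed, not a truncated page.
advisories_complete() {
  count=$(advisory_count "$1")
  total=$(advisory_total "$1")
  [ -n "$total" ] && [ "$count" -eq "$total" ]
}

# Steps 1 and 3 from the post, gated on a complete advisory file.
# $1 = project directory, $2 = path to advisories.json
run_offline_check() {
  if ! advisories_complete "$2"; then
    echo "advisories.json is incomplete: $(advisory_count "$2") of $(advisory_total "$2") advisories" >&2
    return 1
  fi
  (
    cd "$1"
    # Create npm-shrinkwrap.json only if the project does not already have one.
    [ -f npm-shrinkwrap.json ] || npm shrinkwrap
    nsp check --offline --advisoriesPath="$2" -o summary
  )
}

# Constructed sample (not real advisories) in the assumed envelope shape,
# useful for checking the parsing functions without network access.
write_sample_advisories() {
  cat > "$1" <<'EOF'
{"total": 2, "count": 2, "offset": 0, "results": [{"id": 1, "module_name": "example-a", "vulnerable_versions": "<1.0.0"}, {"id": 2, "module_name": "example-b", "vulnerable_versions": "<2.1.0"}]}
EOF
}
```

Typical use once online: `download_advisories ~/advisories.json`, then `run_offline_check /path/to/project ~/advisories.json`. If the download only returned the first page, the script exits with a message such as "100 of 384 advisories" instead of producing a clean-looking but incomplete report.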