A library to help you only exclude the security vulnerabilities you really mean to.
`nsp` is a very useful library that checks your project's dependencies against a database of known security vulnerabilities, so you don't expose your project to unnecessary risk.
Sometimes `nsp` will warn you about an issue with one of your dependencies, but upon investigation you find that it does not affect your project. For example, you depend on the library `fantastic-features`, which uses a vulnerable version of the library `great-lib`. You take a look at the `fantastic-features` source code and find that `great-lib` is only used in the code that generates the `fantastic-features` documentation website.
`nsp` lets you specify an array of `exceptions` in your nsp config file.
You've now said you don't care if your project uses a vulnerable version of `great-lib`, and `nsp` will stop reporting the issue. But what if someone adds `great-lib` directly to your project in a month's time? Or includes `another-lib`, which also uses the vulnerable version of `great-lib`? Because of the exception, `nsp` won't warn you, and the security hole gets built into your app without you noticing.
`nsp-except` lets you specify the path to the advisory you wish to ignore, so you only ignore the vulnerability if it originates from `fantastic-features`.

```sh
$ npm install -g nsp-except
```
It's probably not a good idea to manage your exceptions in two different ways at the same time, so you'll want to remove the `exceptions` array from your nsp config file.
If you've discovered an advisory you'd like to ignore, run:

```sh
$ nsp-except add
```

This will create a `.nsp-exceptions.json` file at the root of your project with your exceptions. Please note that running `nsp-except add` will add all your current advisories to the file (it overwrites the file every time), so make sure that you really want to ignore each of your current advisories.
Your `.nsp-exceptions.json` file will look something like this:
As you can see, you've only added an exception for the exact path to the advisory.
```sh
$ nsp-except check
```

`nsp-except check` will check your project against the `nsp` advisory database in the same way that `nsp check` does. The only difference is that it will take the exceptions in your `.nsp-exceptions.json` file into account.
- Make sure you run the command from the root of your project, so it can find your `.nsp-exceptions.json` file.