Yarn.lock preprocessor for NSP
Usage:
npm install -g nsp nsp-preprocessor-yarnnsp check --preprocessor yarnOr, automating the nsp check upon testing:
{
"name": "dummy",
"version": "1.0.0",
"description": "",
"main": "index.js",
"scripts": {
"posttest": "nsp check --preprocessor yarn"
},
"dependencies": {
"nsp": "git://github.com/nodesecurity/nsp.git#41f967f",
"nsp-preprocessor-yarn": "nsp-preprocessor-yarn"
}
}
If it logs Preprocessing the lock file 'yarn.lock'. this means you're covered.
Why
TLDR: if you use Yarn and NSP you need a preprocessor like nsp-preprocessor-yarn, to ensure all your dependencies are checked.
NSP works by uploading (parts of) your package.json and npm-shrinkwrap/package-lock to it's vulnerabillity-checking servers. If you don't have a npm-shrinkwrap/package-lock (hello there, Yarn users!) this means NSP only uploads a package.json. Therefore NSP reconstructs your dependency tree on their servers, in the NPM fashion: undeterministically.
There will eventually be inconsistencies between what Yarn installed and what NSP thinks you have installed. As the yarn.lock precisely states what is installed, the nsp-preprocessor-yarn transforms that into a format NSP understands.
Silent
This preprocessor logs a short message, to indicate the processor has run, to let you know you're safe.
If you're parsing the output of the nsp run, and this message is annoying, you can disable the message by setting --preprocess--silently.
Workspaces
This preprocessor supports Yarn workspaces too: specify the --lockfile flag:
touch workspace/yarn.lockcd workspace/my-package-1nsp check --preprocessor yarn --lockfile ../yarn.lock