Replacement for Node Security Platform

[getaaron]

https://nodesecurity.io/services:

The Node Security Platform has been acquired by npm, Inc.

On April 10, 2018, the Node Security Platform joined npm, Inc., which operates the npm JavaScript package registry.

Learn more here.

The service remains operational for current accountholders.

This repo should recommend a replacement for new projects.

[nelsonic]

@getaaron do you have a suggestion?
It's unclear from the statement if NPM will include the service in their offering ... 🤔

[Berkmann18]

According to their newsletter and Twitter feed, NSP's service is now integrated into NPM and thus audits could be done by using npm audit and vulnerabilities are shown for vulnerable packages being installed.
Not sure if that's what Github uses too for vulnerability checks.

As for the badge (which brought me here), I have no idea what will replace the defunct NSP badge.

[Y-LyN-10]

Is snyk an appropriate alternative?

[nelsonic]

@Y-LyN-10 good question/suggestion. 🤔
as much as it pains me that Node Security Platform has been "rolled into NPM"
(meaning there is no longer an NSP Badge) it's a reality we all have to live with.

I really like what @guypod is doing with Snyk.
They have assembled a great team of people to build the product;
@remy is easily one of the best JS devs in the world! He is a "Mida"! 😮 ⭐️
Snyk is a well-documented/maintained library https://github.com/snyk/snyk

As a side note, Guy's Podcast, "The Secure Developer" is a "must" for all devs!
subscribe if you aren't already: https://www.heavybit.com/library/podcasts/the-secure-developer 🥇

[nelsonic]

https://twitter.com/snyksec/status/1067283633805959168

[nelsonic]

1. Visit: https://snyk.io

2. Click the "Signup with GitHub" button/link:

3. Click the button to "Athorise Snyk":

4. Click to "Connect with GitHub":

5. Again click "Connect with GitHub":

6. By default Snyk requests access to both public and private repos,
   Select whatever is relevant to you and continue:

7. I selected only public repositories as I always follow the "principal of least privilege":

8. Confirm the access that Snyk is requesting:

9. Connect to Snyk to a GitHub Repository:

10. Select the desired repository: (in this case hapi-auth-jwt2 ...)

11. Add selected repo:

12. Wait for the repo to be imported by Snyk:

13. Once the repo has finished importing, refresh the page to see your dashboard:

14. From the Snyk dashboard. Click on the project you want to view:

15. Copy the Snyk "Badge" for inclusion in your project:

Badge Format:

[![Known Vulnerabilities](https://snyk.io/test/github/{username}/{repo}/badge.svg)](https://snyk.io/test/github/{username}/{repo})

Official Badge:

[![Known Vulnerabilities](https://snyk.io/test/github/dwyl/hapi-auth-jwt2/badge.svg?targetFile=package.json)](https://snyk.io/test/github/dwyl/hapi-auth-jwt2?targetFile=package.json)

Flat Square:

[![Known Vulnerabilities](https://snyk.io/test/github/dwyl/hapi-auth-jwt2/badge.svg?targetFile=package.json)](https://snyk.io/test/github/dwyl/hapi-auth-jwt2?targetFile=package.json)

Going to PR this change now.