npm Blog (Archive)

The Node Security Platform service is shutting down 9/30

Earlier this year, we announced npm, Inc.’s acquisition of ^Lift Security and the Node Security Platform and promised to provide updates as our teams combined to protect the world’s largest JavaScript developer community. Today, we have some news about how the acquisition affects you.

With vulnerability scanning that was built into your workflow, and by maintaining JavaScript’s definitive listing of known package vulnerabilities, the Node Security Platform has kept thousands of developers safe from insecure code.

Since joining npm, we’ve worked to bring these protections to the larger developer community.

npm now automatically reviews every install request against the NSP vulnerability database and warns you if you try to use unsafe code. Additionally, beginning with npm@6, a new command, npm audit, recursively analyzes your dependency trees to identify specifically what’s insecure, recommend a replacement, or fix it automatically with npm audit fix.
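
A simplified model of the recursive check described above, as an added example that is not npm's code or part of the original post. The dependency tree, the advisory list and the field names (vulnerableBelow, upgradeTo) are constructed assumptions, and only plain x.y.z versions are compared.

```javascript
// Constructed sample data: package names, versions and advisories are made up.
const advisories = [
  { module: 'tiny-parser', vulnerableBelow: '2.1.0', severity: 'high' },
  { module: 'old-logger', vulnerableBelow: '1.0.5', severity: 'low' },
];

// Shape loosely modelled on a lockfile: each dependency may nest its own.
const tree = {
  name: 'my-app', version: '1.0.0',
  dependencies: {
    'web-kit': { version: '4.2.0', dependencies: {
      'tiny-parser': { version: '2.0.3' },
      'old-logger': { version: '1.0.5' },
    } },
    'tiny-parser': { version: '2.1.0' },
  },
};

// Compare two plain x.y.z versions numerically (no pre-release tags handled).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Depth-first walk that records the full path to every vulnerable install,
// so a transitive dependency is reported with the chain that pulled it in.
function audit(node, db, path = [node.name]) {
  const findings = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const depPath = [...path, name];
    for (const adv of db) {
      if (adv.module === name && compareVersions(dep.version, adv.vulnerableBelow) < 0) {
        findings.push({ module: name, installed: dep.version, severity: adv.severity,
          path: depPath.join(' > '), upgradeTo: adv.vulnerableBelow });
      }
    }
    findings.push(...audit(dep, db, depPath)); // recurse into nested dependencies
  }
  return findings;
}

console.log(audit(tree, advisories));
```

The same package name appears twice in the constructed tree at different versions, and only the nested, older copy is reported.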

These tools are faster and more directly integrated into the way you write JavaScript. They also form the backbone of powerful new security tools we have in store for the months ahead. Given this, it’s time to phase out the original Node Security Platform.

The Node Security Platform service will stop working on September 28, 2018.

We encourage you to update to npm@6 — just type npm i -g npm@latest — to take advantage of powerful, automatic protection built right into your workflow, along with a host of other enhancements and features. If you have been a subscriber to NSP’s pre-publication advisories, your account will be canceled automatically (these advisories are now available to customers of any of npm’s paid services).

We’re proud of the ways we work to keep you safe and excited for what’s still in store. As always, don’t hesitate to reach out with your feedback or questions.