semantic-release / semantic-release

:package::rocket: Fully automated version management and package publishing

Home Page:https://semantic-release.gitbook.io


Write an nsp verifyConditions plugin

boennemann opened this issue · comments

The nodesecurity project offers the nsp module, which allows you to audit a package.json and find security vulnerabilities.

I'd love to see a semantic-release verifyConditions plugin (just like condition-travis) that aborts any release where there are security vulnerabilities in the dependencies, but I might not immediately have the time to do it myself.

If you want to give this a shot let me know in this issue and I'm happy to help wherever I can. You can reach me in the semantic-release gitter room, or on Twitter.

Hi, I'm interested in giving this a shot...

Hey @accraze,

sorry this slipped through my notifications. Do you need any guidance? I'm happy to help you to get this going :)

Best,
Stephan

no worries @boennemann! can you make a repo for it?

As mentioned in several comments in #68, running nsp is more appropriate in the test phase than in the release phase. If a dependency update is creating a security risk, the test should fail and semantic-release shouldn't even be called. In addition, the alert can be reported directly in the PR (as the build would fail due to the failed tests), before it gets merged.

Has anyone any objection regarding closing this issue?

Closing per previous comment. Please re-open if the previous comment is not accurate.