NodeSource evaluates publicly-available packages based on weighted criteria and uses a custom algorithm to compute a “trust score” for each package.
When packages are added or updated they are evaluated against critical, major, and minor criteria, giving your team up-to-date information on the security and reliability of modules.
After creating your NodeSource account:
1. Install NCM Desktop: download the NCM Desktop application for your development platform (Windows, macOS, or Linux).
2. Sign in with NodeSource: sign in to the NCM Desktop application with your NodeSource account, using direct authentication or GitHub/Google SSO.
3. Get back to work: after authenticating, add your project’s working directories to NCM Desktop so it can scan your packages for security vulnerabilities, compliance and code quality issues.
Gain insight into exactly what packages are in your environment every time you npm install – vulnerability data, license information, code quality metrics, and more.
Quickly surface vulnerabilities and their severity, along with compliance and code quality issues, to understand exactly what’s in your environment and what was recently introduced or removed.
If there’s a module that has a known vulnerability or non-compliant license that you simply must have, you can whitelist it at an org-wide level.
NCM can now protect you as part of your CI/CD pipeline. It reads the security and license findings for each package and interrupts the build when severe security or compliance issues would leave you vulnerable in production.
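The three ideas above (a trust score built from weighted critical/major/minor criteria, an org-wide whitelist for packages you must keep, and a CI/CD step that interrupts the build on severe findings) fit together as a small policy gate. The following is an added example written for this page; it is not NodeSource's code, scoring algorithm or output format. The weights, the scan record shape, the package names, finding IDs and the NCM_EXAMPLE_ENFORCE variable are all constructed assumptions.

```javascript
// Added example (not NodeSource's code or algorithm): a minimal CI policy gate
// that scores each dependency from weighted critical/major/minor findings, honours
// an org-wide allowlist, and reports whether the build should be interrupted.
// Weights, finding format, IDs and package names are constructed for illustration.

const WEIGHTS = { critical: 40, major: 15, minor: 3 }; // assumed, not NCM's weights

// Constructed scan output: one record per installed package, each with zero or
// more findings of kind vulnerability | license | quality.
const SAMPLE_SCAN = [
  { name: 'tidy-strings', version: '1.4.0', findings: [] },
  { name: 'old-parser', version: '2.3.1', findings: [
      { kind: 'vulnerability', severity: 'critical', id: 'EXAMPLE-VULN-0001' },
      { kind: 'quality', severity: 'minor', id: 'EXAMPLE-NO-TESTS' } ] },
  { name: 'copyleft-util', version: '0.9.0', findings: [
      { kind: 'license', severity: 'major', id: 'EXAMPLE-LICENSE-POLICY' } ] },
];

// Org-wide allowlist of name@version pairs the organization has accepted
// despite known findings (the page's "whitelist at an org-wide level").
const ORG_ALLOWLIST = new Set(['copyleft-util@0.9.0']);

// Trust score: start at 100 and subtract the weighted penalty of every finding,
// flooring at 0. Unknown severities carry no weight.
function trustScore(pkg) {
  const penalty = pkg.findings.reduce((sum, f) => sum + (WEIGHTS[f.severity] ?? 0), 0);
  return Math.max(0, 100 - penalty);
}

// A finding blocks the build when it is critical, or when it is a non-minor
// license (compliance) issue. Minor code-quality findings only lower the score.
function isBlocking(f) {
  return f.severity === 'critical' || (f.kind === 'license' && f.severity !== 'minor');
}

// Evaluate one package against the policy; an allowlisted version passes even
// with blocking findings, but its score and findings are still reported.
function evaluatePackage(pkg, allowlist) {
  const key = `${pkg.name}@${pkg.version}`;
  const blocking = pkg.findings.filter(isBlocking);
  const allowlisted = allowlist.has(key);
  return {
    key,
    score: trustScore(pkg),
    blocking: blocking.map((f) => f.id),
    allowlisted,
    pass: allowlisted || blocking.length === 0,
  };
}

// Evaluate every package; the build passes only if no package fails.
function gateBuild(scan, allowlist = ORG_ALLOWLIST) {
  const results = scan.map((pkg) => evaluatePackage(pkg, allowlist));
  const failures = results.filter((r) => !r.pass);
  return { pass: failures.length === 0, results, failures };
}

// Exit status a CI step would use: 0 to continue, 1 to interrupt the build.
function exitCodeFor(report) {
  return report.pass ? 0 : 1;
}

// Run the gate over the constructed scan and print a one-line verdict per package.
const report = gateBuild(SAMPLE_SCAN);
for (const r of report.results) {
  const status = r.pass ? (r.allowlisted ? 'ALLOWLISTED' : 'OK') : 'BLOCK';
  console.log(`${status.padEnd(11)} ${r.key.padEnd(22)} score=${String(r.score).padStart(3)} blocking=[${r.blocking.join(', ')}]`);
}
console.log(report.pass ? 'build may proceed' : 'build interrupted by policy');
// Set NCM_EXAMPLE_ENFORCE=1 (a hypothetical variable) to turn the verdict into the process exit status.
if (process.env.NCM_EXAMPLE_ENFORCE === '1') process.exit(exitCodeFor(report));
```

Run it with `node gate.js` to see the per-package verdicts, or `NCM_EXAMPLE_ENFORCE=1 node gate.js` in a pipeline step so that a non-zero exit status stops the job. Keeping the allowlist as explicit name@version pairs, rather than bare package names, is the design choice worth copying: an exception granted for one reviewed version does not silently carry over to the next release.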
In organizations, you can add multiple team members, depending on the plan you’re using. Team members have different levels of access, including the organization administrator and team member roles.