[bug 1478028] replace nsp with npm audit

[g-k]

nsp is deprecated and shutting down: https://blog.npmjs.org/post/175511531085/the-node-security-platform-service-is-shutting

Should allow us to close #4324 and with npm audit fix make updating transitive dependencies for #4617 too.

e.g. https://github.com/mozilla-services/ip-reputation-js-client/blob/78d76c26f412ffddb920a4a8250a1141c24861d7/.travis.yml#L13-L15

[jaredhirsch]

Unfortunately, npm audit does not cleanly replace nsp, as there's no way for npm audit to conditionally ignore specific vulnerabilities in transitive dependencies; see npm/npm#20565.

It looks like FxA is currently hacking around this limitation via "npm audit || true" in their CI builds.

We've discussed this a bit, and current consensus would be to warn on npm audit errors in the dev build, but fail on such errors in the stage build, to prevent deploying insecure code to production.

[g-k]

That's frustrating. I was hoping npm audit fix would work for everything screenshots pulls in.

If we have github (and sentry if you're using it) vulnerability alerts enabled, swapping npm audit || true would be fine.

Also if you want automatic PRs, @hwine can enable dependabot https://dependabot.com/blog/automatically-respond-to-security-advisories for JS. It looks like it's pulling the github NVD and from the node security working group https://github.com/nodejs/security-wg

[ianb]

I've created #4803 as a followup about npm audit || true. Otherwise this was fixed in #4617 (in a5935e1)

[g-k]

Thanks! Let me know if you write the script in #4803, since we'll probably want to reuse it for other projects too.