Private NPM packages


#1

Hi there,

I’ve enabled Sonatype DepShield on our GitHub organisation (we have 264 repositories as of writing!). After looking through the repos, we noticed a lot of them have failed because of private NPM packages we are using in our package.json files. Is there any planned support for this?

Thanks
JH


#2

Hi @john,

While DepShield supports private GitHub repositories, its goal is to offer free coverage for open source projects. As such, we currently do not have a plan to support private NPM packages that would not be available to the open source community. Sonatype offers the Nexus Vulnerability Scanner, which provides a free scan of an archive of your JavaScript application (dependencies and all), and Nexus Lifecycle, a commercial solution which offers many of the capabilities you may require for managing the open source used by your 200+ projects.