recently-updated | See | Code Analyzer library

TLDR: Is it possible to leverage the vulnerability detection abilities of npm audit as a restful service instead of the current CLI implementation?

npm provides automatic vulnerability scanning on every install request against the Node Security Platform (NSP) vulnerability database and warns you if you try to use unsafe code. Furthermore, npm audit recursively analyzes your dependency trees to identify specifically what’s insecure, recommend a replacement, or fix it automatically with npm audit fix.

This functionality is great and I would like to be able to utilize this vulnerability scanning capability within a web application. So why would I want to do this?

It seems like most companies host an internal JFrog Repository, which constantly needs to updated and maintained just to mirror npmjs. However, a more efficient approach (in my mind) would be to create a simple web application with mitmproxy embedded within it. This web application would then function more like a proxy and would allow one to filter out npm requests based on custom business logic and/or npm audit vulnerability report findings. This would have the benefit of allowing one to customize their risk assessment tolerance as well as leveraging npmjs to distribute the requested libraries. As a consequence, this would drive out the need for companies to host any internal JFrog instances and could potentially lower costs by instead having npmjs deal with the hosting of said libraries.

Listed below is part of the an npm audit report: