The nsp package (https://www.npmjs.com/package/nsp) scans a package.json or npm-shrinkwrap.json file, looking for dependencies with known vulnerabilities. The company behind that package keeps a list of such packages, which the nsp package queries.
Starting with npm version 6, the nsp package functionality has been folded into npm itself as the npm audit command. The nsp package is a command-line tool you run like so:
$ npm install nsp
$ ./node_modules/.bin/nsp check
(+) 3 vulnerabilities found
┌────────────┬───────────────────────────────...
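Since the same check now ships as npm audit, a build can act on its machine-readable report. The following is an added example, not code from the original text: it assumes the report layout printed by npm audit --json in npm 7 and later (a vulnerabilities object keyed by package name), and the function name, package names and advisories are constructed for illustration.

```javascript
// Added example: decide whether an `npm audit --json` report (npm 7+ layout) fails a build.
const SEVERITY_ORDER = ['info', 'low', 'moderate', 'high', 'critical'];
// Constructed sample report; package names, titles and ranges are made up.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-parser': {
      severity: 'high', isDirect: false, fixAvailable: true,
      via: [{ title: 'Constructed advisory: prototype pollution', range: '<2.0.1' }],
    },
    'example-server': {
      severity: 'high', isDirect: true,
      fixAvailable: { name: 'example-server', version: '5.0.0', isSemVerMajor: true },
      via: ['example-parser'], // string entry: affected only through another package
    },
    'example-logger': {
      severity: 'low', isDirect: true, fixAvailable: false,
      via: [{ title: 'Constructed advisory: log injection', range: '*' }],
    },
  },
};

function summarize(report, threshold = 'high') {
  const min = SEVERITY_ORDER.indexOf(threshold);
  if (min === -1) throw new Error(`unknown threshold: ${threshold}`);
  // Fail closed: a report without this key (for example the npm 6 layout) is not "clean".
  if (!report || typeof report.vulnerabilities !== 'object' || report.vulnerabilities === null) {
    throw new Error('unsupported audit report layout');
  }
  const findings = Object.entries(report.vulnerabilities).map(([name, v]) => {
    const via = v.via || [];
    const fix = v.fixAvailable;
    return {
      name, severity: v.severity, direct: Boolean(v.isDirect),
      advisories: via.filter((x) => x && typeof x === 'object').map((a) => a.title),
      inheritedFrom: via.filter((x) => typeof x === 'string'),
      fix: fix && fix.isSemVerMajor ? 'breaking-update' : fix ? 'update' : 'none',
    };
  });
  // Unknown severity labels rank as -1 and are treated as blocking rather than ignored.
  const blocking = findings.filter((f) => {
    const rank = SEVERITY_ORDER.indexOf(f.severity);
    return rank === -1 || rank >= min;
  });
  return { findings, blocking, ok: blocking.length === 0 };
}
console.log(summarize(sampleReport).blocking.map((f) => `${f.name} (${f.severity}, fix: ${f.fix})`));
```

For a real project, parse the output of npm audit --json, pass the resulting object to summarize, and exit with a non-zero status when ok is false.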