
NSP SHUTTING DOWN #173

@stevespringett

According to https://blog.npmjs.org/post/175511531085/the-node-security-platform-service-is-shutting, NSP will be shutting down September 30, 2018.

What we know:

  • Node Security Platform will be shutting down on September 30
  • There are no publicly available alternatives to NSP Advisories
  • Dependency-Track mirrors these advisories (like it mirrors the NVD and VulnDB)
  • NPM AUDIT, the replacement for NSP CHECK, is available in NPM v6.0 and higher
  • The current stable Node.js distribution still ships with NPM v5.6
  • NPM AUDIT (as of v6.1 - current release) still relies heavily on Node Security Platform

After investigating the NPM AUDIT API, it is safe to assume that:

  • Dependency-Track (and Dependency-Check) can safely migrate from using the NSP API to the NPM AUDIT API.
  • The NPM AUDIT API provides nearly identical information about the advisories discovered from the package submitted.
  • Vulnerability identification should continue to work as before

Potentially impacted:

  • Without a replacement for NSP's publicly available advisories in the next three months, advisory mirroring functionality will cease to function.
  • It may be possible to mirror in a reactionary way, by waiting until a component has an advisory during a scan, capturing the advisory info, and using that as the source for the mirrored content. This is less than ideal but may be the only path forward.
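
A sketch of the reactive mirroring idea from the last bullet, added here as an illustration; it is not code from this issue or from Dependency-Track. The function names are hypothetical, the advisory fields are an assumed subset of the npm 6 audit response (an `advisories` object keyed by id), and the sample responses are constructed.

```javascript
// Reactive advisory mirror: advisories are learned only from audit responses
// returned during scans. Field names are an assumed subset of the npm 6 audit
// response ("advisories" keyed by id); all sample data below is constructed.

function createMirror() {
  return new Map(); // advisory id -> stored advisory record
}

// Merge one audit response into the mirror. Returns the ids added or refreshed.
function ingestAuditResponse(mirror, response) {
  const changed = [];
  for (const adv of Object.values((response && response.advisories) || {})) {
    if (typeof adv.id !== 'number' || !adv.module_name) continue; // skip malformed entries
    const known = mirror.get(adv.id);
    // Keep the newest copy; an older scan result must not overwrite a newer one.
    if (known && Date.parse(known.updated) >= Date.parse(adv.updated)) continue;
    mirror.set(adv.id, {
      id: adv.id,
      module_name: adv.module_name,
      title: adv.title,
      severity: adv.severity,
      vulnerable_versions: adv.vulnerable_versions,
      patched_versions: adv.patched_versions,
      updated: adv.updated,
    });
    changed.push(adv.id);
  }
  return changed;
}

// Packages with at least one mirrored advisory. Anything never scanned is
// absent, which is the coverage gap of mirroring reactively.
function coveredModules(mirror) {
  return [...new Set([...mirror.values()].map((a) => a.module_name))].sort();
}

// Constructed sample responses from two scans (not real advisories).
const scanA = { advisories: { 9001: { id: 9001, module_name: 'example-parser',
  title: 'Constructed advisory A', severity: 'high', vulnerable_versions: '<1.2.0',
  patched_versions: '>=1.2.0', updated: '2018-06-01T00:00:00.000Z' } } };
const scanB = { advisories: {
  9001: { ...scanA.advisories[9001], severity: 'critical', updated: '2018-07-01T00:00:00.000Z' },
  9002: { id: 9002, module_name: 'example-http', title: 'Constructed advisory B',
    severity: 'low', vulnerable_versions: '<0.4.1', patched_versions: '>=0.4.1',
    updated: '2018-06-15T00:00:00.000Z' } } };
```

A mirror built this way only knows about packages that have appeared in a scan, so it cannot answer queries for components nobody has submitted yet.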
