diff --git a/Makefile b/Makefile
index 6c0d8da33..8c6a319bb 100644
--- a/Makefile
+++ b/Makefile
@@ -93,7 +93,7 @@ test-travis-pg:
 	@psql -c 'CREATE DATABASE cnpmjs_test;' -U postgres
 	@DB_PORT=5432 DB_USER=postgres $(MAKE) test-travis DB=postgres
 
-test-travis-all: test-travis-sqlite test-travis-mysql test-travis-pg
+test-travis-all: jshint test-travis-sqlite test-travis-mysql test-travis-pg
 
 dev:
 	@NODE_ENV=development node node_modules/.bin/node-dev dispatch.js
diff --git a/README.md b/README.md
index 6be045f86..e5df93297 100644
--- a/README.md
+++ b/README.md
@@ -3,18 +3,21 @@ cnpmjs.org
 
 [![NPM version][npm-image]][npm-url]
 [![build status][travis-image]][travis-url]
-[![Test coverage][cov-image]][cov-url]
+[![Test coverage][codecov-image]][codecov-url]
 [![David deps][david-image]][david-url]
+[![Known Vulnerabilities][snyk-image]][snyk-url]
 [![npm download][download-image]][download-url]
 
 [npm-image]: http://cnpmjs.org/badge/v/cnpmjs.org.svg?style=flat-square
 [npm-url]: http://cnpmjs.org/package/cnpmjs.org
 [travis-image]: https://img.shields.io/travis/cnpm/cnpmjs.org.svg?style=flat-square
 [travis-url]: https://travis-ci.org/cnpm/cnpmjs.org
-[cov-image]: http://codecov.io/github/cnpm/cnpmjs.org/coverage.svg?branch=master
-[cov-url]: http://codecov.io/github/cnpm/cnpmjs.org?branch=master
+[codecov-image]: https://codecov.io/gh/cnpm/cnpmjs.org/branch/master/graph/badge.svg
+[codecov-url]: https://codecov.io/gh/cnpm/cnpmjs.org
 [david-image]: https://img.shields.io/david/cnpm/cnpmjs.org.svg?style=flat-square
 [david-url]: https://david-dm.org/cnpm/cnpmjs.org
+[snyk-image]: https://snyk.io/test/npm/cnpmjs.org/badge.svg?style=flat-square
+[snyk-url]: https://snyk.io/test/npm/cnpmjs.org
 [download-image]: https://img.shields.io/npm/dm/cnpmjs.org.svg?style=flat-square
 [download-url]: https://npmjs.org/package/cnpmjs.org
 
diff --git a/controllers/web/package/show.js b/controllers/web/package/show.js
index 385aad870..85bc6ee7f 100644
--- a/controllers/web/package/show.js
+++ b/controllers/web/package/show.js
@@ -1,18 +1,5 @@
-/**!
- * Copyright(c) cnpm and other contributors.
- * MIT Licensed
- *
- * Authors:
- *  dead_horse <dead_horse@qq.com> (http://deadhorse.me)
- *  fengmk2 <fengmk2@gmail.com> (http://fengmk2.com)
- */
-
 'use strict';
 
-/**
- * Module dependencies.
- */
-
 var debug = require('debug')('cnpmjs.org:controllers:web:package:show');
 var bytes = require('bytes');
 var giturl = require('giturl');
@@ -183,6 +170,17 @@ module.exports = function* show(next) {
     }
   }
 
+  if (pkg._publish_on_cnpm) {
+    pkg.isPrivate = true;
+  } else {
+    pkg.isPrivate = false;
+    // add security check badge
+    pkg.snyk = {
+      badge: `https://snyk.io/test/npm/${pkg.name}/badge.svg?style=flat-square`,
+      url: `https://snyk.io/test/npm/${pkg.name}`,
+    };
+  }
+
   yield this.render('package', {
     title: 'Package - ' + pkg.name,
     package: pkg,
diff --git a/package.json b/package.json
index 7003fc94d..192094f3b 100644
--- a/package.json
+++ b/package.json
@@ -4,6 +4,7 @@
   "description": "Private npm registry and web for Enterprise, base on MySQL and Simple Store Service",
   "main": "index.js",
   "scripts": {
+    "dev": "DEBUG=cnpm* node dispatch.js",
     "test": "make jshint && make test",
     "start": "./bin/nodejsctl start && cp History.md docs/web/history.md",
     "status": "./bin/nodejsctl status",
@@ -67,12 +68,13 @@
     "mocha": "*",
     "node-dev": "*",
     "pedding": "*",
-    "pg": "~5.1.0",
-    "pg-hstore": "~2.3.2",
-    "should": "~8.4.0",
+    "pg": "5",
+    "pg-hstore": "2",
+    "should": "8",
     "should-http": "*",
     "sqlite3": "*",
-    "supertest": "*",
+    "supertest": "1",
+    "supertest-as-promised": "3",
     "thunk-mocha": "1"
   },
   "homepage": "https://github.com/cnpm/cnpmjs.org",
diff --git a/public/css/main.css b/public/css/main.css
index a659f42fe..0b907900a 100644
--- a/public/css/main.css
+++ b/public/css/main.css
@@ -201,6 +201,12 @@ pre code {
   font-size: 28px;
   line-height: 48px;
 }
+
+.pack-ver a.badge-link {
+  font-size: inherit;
+  border-bottom: 0px;
+}
+
 .pack-lastup {
   font-size: 14px;
   display: inline-block;
diff --git a/sync/changes_stream_syncer.js b/sync/changes_stream_syncer.js
index 67a2e4362..191b78716 100644
--- a/sync/changes_stream_syncer.js
+++ b/sync/changes_stream_syncer.js
@@ -3,9 +3,8 @@
 const ChangesStream = require('changes-stream');
 const path = require('path');
 const fs = require('mz/fs');
-const os = require('os');
 const urllib = require('urllib');
-const streamAwait = require('await-event')
+const streamAwait = require('await-event');
 const logger = require('../common/logger');
 const config = require('../config');
 
@@ -35,7 +34,7 @@ function syncPackage(change) {
     method: 'PUT',
     dataType: 'json',
     timeout: 10000,
-  }, (err, data, res) => {
+  }, (err, data) => {
     if (err) {
       logger.syncInfo('%s:%s PUT %s error: %s, retry after 5s',
         change.seq, change.id, url, err);
diff --git a/test/controllers/web/package/show.test.js b/test/controllers/web/package/show.test.js
index c3ab21685..6637b1d78 100644
--- a/test/controllers/web/package/show.test.js
+++ b/test/controllers/web/package/show.test.js
@@ -1,28 +1,14 @@
-/*!
- * cnpmjs.org - test/controllers/web/package/show.test.js
- *
- * Copyright(c) cnpmjs.org and other contributors.
- * MIT Licensed
- *
- * Authors:
- *  dead_horse <dead_horse@qq.com> (http://deadhorse.me)
- */
-
 'use strict';
 
-/**
- * Module dependencies.
- */
-
 var should = require('should');
-var request = require('supertest');
+var request = require('supertest-as-promised');
 var mm = require('mm');
 var config = require('../../../../config');
 var app = require('../../../../servers/web');
 var registry = require('../../../../servers/registry');
 var utils = require('../../../utils');
 
-describe('controllers/web/package/show.test.js', function () {
+describe('controllers/web/package/show.test.js', () => {
   before(function (done) {
     var pkg = utils.getPackage('@cnpmtest/testmodule-web-show', '0.0.1', utils.admin);
     pkg.versions['0.0.1'].dependencies = {
@@ -113,17 +99,17 @@ describe('controllers/web/package/show.test.js', function () {
     });
   });
 
-  describe('unpublished package', function () {
-    before(function (done) {
-      utils.sync('tfs', done);
+  describe('unpublished package', () => {
+    before(done => {
+      utils.sync('mk2testmodule', done);
     });
 
-    it('should display unpublished info', function (done) {
+    it('should display unpublished info', () => {
       mm(config, 'syncModel', 'all');
-      request(app)
-      .get('/package/moduletest1')
-      .expect(200)
-      .expect(/This package has been unpublished\./, done);
+      return request(app)
+        .get('/package/mk2testmodule')
+        .expect(200)
+        .expect(/This package has been unpublished\./);
     });
   });
 
@@ -149,20 +135,22 @@ describe('controllers/web/package/show.test.js', function () {
     });
   });
 
-  describe('show npm package', function () {
-    before(function (done) {
+  describe('show npm package', () => {
+    before(done => {
       mm(config, 'syncModel', 'exists');
       utils.sync('pedding', done);
     });
 
-    it('should show pedding package info and contributors', function (done) {
+    it('should show pedding package info and contributors', () => {
       mm(config, 'syncModel', 'exists');
-      request(app)
-      .get('/package/pedding')
-      .expect(200)
-      // https://github.com/cnpm/cnpmjs.org/issues/497
-      .expect(/by <a href="\/\~fengmk2">fengmk2<\/a>/)
-      .expect(/pedding/, done);
+      return request(app)
+        .get('/package/pedding')
+        .expect(200)
+        // https://github.com/cnpm/cnpmjs.org/issues/497
+        .expect(/by <a href="\/\~fengmk2">fengmk2<\/a>/)
+        // snyk link
+        .expect(/<a class="badge-link" href="https:\/\/snyk\.io\/test\/npm\/pedding" target="_blank"><img title="Known Vulnerabilities" src="https:\/\/snyk\.io\/test\/npm\/pedding\/badge\.svg\?style=flat-square"><\/a>/)
+        .expect(/pedding/);
     });
   });
 });
diff --git a/view/web/package.html b/view/web/package.html
index 54804bc5e..532d21edf 100644
--- a/view/web/package.html
+++ b/view/web/package.html
@@ -15,13 +15,16 @@
       <% } %>
       <div class="pack-ver">
         <img title="<%= package.version %>" src="/badge/v/<%= package.name %>.svg?style=flat-square">
-        <% if (package.engines) {%>
+        <% if (package.engines) { %>
           <% for (var k in package.engines) {
             var engine = package.engines[k];
           %>
             <img title="<%= engine.title %>" src="<%- engine.badgeURL %>">
         <% }
-        }%>
+        } %>
+        <% if (package.snyk) { %>
+        <a class="badge-link" href="<%= package.snyk.url %>" target="_blank"><img title="Known Vulnerabilities" src="<%- package.snyk.badge %>"></a>
+        <% } %>
       </div>
       <div class="pack-repo">
         <% if (package.fromNow) { %>
@@ -52,7 +55,7 @@
 
         <% if (package.license || package.repository || package.bugs.url) {%> &middot; <% } %>
 
-        <% if (!package._publish_on_cnpm) { %>
+        <% if (!package.isPrivate) { %>
         <a href="https://www.npmjs.org/package/<%= package.name %>" target="_blank">Original npm</a>
         <% } %>
 
@@ -64,7 +67,7 @@
       <div class="pack-install">
         <pre class="sh">$ <%- config.npmClientName %> install <%= package.name %> <% if (package.preferGlobal) { %>-g<% } %></pre>
         <div class="pack-sync">
-          <% if (package._publish_on_cnpm) { %>
+          <% if (package.isPrivate) { %>
             Private package
           <% } else { %>
             <a href="/sync/<%= package.name %>" target="_blank">SYNC</a> missed versions from