If for some reason you need nightwatch to be in dependencies instead of devDependencies, then running nsp check
will report critical vulnerabilities due to nightwatch's dependencies. If you don't care about vulnerabilities in
nightwatch, then you can use this package.json preprocessor that removes nightwatch from dependencies before
passing it to nsp.
./node_modules/nsp/bin/nsp check --preprocessor nightwatch