FreeBSD Manual Pages


NPM-AUDIT(1)							  NPM-AUDIT(1)

       npm-audit - Run a security audit

	 npm audit [--json|--parseable|--audit-level=(low|moderate|high|critical)]
	 npm audit fix [--force|--package-lock-only|--dry-run]

         common options: [--production] [--only=(dev|prod)]

       Scan your project for vulnerabilities and automatically install any
       compatible updates to vulnerable dependencies:

	 $ npm audit fix

       Run audit fix without modifying node_modules, but still updating the

	 $ npm audit fix --package-lock-only

       Skip updating devDependencies:

	 $ npm audit fix --only=prod

       Have audit fix install semver-major updates to toplevel dependencies,
       not just semver-compatible ones:

	 $ npm audit fix --force

       Do a dry run to get an idea of what audit fix will do, and also output
       install information in JSON format:

	 $ npm audit fix --dry-run --json

       Scan your project for vulnerabilities and just show the details,
       without fixing anything:

	 $ npm audit

       Get the detailed audit report in JSON format:

	 $ npm audit --json

       Get the detailed audit report as plain text with fields separated by
       tab characters, which allows reuse in scripting or command-line
       post-processing, for example selecting some of the printed columns:

	 $ npm audit --parseable

       To parse columns, you can use for example awk, and just print some of

         $ npm audit --parseable | awk -F $'\t' '{print $1,$4}'

       Fail an audit only if the results include a vulnerability with a level
       of moderate or higher:

	 $ npm audit --audit-level=moderate

       The audit command submits a description of the dependencies configured
       in your project to your default registry and asks for a report of known
       vulnerabilities. The report returned includes instructions on how to
       act on this information. The command will exit with a 0 exit code if no
       vulnerabilities were found.

       You can also have npm automatically fix the vulnerabilities by running
       npm audit fix. Note that some vulnerabilities cannot be fixed
       automatically and will require manual intervention or review. Also note
       that since npm audit fix runs a full-fledged npm install under the hood,
       all configs that apply to the installer will also apply to npm install --
       so things like npm audit fix --package-lock-only will work as expected.

       By default, the audit command will exit with a non-zero code if any
       vulnerability is found. It may be useful in CI environments to include
       the --audit-level parameter to specify the minimum vulnerability level
       that will cause the command to fail. This option does not filter the
       report output, it simply changes the command's failure threshold.

       o npm_version

       o node_version

       o platform

       o node_env

       o A scrubbed version of your package-lock.json or npm-shrinkwrap.json

       In order to ensure that potentially sensitive information is not
       included in the audit data bundle, some dependencies may have their
       names (and sometimes versions) replaced with opaque non-reversible
       identifiers. This is done for the following dependency types:

       o Any module referencing a scope that is configured for a non-default
         registry has its name scrubbed. (That is, a scope you did a
         npm login --scope=@ourscope for.)

       o All git dependencies have their names and specifiers scrubbed.

       o All remote tarball dependencies have their names and specifiers

       o All local directory and tarball dependencies have their names and
         specifiers scrubbed.

       The non-reversible identifiers are a sha256 of a session-specific UUID
       and the value being replaced, ensuring a consistent value within the
       payload that is different between runs.

       The npm audit command will exit with a 0 exit code if no
       vulnerabilities were found.

       If vulnerabilities were found, the exit code will depend on the
       audit-level configuration setting.

       o npm help install

       o npm help 5 package-locks

       o npm help 7 config

				 October 2019			  NPM-AUDIT(1)

