NPM-AUDIT(1)                                                      NPM-AUDIT(1)

NAME

       npm-audit - Run a security audit

SYNOPSIS

         npm audit [--json|--parseable]
         npm audit fix [--force|--package-lock-only|--dry-run|--production|--only=dev]

EXAMPLES

       Scan your project for vulnerabilities and automatically install any
       compatible updates to vulnerable dependencies:

         $ npm audit fix

       Run audit fix without modifying node_modules, but still updating the
       pkglock:

         $ npm audit fix --package-lock-only

       Skip updating devDependencies:

         $ npm audit fix --only=prod

       Have audit fix install semver-major updates to toplevel dependencies,
       not just semver-compatible ones:

         $ npm audit fix --force

       Do a dry run to get an idea of what audit fix will do, and also output
       install information in JSON format:

         $ npm audit fix --dry-run --json

       Scan your project for vulnerabilities and just show the details,
       without fixing anything:

         $ npm audit

       Get the detailed audit report in JSON format:

         $ npm audit --json

       Get the detailed audit report in plain text result, separated by tab
       characters, allowing for future reuse in scripting or command line post
       processing, like for example, selecting some of the columns printed:

         $ npm audit --parseable

       To parse columns, you can use for example awk, and just print some of
       them:

         $ npm audit --parseable | awk -F $'\t' '{print $1,$4}'

DESCRIPTION

       The audit command submits a description of the dependencies configured
       in your project to your default registry and asks for a report of known
       vulnerabilities. The report returned includes instructions on how to
       act on this information. The command will exit with a 0 exit code if no
       vulnerabilities were found.

       You can also have npm automatically fix the vulnerabilities by running
       npm audit fix. Note that some vulnerabilities cannot be fixed
       automatically and will require manual intervention or review. Also note
       that since npm audit fix runs a full-fledged npm install under the hood,
       all configs that apply to the installer will also apply to npm install --
       so things like npm audit fix --package-lock-only will work as expected.

CONTENT SUBMITTED

       · npm_version

       · node_version

       · platform

       · node_env

       · A scrubbed version of your package-lock.json or npm-shrinkwrap.json

   SCRUBBING
       In order to ensure that potentially sensitive information is not
       included in the audit data bundle, some dependencies may have their
       names (and sometimes versions) replaced with opaque non-reversible
       identifiers. It is done for the following dependency types:

       · Any module referencing a scope that is configured for a non-default
         registry has its name scrubbed. (That is, a scope you did a npm
         login --scope=@ourscope for.)

       · All git dependencies have their names and specifiers scrubbed.

       · All remote tarball dependencies have their names and specifiers
         scrubbed.

       · All local directory and tarball dependencies have their names and
         specifiers scrubbed.

       The non-reversible identifiers are a sha256 of a session-specific UUID
       and the value being replaced, ensuring a consistent value within the
       payload that is different between runs.
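
       The scrubbing rules above, as an added sketch in JavaScript that is
       not npm's own code. The lock-file shape, the specifier pattern and the
       way the UUID and value are joined before hashing are assumptions, and
       the sample data is constructed.

```javascript
// Added illustration of the SCRUBBING rules; not npm's implementation.
const { createHash, randomUUID } = require('crypto');

// Assumption: the UUID and the value are joined with one space before hashing.
function scrub(value, sessionId) {
  return createHash('sha256').update(`${sessionId} ${value}`, 'utf8').digest('hex');
}

// Assumption: simplified test for git, remote tarball and local
// directory/tarball specifiers as they appear in a lock file "version" field.
function isNonRegistrySpec(spec) {
  return /^(git[+:]|github:|https?:|file:)/.test(spec);
}

// deps: { name: { version } } (simplified, hypothetical lock-file shape).
// privateScopes: Set of scopes configured for a non-default registry.
function scrubDeps(deps, privateScopes, sessionId = randomUUID()) {
  const out = {};
  for (const [name, info] of Object.entries(deps)) {
    const scope = name.startsWith('@') ? name.split('/')[0] : null;
    if (isNonRegistrySpec(info.version)) {
      // git / remote tarball / local: name and specifier are both replaced
      out[scrub(name, sessionId)] = { version: scrub(info.version, sessionId) };
    } else if (scope !== null && privateScopes.has(scope)) {
      // scope on a non-default registry: only the name is replaced
      out[scrub(name, sessionId)] = { version: info.version };
    } else {
      // package from the default registry: sent unchanged
      out[name] = { version: info.version };
    }
  }
  return out;
}

// Constructed sample data (hypothetical package names and URLs).
const SAMPLE_DEPS = {
  'lodash': { version: '4.17.11' },
  '@ourscope/internal-lib': { version: '1.2.0' },
  'tool-from-git': { version: 'git+https://example.invalid/org/tool.git#abc123' },
  'local-helper': { version: 'file:../local-helper' },
};

// Two runs use two session UUIDs, so the opaque identifiers differ between them.
console.log(scrubDeps(SAMPLE_DEPS, new Set(['@ourscope'])));
console.log(scrubDeps(SAMPLE_DEPS, new Set(['@ourscope'])));
```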

EXIT CODE

       The npm audit command will exit with a 0 exit code if no
       vulnerabilities were found.

       If vulnerabilities were found the exit code will depend on the
       audit-level configuration setting.

SEE ALSO

       · npm help install

       · npm help 5 package-locks

       · npm help 7 config

                                  April 2019                      NPM-AUDIT(1)