NPM-AUDIT(1)                                                      NPM-AUDIT(1)

NAME
       npm-audit - Run a security audit

SYNOPSIS
         npm audit [--json|--parseable]
         npm audit fix [--force|--package-lock-only|--dry-run|--production|--only=dev]

EXAMPLES
       Scan your project for vulnerabilities and automatically install any
       compatible (semver-range-satisfying) updates to vulnerable
       dependencies:

         $ npm audit fix

       Run audit fix without modifying node_modules, but still updating the
       package-lock:

         $ npm audit fix --package-lock-only

       Skip updating devDependencies:

         $ npm audit fix --only=prod

       Have audit fix install semver-major updates to toplevel dependencies,
       not just semver-compatible ones. A major update can change the
       dependency's API, so review the resulting lockfile diff and run your
       tests before committing it:

         $ npm audit fix --force

       Do a dry run to get an idea of what audit fix would do, without
       changing anything, and output the install information in JSON
       format:

         $ npm audit fix --dry-run --json

       Scan your project for vulnerabilities and just show the details,
       without fixing anything:

         $ npm audit

       Get the detailed audit report in JSON format:

         $ npm audit --json

       Get the detailed audit report as plain text with fields separated by
       tab characters, allowing for reuse in scripting or command line post
       processing, for example selecting some of the columns printed:

         $ npm audit --parseable

       To parse columns, you can use for example awk and print only some of
       them. Here $'\t' is bash's ANSI-C quoting for a literal tab. The
       column layout is specific to the reporter in your npm version, so
       inspect a raw --parseable line before relying on field positions in a
       script:

         $ npm audit --parseable | awk -F $'\t' '{print $1,$4}'

DESCRIPTION
       The audit command submits a description of the dependencies configured
       in your project to your default registry and asks for a report of known
       vulnerabilities. This is a network request that carries your
       dependency tree; what is sent, and how potentially sensitive parts of
       it are scrubbed first, is described under SCRUBBING below. The report
       returned includes instructions on how to act on this information. The
       command will exit with a 0 exit code if no vulnerabilities were found.

       You can also have npm automatically fix the vulnerabilities by running
       npm audit fix. Note that some vulnerabilities cannot be fixed
       automatically and will require manual intervention or review. Also
       note that since npm audit fix runs a full-fledged npm install under the
       hood, all configs that apply to the installer also apply to npm audit
       fix, so things like npm audit fix --package-lock-only will work as
       expected.

CONTENT SUBMITTED
       ·   npm_version

       ·   node_version

       ·   platform

       ·   node_env

       ·   A scrubbed version of your package-lock.json or npm-shrinkwrap.json


SCRUBBING
       In order to ensure that potentially sensitive information is not
       included in the audit data bundle, some dependencies may have their
       names (and sometimes versions) replaced with opaque non-reversible
       identifiers. This is done for the following dependency types:

       ·   Any module referencing a scope that is configured for a
           non-default registry has its name scrubbed. (That is, a scope you
           did a npm login --scope=@ourscope for.)

       ·   All git dependencies have their names and specifiers scrubbed.

       ·   All remote tarball dependencies have their names and specifiers
           scrubbed.

       ·   All local directory and tarball dependencies have their names and
           specifiers scrubbed.


       The non-reversible identifiers are a sha256 of a session-specific UUID
       and the value being replaced, ensuring a consistent value within the
       payload that is different between runs. Dependencies fetched from the
       default registry are not in the list above and are sent as-is, since
       the registry needs their real names and versions to match advisories.

EXIT CODE
       The npm audit command will exit with a 0 exit code if no
       vulnerabilities were found.

       If vulnerabilities were found the exit code will depend on the
       audit-level configuration setting: the exit code is non-zero only
       when a vulnerability at or above that severity (low, moderate, high
       or critical; the default is low) was found. A CI gate such as
       npm audit --audit-level=high therefore ignores low and moderate
       findings rather than failing the build on them.

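       The report handling described in DESCRIPTION and the exit-code rule
       above, as an added JavaScript example (not npm's own code): it reads
       a report in the shape npm audit --json produces, applies the
       audit-level threshold, and turns the report's actions into a triage
       table that separates semver-compatible fixes, semver-major fixes that
       need --force, and entries that need manual review. The report is
       constructed to follow the npm 6 JSON layout; every advisory id,
       package name and version in it is a placeholder.

```javascript
// Added example, not npm's own code: consume an `npm audit --json` report and
// apply the exit-code rule from EXIT CODE (non-zero when any vulnerability is
// at or above the configured audit-level), then turn the report's actions into
// a triage table. The report is CONSTRUCTED to follow the npm 6 JSON layout
// (advisories keyed by id, an actions list, metadata.vulnerabilities counts);
// every id, package name and version below is a placeholder, not a real advisory.
'use strict';

// Severity order, lowest first. npm documents low, moderate, high and critical
// as audit-level values; 'info' is accepted here because the report counts it.
const SEVERITY_ORDER = ['info', 'low', 'moderate', 'high', 'critical'];

const sampleReport = {
  actions: [
    // semver-compatible update: plain `npm audit fix` applies it
    { action: 'install', module: 'padder-ish', target: '1.3.0', isMajor: false,
      resolves: [{ id: 1001, path: 'padder-ish', dev: false, optional: false, bundled: false }] },
    // semver-major update: applied only with `npm audit fix --force`
    { action: 'install', module: 'yaml-ish', target: '2.0.0', isMajor: true,
      resolves: [{ id: 1002, path: 'config-ish>yaml-ish', dev: false, optional: false, bundled: false }] },
    // no automatic fix: npm asks for manual review
    { action: 'review', module: 'old-proxy-ish',
      resolves: [{ id: 1003, path: 'test-tool-ish>old-proxy-ish', dev: true, optional: false, bundled: false }] },
  ],
  advisories: {
    1001: { id: 1001, module_name: 'padder-ish', severity: 'low',
            title: 'Regular Expression Denial of Service', patched_versions: '>=1.3.0' },
    1002: { id: 1002, module_name: 'yaml-ish', severity: 'high',
            title: 'Arbitrary Code Execution', patched_versions: '>=2.0.0' },
    1003: { id: 1003, module_name: 'old-proxy-ish', severity: 'moderate',
            title: 'Open Redirect', patched_versions: '<0.0.0' },
  },
  muted: [],
  metadata: {
    vulnerabilities: { info: 0, low: 1, moderate: 1, high: 1, critical: 0 },
    dependencies: 40, devDependencies: 12, optionalDependencies: 0, totalDependencies: 52,
  },
};

// 1 if the report counts any vulnerability at or above auditLevel, else 0.
// 'low' is npm's default audit-level, so any finding fails by default.
function exitCodeFor(report, auditLevel = 'low') {
  const min = SEVERITY_ORDER.indexOf(auditLevel);
  if (min < 0) throw new Error(`unknown audit-level: ${auditLevel}`);
  const counts = report.metadata.vulnerabilities;
  const hits = SEVERITY_ORDER.slice(min).reduce((n, level) => n + (counts[level] || 0), 0);
  return hits > 0 ? 1 : 0;
}

// One row per vulnerable path, highest severity first, with how it is fixed:
// an install/update (flagging semver-major ones, which need --force) or a review.
function triage(report) {
  const rows = [];
  for (const action of report.actions) {
    for (const r of action.resolves) {
      const adv = report.advisories[r.id];
      const fix = action.action === 'review'
        ? { kind: 'review', patchedIn: adv.patched_versions,
            noPatch: adv.patched_versions.replace(/\s/g, '') === '<0.0.0' }
        : { kind: action.action, target: `${action.module}@${action.target}`,
            breaking: Boolean(action.isMajor) };
      rows.push({ id: adv.id, module: adv.module_name, severity: adv.severity,
                  title: adv.title, path: r.path, dev: r.dev, fix });
    }
  }
  return rows.sort((a, b) => SEVERITY_ORDER.indexOf(b.severity) - SEVERITY_ORDER.indexOf(a.severity));
}

// Stand-alone run: print the triage table and the exit code a CI gate
// would get at two audit levels.
for (const row of triage(sampleReport)) {
  const how = row.fix.kind === 'review'
    ? (row.fix.noPatch ? 'no patch available, review manually' : `review: patched in ${row.fix.patchedIn}`)
    : `${row.fix.kind} ${row.fix.target}${row.fix.breaking ? ' (semver-major: needs --force)' : ''}`;
  console.log([row.severity, row.module, row.path, row.dev ? 'dev' : 'prod', how].join('\t'));
}
console.log('exit code at --audit-level=low:', exitCodeFor(sampleReport, 'low'));           // 1
console.log('exit code at --audit-level=critical:', exitCodeFor(sampleReport, 'critical')); // 0
```

       The triage table is the part worth keeping in a pipeline: the
       metadata counts decide the exit code, but the actions list is what
       tells you whether npm audit fix will resolve a finding on its own,
       whether it needs --force, or whether someone has to look at it.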
SEE ALSO
       ·   npm help install

       ·   npm help 5 package-locks

       ·   npm help 7 config



                                  April 2019                      NPM-AUDIT(1)