NPM-AUDIT(1)                                                      NPM-AUDIT(1)



Name
       npm-audit - Run a security audit

Synopsis
       npm audit [--json|--parseable|--audit-level=(low|moderate|high|critical)]
       npm audit fix [--force|--package-lock-only|--dry-run]

       common options: [--production] [--only=(dev|prod)]

Examples
       Scan your project for vulnerabilities and automatically install any
       compatible updates to vulnerable dependencies:

         $ npm audit fix

       Run audit fix without modifying node_modules, but still updating
       package-lock.json:

         $ npm audit fix --package-lock-only

       Skip updating devDependencies:

         $ npm audit fix --only=prod

       Have audit fix install semver-major updates to toplevel dependencies,
       not just semver-compatible ones. Semver-major updates may contain
       breaking changes, so run your test suite afterwards:

         $ npm audit fix --force

       Do a dry run to get an idea of what audit fix will do, and also output
       install information in JSON format:

         $ npm audit fix --dry-run --json

       Scan your project for vulnerabilities and just show the details,
       without fixing anything:

         $ npm audit

       Get the detailed audit report in JSON format:

         $ npm audit --json

       Get the detailed audit report as plain text with tab-separated
       columns, suitable for scripting or command-line post-processing, for
       example selecting some of the columns printed:

         $ npm audit --parseable

       To pick columns, pipe the output through awk. Note that $'\t' is
       ANSI-C quoting understood by bash, ksh and zsh but not by a plain
       POSIX sh; there, pass a literal tab with awk -F "$(printf '\t')"
       instead:

         $ npm audit --parseable | awk -F $'\t' '{print $1,$4}'

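       The same column selection can be done in Node, which is handier when
       the output must be grouped rather than just cut. The following is an
       added example and is not part of the npm manual or of npm's own code.
       It parses the --parseable output into records, picks columns the way
       the awk command above does, and groups every dependency path per
       vulnerable package. It assumes the column order of npm 6's parseable
       reporter (action, recommendation or patched range, severity, package,
       advisory URL, dependency path) and runs on constructed sample lines,
       not output captured from a real project.

```javascript
'use strict';

// Assumed column order of `npm audit --parseable` in npm 6 (an assumption of
// this example, not stated in the manual): action, recommendation (or the
// patch availability for "review" rows), severity, package, advisory URL,
// dependency path.
const COLUMNS = ['action', 'recommendation', 'severity', 'package', 'url', 'path'];

// Split the tab-separated report into one record per non-empty line.
function parseParseable(text) {
  return text
    .split('\n')
    .filter((line) => line.trim() !== '')
    .map((line) => {
      const cells = line.split('\t');
      const record = {};
      COLUMNS.forEach((name, i) => {
        record[name] = cells[i] === undefined ? '' : cells[i];
      });
      return record;
    });
}

// Same effect as `awk -F $'\t' '{print $1,$4}'`: one line per record with the
// requested columns joined by a space.
function selectColumns(records, names) {
  return records.map((r) => names.map((n) => r[n]).join(' '));
}

// Group records by vulnerable package so every dependency path through which
// the package is pulled in is listed together with the actions audit proposes.
function groupByPackage(records) {
  const groups = {};
  for (const r of records) {
    if (!groups[r.package]) {
      groups[r.package] = { severity: r.severity, actions: new Set(), paths: [] };
    }
    groups[r.package].actions.add(r.action);
    groups[r.package].paths.push(r.path);
  }
  for (const name of Object.keys(groups)) {
    groups[name].actions = [...groups[name].actions].sort();
  }
  return groups;
}

// Constructed sample output (placeholder packages and advisory numbers, not
// captured from a real project).
const SAMPLE_PARSEABLE = [
  ['update', 'npm update pkg-a --depth 2', 'low', 'pkg-a',
    'https://npmjs.com/advisories/1111', 'pkg-b>pkg-a'],
  ['update', 'npm update pkg-a --depth 3', 'low', 'pkg-a',
    'https://npmjs.com/advisories/1111', 'pkg-c>pkg-b>pkg-a'],
  ['review', 'No patch available', 'high', 'pkg-d',
    'https://npmjs.com/advisories/2222', 'pkg-e>pkg-d'],
].map((cols) => cols.join('\t')).join('\n') + '\n';

const records = parseParseable(SAMPLE_PARSEABLE);
console.log(selectColumns(records, ['action', 'package']).join('\n'));
console.log(JSON.stringify(groupByPackage(records), null, 2));
```

       Replace SAMPLE_PARSEABLE with data read from stdin to run it on a real
       report: npm audit --parseable | node group.js.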
       Fail an audit only if the results include a vulnerability with a level
       of moderate or higher:

         $ npm audit --audit-level=moderate

Description
       The audit command submits a description of the dependencies configured
       in your project to your default registry and asks for a report of known
       vulnerabilities. The report returned includes instructions on how to
       act on this information. The command will exit with a 0 exit code if no
       vulnerabilities were found.

       You can also have npm automatically fix the vulnerabilities by running
       npm audit fix. Note that some vulnerabilities cannot be fixed
       automatically and will require manual intervention or review. Also
       note that since npm audit fix runs a full-fledged npm install under
       the hood, all configs that apply to the installer also apply to npm
       audit fix, so things like npm audit fix --package-lock-only will work
       as expected.

       By default, the audit command will exit with a non-zero code if any
       vulnerability is found. It may be useful in CI environments to include
       the --audit-level parameter to specify the minimum vulnerability level
       that will cause the command to fail. This option does not filter the
       report output, it simply changes the command's failure threshold.

Content Submitted
       · npm_version

       · node_version

       · platform

       · node_env

       · A scrubbed version of your package-lock.json or npm-shrinkwrap.json


Scrubbing
       In order to ensure that potentially sensitive information is not
       included in the audit data bundle, some dependencies may have their
       names (and sometimes versions) replaced with opaque non-reversible
       identifiers. This is done for the following dependency types:

       · Any module referencing a scope that is configured for a non-default
         registry has its name scrubbed. (That is, a scope you did a npm
         login --scope=@ourscope for.)

       · All git dependencies have their names and specifiers scrubbed.

       · All remote tarball dependencies have their names and specifiers
         scrubbed.

       · All local directory and tarball dependencies have their names and
         specifiers scrubbed.


       The non-reversible identifiers are a sha256 of a session-specific UUID
       and the value being replaced, ensuring a consistent value within the
       payload that is different between runs.

Exit Code
       The npm audit command will exit with a 0 exit code if no
       vulnerabilities were found.

       If vulnerabilities were found the exit code will depend on the
       audit-level configuration setting.

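       To see how the failure threshold from the Description section and the
       fix behaviour of npm audit fix interact, here is an added example in
       Node; it is not code from the npm manual or from npm itself. It takes
       the JSON report shape npm 6 prints for npm audit --json as this example
       assumes it (an actions array, an advisories map keyed by advisory id,
       and metadata.vulnerabilities counts per severity, including an info
       level below low), computes the exit code the way --audit-level is
       described above, and lists which actions npm audit fix would apply
       with and without --force. The report is constructed for the example.

```javascript
'use strict';

// Severity order used by --audit-level, lowest first. The JSON report is
// assumed here to count an "info" level below "low"; the synopsis above only
// lists the four levels that can be passed on the command line.
const LEVELS = ['info', 'low', 'moderate', 'high', 'critical'];

// Exit code for a report under a given --audit-level: 1 if any vulnerability
// is at or above the threshold, else 0. The report itself is never filtered;
// only this decision changes.
function auditExitCode(report, auditLevel = 'low') {
  const threshold = LEVELS.indexOf(auditLevel);
  if (threshold < 0) throw new Error(`unknown audit level: ${auditLevel}`);
  const counts = report.metadata.vulnerabilities;
  const atOrAbove = LEVELS.slice(threshold)
    .reduce((n, severity) => n + (counts[severity] || 0), 0);
  return atOrAbove > 0 ? 1 : 0;
}

// Which actions `npm audit fix` applies, following the manual's description:
// install/update actions are applied, semver-major ones only with --force, and
// "review" actions are never applied automatically.
function plannedFixes(report, { force = false } = {}) {
  const applied = [];
  const skipped = [];
  for (const action of report.actions) {
    const severities = action.resolves.map((r) => report.advisories[r.id].severity);
    const entry = { module: action.module, action: action.action, severities };
    if (action.action === 'review') {
      skipped.push({ ...entry, reason: 'needs manual review' });
    } else if (action.isMajor && !force) {
      skipped.push({ ...entry, reason: 'semver-major, requires --force' });
    } else {
      applied.push({ ...entry, target: action.target, breaking: Boolean(action.isMajor) });
    }
  }
  return { applied, skipped };
}

// Constructed report (placeholder packages and advisory ids, not real data).
const SAMPLE_REPORT = {
  actions: [
    { action: 'update', module: 'pkg-a', target: '1.2.5', isMajor: false, depth: 2,
      resolves: [{ id: 1111, path: 'pkg-b>pkg-a', dev: false, optional: false, bundled: false }] },
    { action: 'install', module: 'pkg-c', target: '5.0.0', isMajor: true,
      resolves: [{ id: 3333, path: 'pkg-c', dev: true, optional: false, bundled: false }] },
    { action: 'review', module: 'pkg-d',
      resolves: [{ id: 2222, path: 'pkg-e>pkg-d', dev: false, optional: false, bundled: false }] },
  ],
  advisories: {
    1111: { id: 1111, module_name: 'pkg-a', severity: 'low', patched_versions: '>=1.2.5' },
    2222: { id: 2222, module_name: 'pkg-d', severity: 'high', patched_versions: '<0.0.0' },
    3333: { id: 3333, module_name: 'pkg-c', severity: 'moderate', patched_versions: '>=5.0.0' },
  },
  metadata: {
    vulnerabilities: { info: 0, low: 1, moderate: 1, high: 1, critical: 0 },
    dependencies: 120, devDependencies: 40, optionalDependencies: 0, totalDependencies: 160,
  },
};

for (const level of ['low', 'moderate', 'high', 'critical']) {
  console.log(`--audit-level=${level}: exit ${auditExitCode(SAMPLE_REPORT, level)}`);
}
console.log(JSON.stringify(plannedFixes(SAMPLE_REPORT), null, 2));
console.log(JSON.stringify(plannedFixes(SAMPLE_REPORT, { force: true }), null, 2));
```

       In a CI job the useful combination is to gate on auditExitCode with
       the level the team has agreed on while still archiving the full JSON
       report, since the threshold never removes findings from the report.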
See Also
       · npm help install

       · npm help package-locks

       · npm help config




                                 February 2021                    NPM-AUDIT(1)