A security audit is a process that assesses package dependencies for security vulnerabilities. Security audits help you protect those who use your packages by helping you find and fix known vulnerabilities in dependencies that could cause data loss, service outages, unauthorized access to sensitive information, or other issues.
The npm audit command submits a description of the dependencies configured in your project's package(s) to your project's built-in NPM registry and asks for a report of known vulnerabilities. If any vulnerabilities are found, the impact and appropriate remediation are calculated. The audit report includes the affected package name, vulnerability severity and description, path, and other information, and, if available, commands to apply patches to resolve vulnerabilities.
If updates for identified security vulnerabilities are available, you can either:
- Run
npm audit fixto apply remediations to the package tree automatically. - Run the recommended commands individually to manually install updates to vulnerable dependencies.
If there are no patches available for the identified vulnerabilities, the audit report will provide information about the vulnerability to help you investigate further.
If no security vulnerabilities were found, this means that packages with known vulnerabilities were not found in your package dependency tree. However, since the advisory database can be updated at any time, you should regularly run npm audit manually (see Run npm audit Manually), or add a build step with npm audit to your continuous integration process.
It's also worthwhile to note that by default npm audit automatically runs whenever you install a package with npm install but, if you prefer, you can turn off npm audit on package installation:
- To turn off
npm auditwhen installing a single package, use the--no-auditflag:npm install <package-name> --no-audit - To turn off
npm auditwhen installing all packages, set theauditsetting tofalsein your user and global npmrc config files:npm set audit false
Run npm audit Manually
Here's how to manually run npm audit:
- On the command line, type
cd path/to/your-package-nameand navigate to your package directory, then press Enter. - Make sure that your package contains
package.jsonandpackage-lock.jsonfiles. - Type
npm auditand press Enter. - Review the audit report and run the recommended commands or investigate further, if needed.
Understand npm audit Exit Codes
The npm audit command exits with a 0 exit code when no vulnerabilities are found or a non-zero code when any vulnerability is found. The npm audit fix command exit with a 0 exit code if no vulnerabilities are found or if the remediation is able to successfully fix all vulnerabilities. If vulnerabilities are found, the exit code depends on the audit-level configuration setting. In CI environments, you may want to include the --audit-level argument to specify the minimum vulnerability level that will cause the command to fail. This option doesn't filter the report output, it simply changes the command's failure threshold.
Examples
Scan your project for vulnerabilities and just show the details, without fixing anything:
$ npm auditDo a dry run to get an idea of what audit fix will do, and also output install information in JSON format:
$ npm audit fix --dry-run --jsonThe dry-run option indicates that you don't want NPM to make any changes and that it should only report what it would have done. This can be passed into any of the commands that modify your local installation, such as install, update, uninstall, pack, and publish. The json option indicates whether or not to output JSON data, rather than the normal output.
Scan your project for vulnerabilities and automatically install any compatible updates to vulnerable dependencies:
$ npm audit fixFail an audit only if the results include a vulnerability with a level of moderate or higher:
$ npm audit --audit-level=moderateThe audit-level option indicates the minimum level of vulnerability ("info", "low", "moderate", "high", "critical", or "none") for npm audit to exit with a non-zero exit code.
