npm-audit

npm audit [options]

npm audit scans project dependencies for known security vulnerabilities by checking them against the npm advisory database. It reports the severity level (low, moderate, high, critical), the vulnerable package, and the dependency path.The npm audit fix subcommand automatically installs compatible updates to resolve vulnerabilities. Using --force allows major version updates that may introduce breaking changes. The command exits with a non-zero code if vulnerabilities are found, making it suitable for CI/CD pipelines.

fix

Automatically install compatible updates to fix vulnerabilities.

Force updates to latest version, even with breaking changes.

Output results in JSON format.

Omit dependency type from audit (dev, optional, or peer). Replaces deprecated --production flag.

Minimum severity to trigger non-zero exit: low, moderate, high, critical.

Preview what audit fix would change without applying.

Only modify package-lock.json, skip node_modules updates.

Display vulnerabilities in parseable output format.

Display help information.

Requires network access to check the npm advisory database. The --force flag may install updates with breaking changes; always review with --dry-run first. The --production flag is deprecated in npm 8+; use --omit=dev instead.

npm audit was introduced in npm 6 (2018) to provide automated security vulnerability scanning. It replaced the third-party `nsp` (Node Security Platform) tool that npm acquired.

npm(1), npm-fund(1), snyk(1)