LinuxCommandLibrary

npm-audit

Scan project for known vulnerabilities

TLDR

Scan the project's dependencies for known vulnerabilities
$ npm audit

Automatically fix vulnerabilities in the project's dependencies
$ npm audit fix

Force an automatic fix of vulnerable dependencies, even across breaking changes
$ npm audit fix --force

Update the lock file without modifying the node_modules directory
$ npm audit fix --package-lock-only

Perform a dry run, simulating the fix process without making any changes
$ npm audit fix --dry-run

Output audit results in JSON format
$ npm audit --json

Configure the audit to only fail on vulnerabilities at or above a specified severity
$ npm audit --audit-level [info|low|moderate|high|critical]

SYNOPSIS

npm audit
npm audit fix

PARAMETERS

fix
    Automatically attempts to update dependencies with known vulnerabilities to non-vulnerable versions. This may involve installing newer versions or applying patches. Use with caution!

--json
    Outputs the audit report in JSON format, suitable for parsing by other tools.

--production
    Only check production dependencies (those listed under `dependencies` in `package.json`). Dev dependencies are ignored.

--dev
    Only check development dependencies (those listed under `devDependencies` in `package.json`).

--audit-level
    Specifies the minimum severity level of vulnerabilities to report. Possible values are `low`, `moderate`, `high`, and `critical`. Defaults to `low`.

--force
    Forces `npm audit fix` to ignore breaking changes and attempt to fix vulnerabilities regardless. This may lead to unexpected behavior and should be used with extreme caution.

--package-lock-only
    Operates only on `package-lock.json` (or `npm-shrinkwrap.json`). This is helpful for updating dependencies without modifying `node_modules`.

DESCRIPTION

The `npm audit` command analyzes your project's dependency tree, created from your `package.json` and `package-lock.json` (or `npm-shrinkwrap.json`) files, to identify known security vulnerabilities in your dependencies. It then provides a report detailing these vulnerabilities, their severity levels (e.g., low, moderate, high, critical), and recommended actions to mitigate them. The primary goal is to help developers proactively address security risks within their Node.js projects before they are deployed to production. `npm audit` leverages a database of known vulnerabilities maintained by npm to perform this analysis. It's a crucial step in maintaining a secure software supply chain and ensuring that your applications are not exposed to unnecessary risks. By running `npm audit` regularly, you can quickly identify and address vulnerabilities, reducing the potential for exploits and security breaches. If vulnerabilities are found, `npm audit fix` is used as a next step to attempt an automatic update of vulnerable packages.

Always review any changes proposed by `npm audit fix` before committing them, as updating dependencies can sometimes introduce breaking changes.

CAVEATS

`npm audit fix` may not always be able to resolve all vulnerabilities automatically. In some cases, manual intervention is required, such as updating dependencies to major versions that contain breaking changes, or directly addressing the vulnerability in your code or a dependency's code.

EXIT CODES

0 if no vulnerabilities were found. 1 if vulnerabilities were found and not automatically fixed, or if an error occurred.
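The following script is an added example, not code from the LinuxCommandLibrary page or from npm itself. It shows how a CI gate consumes the report that `npm audit --json` prints (the `auditReportVersion: 2` format used by npm 7 and later), applies an `--audit-level` style threshold, and maps the outcome onto the exit-code convention above: 0 when nothing reaches the threshold, 1 otherwise. The embedded report is a constructed sample; the package names, version ranges and advisory URL in it are placeholders, not real advisories.

```javascript
// Added example; not from the LinuxCommandLibrary page or from npm itself.
// Applies an --audit-level style threshold to an `npm audit --json` report
// (auditReportVersion 2) and returns the exit code a CI job should use.
// In a pipeline you would feed it the real report: npm audit --json > audit.json

// npm's severity scale, lowest first.
const SEVERITY_ORDER = ['info', 'low', 'moderate', 'high', 'critical'];

// Constructed sample of an `npm audit --json` report, trimmed to the fields
// used here. Package names, ranges and the advisory URL are placeholders.
const SAMPLE_REPORT = JSON.stringify({
  auditReportVersion: 2,
  vulnerabilities: {
    'example-parser': {
      name: 'example-parser',
      severity: 'moderate',
      isDirect: false,
      via: [{ source: 0, name: 'example-parser', title: 'Placeholder advisory',
              severity: 'moderate', range: '<2.0.0', url: 'https://example.invalid/placeholder' }],
      range: '<2.0.0',
      fixAvailable: true,                      // `npm audit fix` can resolve it
    },
    'example-template': {
      name: 'example-template',
      severity: 'high',
      isDirect: true,
      via: [{ source: 1, name: 'example-template', title: 'Placeholder advisory',
              severity: 'high', range: '<=1.4.2', url: 'https://example.invalid/placeholder' }],
      range: '<=1.4.2',
      // Only fixable by a semver-major upgrade: needs --force or a manual bump
      fixAvailable: { name: 'example-template', version: '2.0.0', isSemVerMajor: true },
    },
  },
  metadata: {
    vulnerabilities: { info: 0, low: 0, moderate: 1, high: 1, critical: 0, total: 2 },
  },
});

// Rank a severity string. Unknown values fail closed (ranked as critical)
// so a typo in a report or in the threshold never silently passes the gate.
function severityRank(level) {
  const i = SEVERITY_ORDER.indexOf(String(level).toLowerCase());
  return i === -1 ? SEVERITY_ORDER.length - 1 : i;
}

// Evaluate a report against a threshold and return the gate decision.
function evaluateAudit(jsonText, auditLevel = 'low') {
  const report = JSON.parse(jsonText);
  if (report.auditReportVersion !== 2) {
    throw new Error(`unsupported auditReportVersion: ${report.auditReportVersion}`);
  }
  const threshold = severityRank(auditLevel);
  const failing = [];     // findings at or above the threshold
  const needsMajor = [];  // subset that only a semver-major upgrade fixes
  for (const [name, vuln] of Object.entries(report.vulnerabilities || {})) {
    if (severityRank(vuln.severity) < threshold) continue;
    failing.push({ name, severity: vuln.severity, direct: Boolean(vuln.isDirect) });
    if (vuln.fixAvailable && vuln.fixAvailable.isSemVerMajor) needsMajor.push(name);
  }
  return {
    exitCode: failing.length === 0 ? 0 : 1,
    failing,
    needsMajor,
    counts: (report.metadata && report.metadata.vulnerabilities) || {},
  };
}

// Human-readable summary for a CI log.
function summarize(result, auditLevel) {
  const lines = [`audit-level=${auditLevel}: ${result.failing.length} finding(s) at or above threshold`];
  for (const f of result.failing) {
    lines.push(`  ${f.severity.padEnd(8)} ${f.name}${f.direct ? ' (direct dependency)' : ''}`);
  }
  if (result.needsMajor.length) {
    lines.push(`  semver-major fix required for: ${result.needsMajor.join(', ')}`);
  }
  lines.push(`exit code: ${result.exitCode}`);
  return lines.join('\n');
}

console.log(summarize(evaluateAudit(SAMPLE_REPORT, 'high'), 'high'));
```

The `needsMajor` list is the practical caveat from the page: those findings are exactly the ones `npm audit fix` will not touch without `--force`, so the gate reports them separately rather than letting a green `npm audit fix` run hide them.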

CONFIGURATION

`npm audit` honors standard npm configuration settings, such as `registry`, `https-proxy`, and `cafile`. These can be set using the `npm config` command.

IGNORING AUDITS

You can ignore specific audit advisories using the overrides section of your package.json. This allows you to acknowledge a vulnerability and address it later or in a different way, which is useful when you want to handle a dependency issue manually or the dependency is no longer actively maintained. Always document why you have overridden an advisory and whether the override is temporary, to be removed once a fixed version of the package is released.

HISTORY

The `npm audit` command was introduced as part of npm version 6. It was created in response to the increasing awareness of security vulnerabilities in the Node.js ecosystem and the need for a standardized and automated way to identify and address them. Its adoption has grown significantly as developers and organizations prioritize security in their software development lifecycle. Before its existence, developers often had to rely on third-party tools or manual code reviews to identify potential vulnerabilities. Now, `npm audit` is an essential step in many CI/CD pipelines.

SEE ALSO

npm(1), npm-install(1), package.json(5), package-lock.json(5)
