pnpm-audit

pnpm audit [options]

pnpm audit scans project dependencies for known security vulnerabilities using the npm advisory database. It reports affected packages, severity levels, and available patched versions.The --fix option attempts to automatically update vulnerable packages to safe versions. Use --prod or --dev to limit scanning to production or development dependencies respectively. The --audit-level option sets the minimum severity threshold for reporting (low, moderate, high, critical).

--fix

Add overrides to package.json that pin vulnerable transitive dependencies to safe versions.

Output the audit report as JSON.

Audit only production dependencies (skip devDependencies).

Audit only development dependencies.

Skip optional dependencies during the audit.

Minimum severity to report: low, moderate, high, or critical (default: low).

Suppress reporting for a specific advisory by its identifier.

Skip advisories that have no available patch.

Exit with code 0 when the registry returns a non-200 status, only failing if real vulnerabilities are found.

Requires network access. Uses npm advisory database.

pnpm audit was added for security vulnerability scanning in dependencies.

pnpm(1), npm-audit(1)