LinuxCommandLibrary

pnpm-audit

Audit project dependencies for known vulnerabilities

TLDR

Identify vulnerabilities in the project

$ pnpm audit

Automatically fix vulnerabilities
$ pnpm audit --fix

Generate a security report in JSON format
$ pnpm audit --json > [path/to/audit-report.json]

Audit only dev dependencies
$ pnpm audit [[-D|--dev]]

Audit only production dependencies
$ pnpm audit [[-P|--prod]]

Exclude optional dependencies from the audit
$ pnpm audit --no-optional

Ignore registry errors during the audit process
$ pnpm audit --ignore-registry-errors

Filter advisories by severity (low, moderate, high, critical)
$ pnpm audit --audit-level [severity]

SYNOPSIS

pnpm audit [OPTIONS]

PARAMETERS

--fix
    Attempts to automatically resolve identified vulnerabilities by upgrading vulnerable dependencies to the earliest non-vulnerable version. This modifies your pnpm-lock.yaml and package.json.

--json
    Outputs the audit report in machine-readable JSON format, suitable for programmatic parsing and integration with CI/CD pipelines.

--prod, --production
    Audits only production dependencies. This excludes development dependencies listed under devDependencies in package.json.

--dev, --development
    Audits only development dependencies. This excludes production dependencies.

--audit-level <level>
    Specifies the minimum vulnerability level to report. Valid levels are 'info', 'low', 'moderate', 'high', and 'critical'. Only vulnerabilities at or above the specified level will be displayed.

--recursive, -r
    Runs the audit command in every package found in subdirectories or within a pnpm workspace, providing a consolidated report.

DESCRIPTION

The pnpm-audit command scans your project's dependencies for known security vulnerabilities by comparing them against a comprehensive vulnerability database, typically maintained by npm, Inc. It reads the pnpm-lock.yaml file or package.json to identify installed packages and their versions.

The primary purpose of pnpm-audit is to help developers proactively identify and mitigate security risks within their software supply chain. When executed, it provides a detailed report outlining identified vulnerabilities, their severity (e.g., low, moderate, high, critical), affected packages, and recommended remediation steps, such as upgrading to a non-vulnerable version. This command is an essential tool for maintaining the security integrity of Node.js projects managed with pnpm, ensuring that known security flaws in third-party libraries are addressed before deployment.

CAVEATS

pnpm-audit relies on external vulnerability databases, which may occasionally contain false positives or lag behind the latest discoveries. The --fix option, while convenient, might introduce breaking changes if the suggested upgrades involve major version bumps or significant API changes. It is always recommended to review the proposed changes and run tests after using --fix. An active internet connection is typically required to fetch the latest vulnerability data.

EXIT CODES

The pnpm-audit command exits with a non-zero status code (typically 1) if any vulnerabilities are found, making it suitable for use in CI/CD pipelines to enforce security checks. It exits with 0 if no vulnerabilities are detected or if the command executes successfully without issues.

VULNERABILITY LEVELS

Vulnerabilities are categorized by severity: info (informational), low (minor impact), moderate (some impact), high (significant impact), and critical (severe impact, often leading to remote code execution). These levels help prioritize remediation efforts.
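The --json parameter, the EXIT CODES section and the severity levels above together describe how pnpm-audit is wired into a CI pipeline: parse the JSON report, keep only advisories at or above a chosen level, and fail the job when anything remains. The following script is an added example, not code from the pnpm project or from this page. It assumes the JSON report uses the npm-style audit schema that pnpm emits (an "advisories" map keyed by advisory id, with module_name, severity, patched_versions and findings fields, plus "metadata.vulnerabilities" counts), and it assumes the npm convention that patched_versions of "<0.0.0" means no fixed release exists. The embedded report is constructed; its advisory ids, package names and versions are placeholders.

```python
"""CI gate for a `pnpm audit --json` report (added example, constructed data)."""
import json
import sys

# Severity order from the page's VULNERABILITY LEVELS, lowest first.
LEVELS = ["info", "low", "moderate", "high", "critical"]

# Constructed sample in the npm-style schema assumed to match `pnpm audit --json`.
# Advisory ids, package names and versions are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "actions": [],
    "advisories": {
        "1001": {
            "module_name": "example-parser",
            "severity": "high",
            "title": "Prototype pollution (constructed placeholder)",
            "vulnerable_versions": "<2.1.0",
            "patched_versions": ">=2.1.0",
            "findings": [{"version": "2.0.3", "paths": ["example-parser"]}],
        },
        "1002": {
            "module_name": "example-logger",
            "severity": "moderate",
            "title": "Regular expression denial of service (constructed placeholder)",
            "vulnerable_versions": "<1.4.2",
            "patched_versions": ">=1.4.2",
            "findings": [{"version": "1.3.0", "paths": ["example-web>example-logger"]}],
        },
        "1003": {
            "module_name": "example-dev-tool",
            "severity": "low",
            "title": "Information exposure (constructed placeholder)",
            "vulnerable_versions": "<0.9.0",
            "patched_versions": "<0.0.0",
            "findings": [{"version": "0.8.1", "paths": ["example-dev-tool"]}],
        },
    },
    "metadata": {
        "vulnerabilities": {"info": 0, "low": 1, "moderate": 1, "high": 1, "critical": 0},
        "dependencies": 412, "devDependencies": 88,
        "optionalDependencies": 3, "totalDependencies": 503,
    },
})


def load_report(text):
    """Parse the JSON text that `pnpm audit --json` writes to stdout."""
    return json.loads(text)


def advisories_at_or_above(report, min_level):
    """Select advisories with severity >= min_level, mirroring --audit-level.

    Returns (advisory_id, advisory) pairs, most severe first.
    """
    threshold = LEVELS.index(min_level)
    selected = []
    for adv_id, adv in report.get("advisories", {}).items():
        sev = adv.get("severity", "info")
        if sev in LEVELS and LEVELS.index(sev) >= threshold:
            selected.append((adv_id, adv))
    return sorted(selected, key=lambda item: -LEVELS.index(item[1]["severity"]))


def has_fix(adv):
    """Assumed npm convention: patched_versions "<0.0.0" means no fixed release."""
    return adv.get("patched_versions", "<0.0.0") != "<0.0.0"


def summarize(report, min_level):
    """Build one line per reportable advisory and the CI exit code.

    Exit code follows the page's EXIT CODES section: 1 if anything at or above
    min_level remains, 0 otherwise.
    """
    lines = []
    for adv_id, adv in advisories_at_or_above(report, min_level):
        paths = ", ".join(
            p for finding in adv.get("findings", []) for p in finding.get("paths", [])
        )
        fix = adv["patched_versions"] if has_fix(adv) else "no fix available"
        lines.append(f"[{adv['severity']}] {adv['module_name']} ({adv_id}) via {paths}: {fix}")
    return lines, (1 if lines else 0)


if __name__ == "__main__":
    # Usage in a pipeline: pnpm audit --json | python3 audit_gate.py high
    # (reads stdin; falls back to the constructed sample when stdin is a TTY).
    level = sys.argv[1] if len(sys.argv) > 1 else "high"
    text = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    report_lines, code = summarize(load_report(text), level)
    print("\n".join(report_lines) if report_lines else f"no advisories at or above {level}")
    sys.exit(code)
```

Note that the gate keys off the report body rather than pnpm's own exit status, so the threshold can be set per pipeline stage (for example, a stricter level for production dependencies audited with --prod) and advisories with no available fix are surfaced explicitly instead of being silently dropped by --fix.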

USAGE EXAMPLES

  • To perform a basic audit: pnpm audit
  • To audit and attempt to fix vulnerabilities: pnpm audit --fix
  • To audit only critical vulnerabilities: pnpm audit --audit-level critical
  • To get JSON output: pnpm audit --json

HISTORY

The pnpm-audit command was introduced as part of pnpm's ongoing efforts to provide robust security features, mirroring capabilities found in other popular Node.js package managers like npm and Yarn. Its inclusion underscores the importance of supply chain security in modern software development, allowing pnpm users to integrate vulnerability scanning directly into their development workflows. The command's functionality and options have evolved to align with industry best practices for auditing package dependencies.

SEE ALSO

npm-audit(1), yarn-audit(1), pnpm(1), pnpm-install(1)
