man pages section 1: User Commands

Updated: Thursday, June 13, 2019

NPM-AUDIT(1)                                                      NPM-AUDIT(1)

       npm-audit - Run a security audit

         npm audit [--json|--parseable]
         npm audit fix [--force|--package-lock-only|--dry-run|--production|--only=dev]

       Scan  your  project  for  vulnerabilities and automatically install any
       compatible updates to vulnerable dependencies:

         $ npm audit fix

       Run audit fix without modifying node_modules, but  still  updating  the
       package-lock:

         $ npm audit fix --package-lock-only

       Skip updating devDependencies:

         $ npm audit fix --only=prod

       Have audit fix install semver-major updates to top-level  dependencies,
       not just semver-compatible ones:

         $ npm audit fix --force

       Do a dry run to get an idea of what audit fix will do, and also  output
       install information in JSON format:

         $ npm audit fix --dry-run --json

       Scan your project for vulnerabilities and just show the details,
       without fixing anything:

         $ npm audit

       Get the detailed audit report in JSON format:

         $ npm audit --json

       Get the detailed audit report as plain text with fields  separated  by
       tab characters, which allows reuse in scripting or command-line  post-
       processing, for example selecting some of the columns printed:

         $ npm audit --parseable

       To parse columns, you can use for example awk, and just print  some  of
       them:

         $ npm audit --parseable | awk -F $'\t' '{print $1,$4}'

       The  audit command submits a description of the dependencies configured
       in your project to your default registry and asks for a report of known
       vulnerabilities.  The  report  returned includes instructions on how to
       act on this information.

       You can also have npm automatically fix the vulnerabilities by  running
       npm audit fix. Note that some vulnerabilities cannot be fixed
       automatically and will require manual intervention or review. Also note
       that since npm audit fix runs a full-fledged npm install under the hood,
       all configs that apply to the installer will also apply to npm install,
       so things like npm audit fix --package-lock-only will work as expected.

CONTENT SUBMITTED
       o npm_version

       o node_version

       o platform

       o node_env

       o A scrubbed version of your package-lock.json or npm-shrinkwrap.json

       In order to ensure that potentially sensitive information is not
       included in the audit data bundle, some dependencies may have their
       names (and sometimes versions) replaced with opaque, non-reversible
       identifiers. This is done for the following dependency types:

       o Any module referencing a scope that is configured for  a  non-default
         registry has its name scrubbed. (That is, a scope you ran npm login
         --scope=@ourscope for.)

       o All git dependencies have their names and specifiers scrubbed.

       o All remote tarball dependencies have their names and specifiers
         scrubbed.

       o All  local  directory  and  tarball dependencies have their names and
         specifiers scrubbed.

       The non-reversible identifiers are a sha256 of a session-specific  UUID
       and  the  value  being replaced, ensuring a consistent value within the
       payload that is different between runs.

       See attributes(7) for descriptions of the following attributes:

       +---------------+-------------------------+
       |ATTRIBUTE TYPE | ATTRIBUTE VALUE         |
       +---------------+-------------------------+
       |Availability   | runtime/nodejs/nodejs-8 |
       |Stability      | Pass-thru volatile      |
       +---------------+-------------------------+

SEE ALSO
       o npm help install

       o npm help 5 package-locks

       o npm help 7 config

       This    software    was    built    from    source     available     at
       https://github.com/oracle/solaris-userland.    The  original  community
       source   was   downloaded   from     https://github.com/nodejs/node/ar-

       Further information about this software can be found on the open source
       community website at https://github.com/nodejs/node.

                                  August 2018                     NPM-AUDIT(1)