What is NPM audit?

Software Engineer from Vienna, Austria. Building things, mainly in JavaScript.

NPM audit - built-in security. NPM (Node Package Manager) is the package manager for Node.js and allows JavaScript developers to share node modules. Read more about NPM in Intro to NPM.

In version 6 npm introduced a new command that lets you run a security audit with npm audit and assess your package dependencies for security vulnerabilities.

Let's explore how to use npm audit to evaluate the dependency tree recursively and safeguard the quality and integrity of our code.

What is NPM audit?

npm audit is a built-in security feature that scans your project for security vulnerabilities. It provides an assessment report that contains details of the identified anomalies, potential fixes, and more.

It checks the current version of the installed packages in your project against known vulnerabilities reported on the public npm registry. If it discovers a security issue, it reports it. The report contains the level of severity of the identified vulnerability. The command will exit with a 0 exit code if no vulnerabilities were found.

The extent of severity is determined by the impact and exploitability of the issue. The level of severity and recommended actions are:

Level of Severity | Recommended Actions
Critical          | resolve straightaway
High              | resolve as fast as possible
Moderate          | resolve as time allows
Low               | resolve at your discretion


Benefits of npm audit

npm audit offers the following advantages:

  • Big community of open source contributors, who endeavor to find and address vulnerabilities in npm packages.
  • Identifies the security issues clearly and labels them in terms of the level of severity.
  • If a fix has been published, it provides an out-of-the-box option for resolving the discovered anomalies.

How to run npm audit

Ensure you have npm v6 or higher installed, by typing in your shell:

npm -v

If you have to upgrade, run the following command to update to the latest version:

npm install npm@latest -g

Whenever you install a package with npm install, the npm audit command runs automatically in the background and outputs the security report after the dependencies have been installed successfully.

If you want to run it manually, just go to the src folder of your project and use the command:

npm audit

The npm audit command requires both a package-lock.json and a package.json to be present.

The audit report will be printed in the console. If you want the report in JSON format, run:

npm audit --json

You can also specify the audit result to contain a certain level of severity, for example only critical results:

npm audit --audit-level=critical

The full synopsis of npm audit is:

npm audit [--json|--parseable|--audit-level=(low|moderate|high|critical)]

Take security seriously: always check the report and take action as indicated.

How to fix security vulnerabilities

If vulnerabilities were found, you have two options:

  • Apply the suggested fix automatically
  • Take manual actions to fix them

1) Apply the suggested fix automatically. If you want npm to automatically fix the vulnerabilities, run npm audit fix. Note that some vulnerabilities cannot be fixed automatically and will require manual intervention or review. There will be additional output in the console.

Configs: Because npm audit fix runs a full-fledged npm install under the hood, all configs that apply to the installer also apply to npm audit fix. Commands like npm audit fix --package-lock-only will work as expected.

If the update requires moving to a major version, then you’ll need to add the force flag:

npm audit fix --force

2) Take manual actions: If there are no patches for the identified issues, the security audit report will give you more details on how to carry out manual investigations to address them.

You can take any of the following actions to resolve the vulnerabilities:

  • Look for mitigating factors: In some limited cases, you may continue consuming the package even while the weakness still exists. For instance, the security risk may only be present on certain operating systems.
  • Update dependent packages: If a fix has been released, but the packages that depend on the vulnerable package have not been amended to reference the patched version, some manual intervention may be necessary. Start by looking at the Path field in the security audit report to locate the package that should be updated. You can then update its reference to the vulnerable package, which may solve the security issue.
  • Fix the vulnerability yourself: If a patch has not been released and nobody is working on it, fix it yourself and submit a pull request.
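
As an added example (not code from the original post), this Node.js snippet applies a severity threshold to npm audit --json output and uses the dependency paths to show which package to update for each finding. The helper names findings and triage are hypothetical, and the sample reports, advisory ids and example-* package names are constructed.

```javascript
const LEVELS = ["info", "low", "moderate", "high", "critical"];

// Normalise npm 6 ("advisories") and npm 7+ ("vulnerabilities") reports.
function findings(report) {
  if (report.advisories) {
    return Object.values(report.advisories).map((a) => {
      const paths = a.findings.flatMap((f) => f.paths); // chains like "a>b>c"
      // The first segment of a path is the top-level dependency pulling it in.
      const roots = [...new Set(paths.map((p) => p.split(">")[0].trim()))];
      return { name: a.module_name, severity: a.severity, paths, roots };
    });
  }
  return Object.values(report.vulnerabilities || {}).map((v) => ({
    name: v.name, severity: v.severity,
    paths: v.nodes || [], // install locations such as "node_modules/x"
    roots: v.isDirect ? [v.name] : v.effects || [], // dependents npm lists
  }));
}

// Findings at or above `failAt`, plus the exit code a CI step should return.
function triage(jsonText, failAt = "high") {
  const min = LEVELS.indexOf(failAt);
  if (min < 0) throw new Error(`unknown severity level: ${failAt}`);
  const all = findings(JSON.parse(jsonText));
  const blocking = all.filter((f) => LEVELS.indexOf(f.severity) >= min);
  return { total: all.length, blocking, exitCode: blocking.length ? 1 : 0 };
}

// Constructed sample in the npm 6 report shape (ids and packages are made up).
const SAMPLE_NPM6 = JSON.stringify({
  advisories: {
    1001: { module_name: "example-parser", severity: "high",
      findings: [{ version: "1.2.0",
        paths: ["example-web>example-parser", "example-web>example-body>example-parser"] }] },
    1002: { module_name: "example-logger", severity: "low",
      findings: [{ version: "2.2.0", paths: ["example-test>example-logger"] }] },
  },
});

// Constructed sample in the npm 7+ report shape.
const SAMPLE_NPM7 = JSON.stringify({
  vulnerabilities: {
    "example-parser": { name: "example-parser", severity: "high", isDirect: false,
      effects: ["example-web"], nodes: ["node_modules/example-parser"] },
  },
});

for (const f of triage(SAMPLE_NPM6, "high").blocking) {
  console.log(`${f.severity}: ${f.name} via ${f.roots.join(", ")}`);
}
```

npm's own --audit-level option sets the severity at which the command exits with a non-zero code; triage applies the same kind of threshold to a parsed report so the blocking findings can also be listed.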

npm audit is a very useful feature that can enhance the security of your code: you can identify vulnerabilities and get actionable instructions on how to get rid of the risks.

Thanks for reading, and if you have any questions, use the comment function or send me a message @mariokandut.

If you want to know more about Node, have a look at these Node Tutorials.

References (and Big thanks):

WhiteSource, NPM audit
