A security audit is an assessment of package dependencies for security vulnerabilities. Security audits help you protect your package's users by enabling you to find and fix known vulnerabilities in dependencies that could cause data loss, service outages, unauthorized access to sensitive information, or other issues.
npm audit
Note: The npm audit
command is available in npm@6. To upgrade, run npm install npm@latest -g
.
The npm audit
command submits a description of the dependencies configured in your package to your default registry and asks for a report of known vulnerabilities. npm audit
checks direct dependencies, devDependencies, bundledDependencies, and optionalDependencies, but does not check peerDependencies.
npm audit
automatically runs when you install a package with npm install
. You can also run npm audit
manually on your locally installed packages to conduct a security audit of the package and produce a report of dependency vulnerabilities and, if available, suggested patches.
cd path/to/your-package-name
and pressing Enter.package.json
and package-lock.json
files.npm audit
and press Enter.EAUDITNOPJSON
and EAUDITNOLOCK
errorsnpm audit
requires packages to have package.json
and package-lock.json
files.
EAUDITNOPJSON
error, create a package.json
file by following the steps in "Creating a package.json file".EAUDITNOLOCK
error, make sure your package has a package.json
file, then create the package lock file by running npm i --package-lock-only
.Running npm audit
will produce a report of security vulnerabilities with the affected package name, vulnerability severity and description, path, and other information, and, if available, commands to apply patches to resolve vulnerabilities. For more information on the fields in the audit report, see "About audit reports"
If security vulnerabilities are found and updates are available, you can either:
npm audit fix
subcommand to automatically install compatible updates to vulnerable dependencies.If the recommended action is a potential breaking change (semantic version major change), it will be followed by a SEMVER WARNING
that says "SEMVER WARNING: Recommended action is a potentially breaking change". If the package with the vulnerability has changed its API, you may need to make additional changes to your package's code.
If security vulnerabilities are found, but no patches are available, the audit report will provide information about the vulnerability so you can investigate further.
To address the vulnerability, you can
Review the security advisory in the "More info" field for mitigating factors that may allow you to continue using the package with the vulnerability in limited cases. For example, the vulnerability may only exist when the code is used on specific operating systems, or when a specific function is called.
If a fix exists but packages that depend on the package with the vulnerability have not been updated to include the fixed version, you may want to open a pull or merge request on the dependent package repository to use the fixed version.
@package-name > dependent-package > package-with-vulnerability
, you will need to update dependent-package
.npm update
.If a fix does not exist, you may want to suggest changes that address the vulnerability to the package maintainer in a pull or merge request on the package repository.
If you do not want to fix the vulnerability or update the dependent package yourself, open an issue in the package or dependent package issue tracker.
If no security vulnerabilities are found, this means that packages with known vulnerabilities were not found in your package dependency tree. Since the advisory database can be updated at any time, we recommend regularly running npm audit
manually, or adding npm audit
to your continuous integration process.
npm audit
on package installationTo turn off npm audit
when installing a single package, use the --no-audit
flag:
npm install example-package-name --no-audit
For more information, see the npm-install
command.
To turn off npm audit
when installing all packages, set the audit
setting to false
in your user and global npmrc config files:
npm set audit false
For more information, see the npm-config
management command and the npm-config
audit setting.
© npm, Inc. and Contributors
Licensed under the npm License.
npm is a trademark of npm, Inc.
https://docs.npmjs.com/auditing-package-dependencies-for-security-vulnerabilities