Take advantage of the build-in security tool
In version 6 npm introduced a new command that lets you run a security audit with
npm audit and assess your package dependencies for security vulnerabilities.
Let's explore how to use npm audit to evaluate the dependency tree recursively and safeguard the quality and integrity of our code.
npm audit is a built-in security feature, that scans your project for security vulnerabilities. It provides an assessment report that contains details of the identified anomalies, potential fixes, and more.
It checks the current version of the installed packages in your project against known vulnerabilities reported on the public npm registry. If it discovers a security issue, it reports it. The report contains the level of severity of the identified vulnerability. The command will exit with a 0 exit code if no vulnerabilities were found.
The extent of severity is determined by the impact and exploitability of the issue. The level of severity and recommended actions are:
|Level of Severity||Recommended Actions|
|High||resolve as fast as possible|
|Moderate||resolve as time allows|
|Low||resolve at your discretion|
npm audit offers the following advantages:
Ensure you have npm v6 or higher installed, by typing in your shell:
If you have to upgrade run the following command to update to the latest version:
npm install [email protected] –g
Whenever you install a package via npm,
npm install, the npm audit command will automatically in the background and output the security report after successful installing the dependencies.
If you want to run it manually, just go to the
src folder of your project and use the command:
The npm audit command requires a package-lock.json and, a package.json to be present.
The audit report will be printed in the console. If you want the report in JSON format, run:
npm audit --json
You can also specify the audit result to contain a certain level of severity, for example only
npm audit --audit-level=critical
The full synopsis of
npm audit is:
npm audit [--json|--parseable|--audit-level=(low|moderate|high|critical)]
Take security serious and always check the report and take action as indicated.
If vulnerabilities were found, you have two options:
1) Apply the suggested fix automatically. If you want npm to automatically fix the vulnerabilities, run
npm audit fix.
Note that some vulnerabilities cannot be fixed automatically and will require manual intervention or review.
There will be additional output in the console.
Configs: npm audit fix runs a full-fledged npm install under the hood, all configs that apply to the installer will also apply to npm install.
npm audit fix --package-lock-only will work as expected.
If the update requires moving to a major version, then you’ll need to add the force flag:
npm audit fix --force
2) Take manual actions: If there are no patches for the identified issues, the security audit report will give you more details on how to carry out manual investigations to address them.
You can take any of the following actions to resolve the vulnerabilities:
npm audit is a very useful feature that can enhance the security of your code, you can identify vulnerabilities and get actionable instructions on how to get rid of the risks.
Thanks for reading and if you have any questions, use the comment function or send me a message @mariokandut.
References (and Big thanks):
Find this post useful?Buy me a beer
3 min read
Fix a bug in a dependency without waiting for the maintainer
4 min read
Getting started with the Node Package Manager
6 min read