<html><head>
<title>npm-audit</title>
<style>
body {
background-color: #ffffff;
color: #24292e;
margin: 0;
line-height: 1.5;
font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji";
}
#rainbar {
height: 10px;
background-image: linear-gradient(139deg, #fb8817, #ff4b01, #c12127, #e02aff);
}
a {
text-decoration: none;
color: #0366d6;
}
a:hover {
text-decoration: underline;
}
pre {
margin: 1em 0px;
padding: 1em;
border: solid 1px #e1e4e8;
border-radius: 6px;
display: block;
overflow: auto;
white-space: pre;
background-color: #f6f8fa;
color: #393a34;
}
code {
font-family: SFMono-Regular, Consolas, "Liberation Mono", Menlo, Courier, monospace;
font-size: 85%;
padding: 0.2em 0.4em;
background-color: #f6f8fa;
color: #393a34;
}
pre > code {
padding: 0;
background-color: inherit;
color: inherit;
}
h1, h2, h3 {
font-weight: 600;
}
#logobar {
background-color: #333333;
margin: 0 auto;
padding: 1em 4em;
}
#logobar .logo {
float: left;
}
#logobar .title {
font-weight: 600;
color: #dddddd;
float: left;
margin: 5px 0 0 1em;
}
#logobar:after {
content: "";
display: block;
clear: both;
}
#content {
margin: 0 auto;
padding: 0 4em;
}
#table_of_contents > h2 {
font-size: 1.17em;
}
#table_of_contents ul:first-child {
border: solid 1px #e1e4e8;
border-radius: 6px;
padding: 1em;
background-color: #f6f8fa;
color: #393a34;
}
#table_of_contents ul {
list-style-type: none;
padding-left: 1.5em;
}
#table_of_contents li {
font-size: 0.9em;
}
#table_of_contents li a {
color: #000000;
}
header.title {
border-bottom: solid 1px #e1e4e8;
}
header.title > h1 {
margin-bottom: 0.25em;
}
header.title > .description {
display: block;
margin-bottom: 0.5em;
line-height: 1;
}
footer#edit {
border-top: solid 1px #e1e4e8;
margin: 3em 0 4em 0;
padding-top: 2em;
}
</style>
</head>
<body>
<div id="banner">
<div id="rainbar"></div>
<div id="logobar">
<svg class="logo" role="img" height="32" width="32" viewBox="0 0 700 700">
<polygon fill="#cb0000" points="0,700 700,700 700,0 0,0"></polygon>
<polygon fill="#ffffff" points="150,550 350,550 350,250 450,250 450,550 550,550 550,150 150,150"></polygon>
</svg>
<div class="title">
npm command-line interface
</div>
</div>
</div>
<section id="content">
<header class="title">
<h1 id="npm-audit">npm-audit</h1>
<span class="description">Run a security audit</span>
</header>
<section id="table_of_contents">
<h2 id="table-of-contents">Table of contents</h2>
<div id="_table_of_contents"><ul><li><a href="#synopsis">Synopsis</a></li><li><a href="#description">Description</a></li><li><a href="#audit-endpoints">Audit Endpoints</a></li><ul><li><a href="#bulk-advisory-endpoint">Bulk Advisory Endpoint</a></li><li><a href="#quick-audit-endpoint">Quick Audit Endpoint</a></li><li><a href="#scrubbing">Scrubbing</a></li><li><a href="#calculating-meta-vulnerabilities-and-remediations">Calculating Meta-Vulnerabilities and Remediations</a></li></ul><li><a href="#exit-code">Exit Code</a></li><li><a href="#examples">Examples</a></li><li><a href="#see-also">See Also</a></li></ul></div>
</section>
<div id="_content"><h3 id="synopsis">Synopsis</h3>
<pre lang="bash"><code>npm audit [--json] [--production] [--audit-level=(low|moderate|high|critical)]
npm audit fix [--force|--package-lock-only|--dry-run|--production|--only=(dev|prod)]
common options: [--production] [--only=(dev|prod)]
</code></pre>
<h3 id="description">Description</h3>
<p>The audit command submits a description of the dependencies configured in
your project to your default registry and asks for a report of known
vulnerabilities. If any vulnerabilities are found, then the impact and
appropriate remediation will be calculated. If the <code>fix</code> argument is
provided, then remediations will be applied to the package tree.</p>
<p>The command will exit with a 0 exit code if no vulnerabilities were found.</p>
<p>Note that some vulnerabilities cannot be fixed automatically and will
require manual intervention or review. Also note that since <code>npm audit fix</code>
runs a full-fledged <code>npm install</code> under the hood, all configs that
apply to the installer will also apply to <code>npm audit fix</code> – so things like
<code>npm audit fix --package-lock-only</code> will work as expected.</p>
<p>By default, the audit command will exit with a non-zero code if any
vulnerability is found. It may be useful in CI environments to include the
<code>--audit-level</code> parameter to specify the minimum vulnerability level that
will cause the command to fail. This option does not filter the report
output, it simply changes the command’s failure threshold.</p>
<h3 id="audit-endpoints">Audit Endpoints</h3>
<p>There are two audit endpoints that npm may use to fetch vulnerability
information: the <code>Bulk Advisory</code> endpoint and the <code>Quick Audit</code> endpoint.</p>
<h4 id="bulk-advisory-endpoint">Bulk Advisory Endpoint</h4>
<p>As of version 7, npm uses the much faster <code>Bulk Advisory</code> endpoint to
optimize the speed of calculating audit results.</p>
<p>npm will generate a JSON payload with the name and list of versions of each
package in the tree, and POST it to the default configured registry at
the path <code>/-/npm/v1/security/advisories/bulk</code>.</p>
<p>Any packages in the tree that do not have a <code>version</code> field in their
package.json file will be ignored. If any <code>--omit</code> options are specified
(either via the <code>--omit</code> config, or one of the shorthands such as
<code>--production</code>, <code>--only=dev</code>, and so on), then packages will be omitted
from the submitted payload as appropriate.</p>
<p>If the registry responds with an error, or with an invalid response, then
npm will attempt to load advisory data from the <code>Quick Audit</code> endpoint.</p>
<p>The expected result will contain a set of advisory objects for each
dependency that matches the advisory range. Each advisory object contains
a <code>name</code>, <code>url</code>, <code>id</code>, <code>severity</code>, <code>vulnerable_versions</code>, and <code>title</code>.</p>
<p>npm then uses these advisory objects to calculate vulnerabilities and
meta-vulnerabilities of the dependencies within the tree.</p>
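<p>The following is an added example, not code from npm or from this page. It models the two
pieces of the Bulk Advisory flow described above and the <code>--audit-level</code> behaviour from
the Description and Exit Code sections: building the name-to-versions payload from a lockfile's
<code>packages</code> map (dropping entries without a <code>version</code> field and honouring
<code>--omit</code>), and turning the registry's reply into an exit code. The lockfile fragment,
the reply and the <code>example.invalid</code> advisory URLs are constructed for the example; leaving the
project root out of the payload is an assumption, as is the handling of the <code>devOptional</code> flag.</p>

```javascript
// Added example, not npm's own code: build the Bulk Advisory payload the page
// describes (package name -> installed versions) from a lockfile "packages"
// map, honour --omit, then turn the registry's reply into the exit code that
// --audit-level implies. The lockfile and the reply are constructed here.

// Constructed package-lock.json (lockfileVersion 2) fragment. Keys are paths
// below the project directory; "" is the project root itself.
const lock = {
  name: 'example-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/foo': { version: '1.1.0' },
    'node_modules/baz': { version: '3.4.5' },
    'node_modules/baz/node_modules/foo': { version: '1.0.2' },                   // nested second copy of foo
    'node_modules/@scope/tool': { version: '2.0.0', dev: true },                  // scoped devDependency
    'node_modules/@scope/tool/node_modules/foo': { version: '1.1.0', dev: true }, // duplicate version, deduplicated below
    'node_modules/opt-helper': { version: '0.9.0', devOptional: true },
    'node_modules/workspace-lib': { resolved: 'packages/lib', link: true },      // no version field: ignored
  },
};

// The package name is everything after the last "node_modules/" segment,
// which keeps a leading "@scope/" intact.
const nameOf = (path) => path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);

// omit is a subset of ['dev', 'optional', 'peer']; --production means ['dev'].
function shouldOmit(meta, omit) {
  if (meta.dev && omit.includes('dev')) return true;
  if (meta.optional && omit.includes('optional')) return true;
  if (meta.peer && omit.includes('peer')) return true;
  // devOptional marks a package reachable only through dev *or* optional
  // edges, so it is dropped only when both kinds are omitted (assumption).
  return Boolean(meta.devOptional && omit.includes('dev') && omit.includes('optional'));
}

// The JSON body POSTed to <registry>/-/npm/v1/security/advisories/bulk.
function bulkPayload(lockfile, omit = []) {
  const versions = {};
  for (const [path, meta] of Object.entries(lockfile.packages)) {
    if (path === '') continue;      // the project root is not audited against itself (assumption)
    if (!meta.version) continue;    // version-less entries such as links are ignored, as the page says
    if (shouldOmit(meta, omit)) continue;
    const name = nameOf(path);
    (versions[name] = versions[name] || new Set()).add(meta.version);
  }
  return Object.fromEntries(Object.entries(versions).map(([name, set]) => [name, [...set]]));
}

// Constructed reply in the shape the page describes: name -> advisory objects.
const response = {
  foo: [{ id: 1001, name: 'foo', title: 'Constructed advisory', severity: 'high',
          url: 'https://example.invalid/advisories/1001', vulnerable_versions: '>=1.0.2 <2.0.0' }],
  baz: [{ id: 1002, name: 'baz', title: 'Constructed advisory', severity: 'low',
          url: 'https://example.invalid/advisories/1002', vulnerable_versions: '<4.0.0' }],
};

const SEVERITIES = ['info', 'low', 'moderate', 'high', 'critical'];

// --audit-level is only a failure threshold: the report counts every advisory,
// and the exit code becomes 1 as soon as one advisory reaches the threshold.
// With no level set (npm's default) any advisory at all fails the audit.
function auditResult(reply, auditLevel = null) {
  if (auditLevel !== null && !SEVERITIES.includes(auditLevel)) throw new Error(`bad audit level: ${auditLevel}`);
  const report = Object.fromEntries(SEVERITIES.map((s) => [s, 0]));
  let worst = -1;
  for (const advisories of Object.values(reply)) {
    for (const a of advisories) {
      if (!SEVERITIES.includes(a.severity)) throw new Error(`unknown severity: ${a.severity}`);
      report[a.severity] += 1;
      worst = Math.max(worst, SEVERITIES.indexOf(a.severity));
    }
  }
  const threshold = auditLevel === null ? 0 : SEVERITIES.indexOf(auditLevel);
  return { report, exitCode: worst >= threshold ? 1 : 0 };
}
```

<p>Note that <code>bulkPayload(lock, ['dev'])</code> is what <code>--production</code> sends, and that
<code>auditResult(response, 'critical')</code> still reports the high and low advisories while exiting 0,
which is the "threshold, not filter" behaviour the Description points out.</p>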
<h4 id="quick-audit-endpoint">Quick Audit Endpoint</h4>
<p>If the <code>Bulk Advisory</code> endpoint returns an error, or invalid data, npm will
attempt to load advisory data from the <code>Quick Audit</code> endpoint, which is
considerably slower in most cases.</p>
<p>The full package tree as found in <code>package-lock.json</code> is submitted, along
with the following pieces of additional metadata:</p>
<ul>
<li><code>npm_version</code></li>
<li><code>node_version</code></li>
<li><code>platform</code></li>
<li><code>arch</code></li>
<li><code>node_env</code></li>
</ul>
<p>All packages in the tree are submitted to the Quick Audit endpoint.
Omitted dependency types are skipped when generating the report.</p>
<h4 id="scrubbing">Scrubbing</h4>
<p>Out of an abundance of caution, npm versions 5 and 6 would “scrub” any
packages from the submitted report if their name contained a <code>/</code> character,
so as to avoid leaking the names of potentially private packages or git
URLs.</p>
<p>However, in practice, this resulted in audits often failing to properly
detect meta-vulnerabilities, because the tree would appear to be invalid
due to missing dependencies, and prevented the detection of vulnerabilities
in package trees that used git dependencies or private modules.</p>
<p>This scrubbing has been removed from npm as of version 7.</p>
<h4 id="calculating-meta-vulnerabilities-and-remediations">Calculating Meta-Vulnerabilities and Remediations</h4>
<p>npm uses the
<a href="http://npm.im/@npmcli/metavuln-calculator"><code>@npmcli/metavuln-calculator</code></a>
module to turn a set of security advisories into a set of “vulnerability”
objects. A “meta-vulnerability” is a dependency that is vulnerable by
virtue of dependence on vulnerable versions of a vulnerable package.</p>
<p>For example, if the package <code>foo</code> is vulnerable in the range
<code>&gt;=1.0.2 &lt;2.0.0</code>, and the package <code>bar</code> depends on
<code>foo@^1.1.0</code>, then that version of <code>bar</code> can only be installed by
installing a vulnerable version of <code>foo</code>. In this case, <code>bar</code> is a
“metavulnerability”.</p>
<p>Once metavulnerabilities for a given package are calculated, they are
cached in the <code>~/.npm</code> folder and only re-evaluated if the advisory range
changes, or a new version of the package is published (in which case, the
new version is checked for metavulnerable status as well).</p>
<p>If the chain of metavulnerabilities extends all the way to the root
project, and it cannot be updated without changing its dependency ranges,
then <code>npm audit fix</code> will require the <code>--force</code> option to apply the
remediation. If remediations do not require changes to the dependency
ranges, then all vulnerable packages will be updated to a version that does
not have an advisory or metavulnerability posted against it.</p>
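<p>The following is an added example, not code from npm or from
<code>@npmcli/metavuln-calculator</code>. It walks through the <code>foo</code>/<code>bar</code> case above
on a constructed registry view (every published version of each package with its dependency ranges,
plus an <code>app</code> package standing in for the root project), computes which versions are vulnerable
directly or as metavulnerabilities, and then makes the <code>npm audit fix</code> decision: fix within the
declared range, fix only with <code>--force</code>, or manual review. npm uses the full <code>semver</code>
package; the matcher here is a minimal stand-in that understands only the range syntax used in the example,
and the treatment of dependency cycles and of ranges no published version satisfies is an assumption.</p>

```javascript
// Added example, not npm's or @npmcli/metavuln-calculator's code: a small
// model of the meta-vulnerability calculation and of the npm audit fix
// decision. npm uses the full `semver` package; this matcher understands
// only the comparators used below.

const parse = (v) => v.split('.').map(Number);
const cmp = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
};

// One comparator ("^1.1.0", ">=1.0.2", "<2.0.0", "1.0.0") -> predicate on a version.
function comparator(c) {
  const m = /^(\^|~|>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(c);
  if (!m) throw new Error(`unsupported comparator: ${c}`);
  const [, op = '=', v] = m;
  const [maj, min] = parse(v);
  switch (op) {
    case '^': { // ^1.1.0 -> >=1.1.0 <2.0.0; ^0.2.0 -> >=0.2.0 <0.3.0 (0.0.x not modelled)
      const upper = maj > 0 ? `${maj + 1}.0.0` : `0.${min + 1}.0`;
      return (x) => cmp(x, v) >= 0 && cmp(x, upper) < 0;
    }
    case '~': return (x) => cmp(x, v) >= 0 && cmp(x, `${maj}.${min + 1}.0`) < 0;
    case '>=': return (x) => cmp(x, v) >= 0;
    case '<=': return (x) => cmp(x, v) <= 0;
    case '>': return (x) => cmp(x, v) > 0;
    case '<': return (x) => cmp(x, v) < 0;
    default: return (x) => cmp(x, v) === 0;
  }
}

// Space-separated comparators are ANDed, "||" alternatives are ORed.
const satisfies = (version, range) =>
  range.split('||').some((alt) => alt.trim().split(/\s+/).every((c) => comparator(c)(version)));

// Constructed registry view: every published version of each package and its
// dependency ranges. "app" stands in for the root project.
const registry = {
  foo: { '1.0.0': {}, '1.0.1': {}, '1.0.2': {}, '1.1.0': {}, '1.2.0': {}, '2.0.0': {} },
  bar: { '1.0.0': { foo: '^1.1.0' }, '1.1.0': { foo: '^1.0.0' }, '2.0.0': { foo: '^2.0.0' } },
  app: { '1.0.0': { bar: '^1.0.0' } },
};

// Constructed advisory in the bulk-endpoint shape: foo is vulnerable in >=1.0.2 <2.0.0.
const advisories = {
  foo: [{ id: 1001, name: 'foo', title: 'Constructed advisory', severity: 'high',
          url: 'https://example.invalid/advisories/1001', vulnerable_versions: '>=1.0.2 <2.0.0' }],
};

// Versions of `name` that are vulnerable, either directly (an advisory range
// matches) or as a metavulnerability (a dependency range that only vulnerable
// versions can satisfy). `cache` plays the role of the ~/.npm metavuln cache
// and also stops recursion on dependency cycles.
function vulnerableVersions(name, cache = new Map()) {
  if (cache.has(name)) return cache.get(name);
  const result = new Set();
  cache.set(name, result); // in-progress entry: a cyclic dependency counts as clean (assumption)
  for (const [version, deps] of Object.entries(registry[name])) {
    const direct = (advisories[name] || []).some((a) => satisfies(version, a.vulnerable_versions));
    const meta = Object.entries(deps).some(([dep, range]) => {
      const depVuln = vulnerableVersions(dep, cache);
      const candidates = Object.keys(registry[dep]).filter((v) => satisfies(v, range));
      // An unsatisfiable range cannot be installed at all, so it is not counted (assumption).
      return candidates.length > 0 && candidates.every((v) => depVuln.has(v));
    });
    if (direct || meta) result.add(version);
  }
  return result;
}

// The npm audit fix decision for one declared dependency range: the highest
// clean version inside the range needs no --force; a clean version outside
// the range changes the range and so needs --force; no clean version at all
// means manual review.
function remediation(dep, range) {
  const vuln = vulnerableVersions(dep);
  const clean = Object.keys(registry[dep]).filter((v) => !vuln.has(v)).sort(cmp);
  const inRange = clean.filter((v) => satisfies(v, range));
  if (inRange.length) return { version: inRange[inRange.length - 1], force: false };
  if (clean.length) return { version: clean[clean.length - 1], force: true };
  return { version: null, force: false, manual: true };
}
```

<p>With this data <code>bar@1.0.0</code> is the metavulnerability from the text, <code>bar@1.1.0</code> is not
(its <code>^1.0.0</code> range can still be met by <code>foo@1.0.1</code>), and the root's <code>bar@^1.0.0</code>
can be fixed by moving to <code>bar@1.1.0</code> without <code>--force</code>; pinning <code>bar</code> to
<code>1.0.0</code> instead makes the root itself metavulnerable and the only fix a range-changing
<code>bar@2.0.0</code>.</p>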
<h3 id="exit-code">Exit Code</h3>
<p>The <code>npm audit</code> command will exit with a 0 exit code if no vulnerabilities
were found. The <code>npm audit fix</code> command will exit with a 0 exit code if no
vulnerabilities are found <em>or</em> if the remediation is able to successfully
fix all vulnerabilities.</p>
<p>If vulnerabilities were found the exit code will depend on the
<code>audit-level</code> configuration setting.</p>
<h3 id="examples">Examples</h3>
<p>Scan your project for vulnerabilities and automatically install any compatible
updates to vulnerable dependencies:</p>
<pre lang="bash"><code>$ npm audit fix
</code></pre>
<p>Run <code>audit fix</code> without modifying <code>node_modules</code>, but still updating
<code>package-lock.json</code>:</p>
<pre lang="bash"><code>$ npm audit fix --package-lock-only
</code></pre>
<p>Skip updating <code>devDependencies</code>:</p>
<pre lang="bash"><code>$ npm audit fix --only=prod
</code></pre>
<p>Have <code>audit fix</code> install SemVer-major updates to toplevel dependencies, not
just SemVer-compatible ones:</p>
<pre lang="bash"><code>$ npm audit fix --force
</code></pre>
<p>Do a dry run to get an idea of what <code>audit fix</code> will do, and <em>also</em> output
install information in JSON format:</p>
<pre lang="bash"><code>$ npm audit fix --dry-run --json
</code></pre>
<p>Scan your project for vulnerabilities and just show the details, without
fixing anything:</p>
<pre lang="bash"><code>$ npm audit
</code></pre>
<p>Get the detailed audit report in JSON format:</p>
<pre lang="bash"><code>$ npm audit --json
</code></pre>
<p>Fail an audit only if the results include a vulnerability with a level of moderate or higher:</p>
<pre lang="bash"><code>$ npm audit --audit-level=moderate
</code></pre>
<h3 id="see-also">See Also</h3>
<ul>
<li><a href="../commands/npm-install.html">npm install</a></li>
<li><a href="../using-npm/config.html">config</a></li>
</ul>
</div>
</section>
</body></html>