With version 6, npm introduced a new command, npm audit, that lets you run a security audit and assess your package dependencies for known vulnerabilities.
Let's explore how to use npm audit to evaluate the dependency tree recursively and safeguard the quality and integrity of our code.
npm audit is a built-in security feature that scans your project for security vulnerabilities. It produces an assessment report with details of the identified issues, potential fixes, and more.
It checks the versions of the packages installed in your project against the advisory database of the public npm registry. If it discovers a security issue, it reports it together with the severity of the vulnerability. The command exits with exit code 0 if no vulnerabilities were found, and with a non-zero exit code otherwise, which makes it usable as a gate in CI.
The extent of severity is determined by the impact and exploitability of the issue. The level of severity and recommended actions are:
| Level of Severity | Recommended Actions |
|---|---|
| Critical | resolve immediately |
| High | resolve as fast as possible |
| Moderate | resolve as time allows |
| Low | resolve at your discretion |
npm audit offers the following advantages:
- A big community of open-source contributors who endeavor to find and address vulnerabilities in npm packages.
- It identifies security issues clearly and labels them by level of severity.
- If a fix has been published, it provides an out-of-the-box option (npm audit fix) for resolving the discovered issues.
Ensure you have npm v6 or higher installed by checking the version in your shell:
If you have to upgrade, run the following command to update to the latest version:
npm install npm@latest -g
Whenever you install a package with npm install, npm automatically runs npm audit in the background and prints the security report after the dependencies have been installed. (You can suppress this with the --no-audit flag.)
If you want to run it manually, go to the root folder of your project, the one containing package.json, and run npm audit.
The npm audit command requires a package.json and a package-lock.json (or npm-shrinkwrap.json) to be present, because the lockfile is what describes the exact dependency tree that gets checked.
The audit report will be printed in the console. If you want the report in JSON format, run:
npm audit --json
You can also set the minimum severity at which npm audit exits with a non-zero exit code (the report itself still lists every finding). This is what you want in a CI pipeline that should only fail on serious issues, for example only on critical ones:
npm audit --audit-level=critical
The full synopsis of npm audit is:
npm audit [--json|--parseable|--audit-level=(low|moderate|high|critical)]
Take security seriously: always check the report and take action as indicated.
If vulnerabilities were found, you have two options:
- Apply the suggested fix automatically
- Take manual actions to fix them
1) Apply the suggested fix automatically. If you want npm to fix the vulnerabilities automatically, run npm audit fix. Note that some vulnerabilities cannot be fixed automatically and will require manual intervention or review; npm prints additional output in the console for those.
Configs: npm audit fix runs a full-fledged npm install under the hood, so all configs that apply to the installer also apply to npm audit fix. Commands like
npm audit fix --package-lock-only will work as expected.
If the update requires moving to a new major version, npm audit fix will not apply it on its own; you need to add the force flag:
npm audit fix --force
Caveat: semver-major updates can contain breaking changes. Preview what would change with npm audit fix --dry-run, review the resulting diff of package.json and package-lock.json, and run your test suite before committing the updated lockfile.
2) Take manual actions: If there are no patches for the identified issues, the security audit report will give you more details on how to carry out manual investigations to address them.
You can take any of the following actions to resolve the vulnerabilities:
- Look for mitigating factors: In some limited cases, you may continue consuming the package even though the weakness remains unfixed. For instance, the security risk may only be present on certain operating systems, or the vulnerable function may never be reachable from your code. Document such a decision so it is revisited when the package is next updated.
- Update dependent packages: If a fix has been released, but the packages that depend on the vulnerable package have not been amended to reference the patched version, some manual intervention may be necessary. Start by locating the package that should be updated in the Path field of the security audit report (for example a>b>vulnerable-package): the first entry is the dependency you declare in package.json, and the chain shows how the vulnerable package is pulled in. Update your own reference or ask the maintainers of the intermediate package to bump theirs; either may resolve the security issue.
- Fix the vulnerability yourself: If a patch has not been released and nobody is working on it, fix it yourself and submit a pull request.
npm audit is a very useful feature that can enhance the security of your code: you can identify vulnerabilities and get actionable instructions on how to get rid of the risks.
Thanks for reading and if you have any questions, use the comment function or send me a message @mariokandut.
References (and Big thanks):