npm Audit and Dependency Security

Beginner5 minTrending

Scan Node.js dependencies for known vulnerabilities using npm audit and integrate security checks into your workflow.

Prerequisites

-Node.js and npm installed

Steps

Run npm audit to scan dependencies

Scan all installed dependencies against the npm advisory database for known vulnerabilities.

$ npm audit

npm audit checks both direct and transitive dependencies. Run it regularly, not just during installs.

Fix vulnerabilities automatically

Let npm attempt to resolve vulnerabilities by updating to patched versions within your semver range.

$ npm audit fix

The --force flag can introduce breaking changes by updating major versions. Avoid it unless you can test thoroughly.

Review detailed vulnerability information

Get a JSON report for programmatic analysis or detailed review of each vulnerability.

$ npm audit --json | node -e "const d=require('fs').readFileSync('/dev/stdin','utf8'); const r=JSON.parse(d); console.log('Total:', r.metadata.vulnerabilities.total); console.log('Critical:', r.metadata.vulnerabilities.critical); console.log('High:', r.metadata.vulnerabilities.high);"

Add audit to CI pipeline

Fail your CI build if high or critical vulnerabilities are found in dependencies.

$ npm audit --audit-level=high

Use --audit-level to set the minimum severity that causes a non-zero exit code: low, moderate, high, or critical.

Check for outdated packages

List packages that have newer versions available, as outdated packages often have unpatched vulnerabilities.

$ npm outdated

Full Script

full-script.sh

#!/bin/bash
set -euo pipefail

# Node.js Security Audit Script

echo "==> Running npm audit..."
npm audit 2>&1 | tee /tmp/npm-audit.txt || true

echo ""
echo "==> Vulnerability summary:"
npm audit --json 2>/dev/null | node -e "
  let data = '';
  process.stdin.on('data', c => data += c);
  process.stdin.on('end', () => {
    try {
      const r = JSON.parse(data);
      const v = r.metadata?.vulnerabilities || {};
      console.log('  Critical:', v.critical || 0);
      console.log('  High:', v.high || 0);
      console.log('  Moderate:', v.moderate || 0);
      console.log('  Low:', v.low || 0);
      console.log('  Info:', v.info || 0);
      console.log('  Total:', v.total || 0);
    } catch(e) {
      console.log('  Could not parse audit output');
    }
  });
" || true

echo ""
echo "==> Attempting automatic fix..."
npm audit fix --dry-run 2>&1 | tail -5

echo ""
read -p "Apply fixes? (y/n): " CONFIRM
if [ "$CONFIRM" = "y" ]; then
  npm audit fix
  echo "==> Fixes applied. Run 'npm test' to verify nothing broke."
else
  echo "==> Skipped. Review manually with: npm audit"
fi

echo ""
echo "==> Checking for outdated packages..."
npm outdated 2>/dev/null || echo "All packages up to date."

FAQ

Discussion

Loading comments...

#!/bin/bash set -euo pipefail # Node.js Security Audit Script echo "==> Running npm audit..." npm audit 2>&1 | tee /tmp/npm-audit.txt || true echo "" echo "==> Vulnerability summary:" npm audit --json 2>/dev/null | node -e " let data = ''; process.stdin.on('data', c => data += c); process.stdin.on('end', () => { try { const r = JSON.parse(data); const v = r.metadata?.vulnerabilities || {}; console.log(' Critical:', v.critical || 0); console.log(' High:', v.high || 0); console.log(' Moderate:', v.moderate || 0); console.log(' Low:', v.low || 0); console.log(' Info:', v.info || 0); console.log(' Total:', v.total || 0); } catch(e) { console.log(' Could not parse audit output'); } }); " || true echo "" echo "==> Attempting automatic fix..." npm audit fix --dry-run 2>&1 | tail -5 echo "" read -p "Apply fixes? (y/n): " CONFIRM if [ "$CONFIRM" = "y" ]; then npm audit fix echo "==> Fixes applied. Run 'npm test' to verify nothing broke." else echo "==> Skipped. Review manually with: npm audit" fi echo "" echo "==> Checking for outdated packages..." npm outdated 2>/dev/null || echo "All packages up to date."