Audit and Fix Dependency Vulnerabilities

Beginner8 minTrending

Scan your project for known security vulnerabilities in dependencies, understand severity levels, and apply fixes safely.

Prerequisites

-Node.js and npm installed
-A project with package-lock.json

Steps

Run a security audit

Scan all dependencies for known vulnerabilities.

$ npm audit

View detailed audit report as JSON

Get machine-readable output for CI integration or detailed analysis.

$ npm audit --json | head -50

Pipe to jq for filtering: 'npm audit --json | jq '.vulnerabilities | to_entries[] | select(.value.severity=="critical")'

Auto-fix compatible vulnerabilities

Automatically update packages to patched versions within semver range.

$ npm audit fix

npm audit fix only updates within the current semver range. It will not make breaking changes to your dependency tree.

Force-fix with major version updates

Apply fixes that may include breaking semver changes.

$ npm audit fix --force --dry-run

Always use --dry-run first to review changes. Force-fixing can introduce breaking changes that require code updates.

Check audit in CI with exit codes

Fail CI builds when critical or high vulnerabilities are found.

$ npm audit --audit-level=high

Use --audit-level to set the minimum severity that causes a non-zero exit code: info, low, moderate, high, critical.

Full Script

full-script.sh

#!/bin/bash
# npm Security Audit Workflow
set -euo pipefail

echo "=== Dependency Audit Report ==="
npm audit 2>/dev/null || true

echo ""
echo "=== Vulnerability Summary ==="
npm audit --json 2>/dev/null | node -e "
  const data = JSON.parse(require('fs').readFileSync('/dev/stdin','utf8'));
  const meta = data.metadata?.vulnerabilities || {};
  console.log('Critical:', meta.critical || 0);
  console.log('High:    ', meta.high || 0);
  console.log('Moderate:', meta.moderate || 0);
  console.log('Low:     ', meta.low || 0);
  console.log('Info:    ', meta.info || 0);
  console.log('Total:   ', meta.total || 0);
" 2>/dev/null || echo "Could not parse audit data"

echo ""
echo "=== Safe Auto-Fix Preview ==="
npm audit fix --dry-run 2>/dev/null || echo "No auto-fixes available"

echo ""
echo "=== Commands ==="
echo "Auto-fix (safe):     npm audit fix"
echo "Auto-fix (breaking): npm audit fix --force --dry-run  (preview first!)"
echo "CI gate:             npm audit --audit-level=high"

FAQ

Discussion

Loading comments...

#!/bin/bash # npm Security Audit Workflow set -euo pipefail echo "=== Dependency Audit Report ===" npm audit 2>/dev/null || true echo "" echo "=== Vulnerability Summary ===" npm audit --json 2>/dev/null | node -e " const data = JSON.parse(require('fs').readFileSync('/dev/stdin','utf8')); const meta = data.metadata?.vulnerabilities || {}; console.log('Critical:', meta.critical || 0); console.log('High: ', meta.high || 0); console.log('Moderate:', meta.moderate || 0); console.log('Low: ', meta.low || 0); console.log('Info: ', meta.info || 0); console.log('Total: ', meta.total || 0); " 2>/dev/null || echo "Could not parse audit data" echo "" echo "=== Safe Auto-Fix Preview ===" npm audit fix --dry-run 2>/dev/null || echo "No auto-fixes available" echo "" echo "=== Commands ===" echo "Auto-fix (safe): npm audit fix" echo "Auto-fix (breaking): npm audit fix --force --dry-run (preview first!)" echo "CI gate: npm audit --audit-level=high"