1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
|
<!doctype html>
<html>
<title>npm-audit</title>
<meta charset="utf-8">
<link rel="stylesheet" type="text/css" href="../../static/style.css">
<link rel="canonical" href="https://www.npmjs.org/doc/cli/npm-audit.html">
<script async=true src="../../static/toc.js"></script>
<body>
<div id="wrapper">
<h1><a href="../cli/npm-audit.html">npm-audit</a></h1> <p>Run a security audit</p>
<h2 id="synopsis">SYNOPSIS</h2>
<pre><code>npm audit [--json]
npm audit fix [--force|--package-lock-only|--dry-run|--production|--only=dev]
</code></pre><h2 id="examples">EXAMPLES</h2>
<p>Scan your project for vulnerabilities and automatically install any compatible
updates to vulnerable dependencies:</p>
<pre><code>$ npm audit fix
</code></pre><p>Run <code>audit fix</code> without modifying <code>node_modules</code>, but still updating the
pkglock:</p>
<pre><code>$ npm audit fix --package-lock-only
</code></pre><p>Skip updating <code>devDependencies</code>:</p>
<pre><code>$ npm audit fix --only=prod
</code></pre><p>Have <code>audit fix</code> install semver-major updates to toplevel dependencies, not just
semver-compatible ones:</p>
<pre><code>$ npm audit fix --force
</code></pre><p>Do a dry run to get an idea of what <code>audit fix</code> will do, and <em>also</em> output
install information in JSON format:</p>
<pre><code>$ npm audit fix --dry-run --json
</code></pre><p>Scan your project for vulnerabilities and just show the details, without fixing
anything:</p>
<pre><code>$ npm audit
</code></pre><p>Get the detailed audit report in JSON format:</p>
<pre><code>$ npm audit --json
</code></pre><h2 id="description">DESCRIPTION</h2>
<p>The audit command submits a description of the dependencies configured in
your project to your default registry and asks for a report of known
vulnerabilities. The report returned includes instructions on how to act on
this information.</p>
<p>You can also have npm automatically fix the vulnerabilities by running <code>npm
audit fix</code>. Note that some vulnerabilities cannot be fixed automatically and
will require manual intervention or review. Also note that since <code>npm audit fix</code>
runs a full-fledged <code>npm install</code> under the hood, all configs that apply to the
installer will also apply to <code>npm install</code> -- so things like <code>npm audit fix
--package-lock-only</code> will work as expected.</p>
<h2 id="content-submitted">CONTENT SUBMITTED</h2>
<ul>
<li>npm_version</li>
<li>node_version</li>
<li>platform</li>
<li>node_env</li>
<li>A scrubbed version of your package-lock.json or npm-shrinkwrap.json</li>
</ul>
<h3 id="scrubbing">SCRUBBING</h3>
<p>In order to ensure that potentially sensitive information is not included in
the audit data bundle, some dependencies may have their names (and sometimes
versions) replaced with opaque non-reversible identifiers. It is done for
the following dependency types:</p>
<ul>
<li>Any module referencing a scope that is configured for a non-default
registry has its name scrubbed. (That is, a scope you did a <code>npm login --scope=@ourscope</code> for.)</li>
<li>All git dependencies have their names and specifiers scrubbed.</li>
<li>All remote tarball dependencies have their names and specifiers scrubbed.</li>
<li>All local directory and tarball dependencies have their names and specifiers scrubbed.</li>
</ul>
<p>The non-reversible identifiers are a sha256 of a session-specific UUID and the
value being replaced, ensuring a consistent value within the payload that is
different between runs.</p>
<h2 id="see-also">SEE ALSO</h2>
<ul>
<li><a href="../cli/npm-install.html">npm-install(1)</a></li>
<li><a href="../files/package-locks.html">package-locks(5)</a></li>
<li><a href="../misc/config.html">config(7)</a></li>
</ul>
</div>
<table border=0 cellspacing=0 cellpadding=0 id=npmlogo>
<tr><td style="width:180px;height:10px;background:rgb(237,127,127)" colspan=18> </td></tr>
<tr><td rowspan=4 style="width:10px;height:10px;background:rgb(237,127,127)"> </td><td style="width:40px;height:10px;background:#fff" colspan=4> </td><td style="width:10px;height:10px;background:rgb(237,127,127)" rowspan=4> </td><td style="width:40px;height:10px;background:#fff" colspan=4> </td><td rowspan=4 style="width:10px;height:10px;background:rgb(237,127,127)"> </td><td colspan=6 style="width:60px;height:10px;background:#fff"> </td><td style="width:10px;height:10px;background:rgb(237,127,127)" rowspan=4> </td></tr>
<tr><td colspan=2 style="width:20px;height:30px;background:#fff" rowspan=3> </td><td style="width:10px;height:10px;background:rgb(237,127,127)" rowspan=3> </td><td style="width:10px;height:10px;background:#fff" rowspan=3> </td><td style="width:20px;height:10px;background:#fff" rowspan=4 colspan=2> </td><td style="width:10px;height:20px;background:rgb(237,127,127)" rowspan=2> </td><td style="width:10px;height:10px;background:#fff" rowspan=3> </td><td style="width:20px;height:10px;background:#fff" rowspan=3 colspan=2> </td><td style="width:10px;height:10px;background:rgb(237,127,127)" rowspan=3> </td><td style="width:10px;height:10px;background:#fff" rowspan=3> </td><td style="width:10px;height:10px;background:rgb(237,127,127)" rowspan=3> </td></tr>
<tr><td style="width:10px;height:10px;background:#fff" rowspan=2> </td></tr>
<tr><td style="width:10px;height:10px;background:#fff"> </td></tr>
<tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6> </td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)"> </td></tr>
<tr><td colspan=5 style="width:50px;height:10px;background:#fff"> </td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4> </td><td style="width:90px;height:10px;background:#fff" colspan=9> </td></tr>
</table>
<p id="footer">npm-audit — npm@6.1.0</p>
|
