What is NPM audit?
© https://nodejs.org/en/
Blog /what-is-npm-audit-and-how-to-increase-security/

What is NPM audit?

Take advantage of the build-in security tool

ByMario Kandut

Posted

Updated

3 min read
nodejavascriptnpm
Share on TwitterTweet
honey pot logo

Europe’s developer-focused job platform

Let companies apply to you

Developer-focused, salary and tech stack upfront.

Just one profile, no job applications!

This article is based on Node v16.15.1 and NPM 8.11.0.

NPM audit - build-in security. NPM (Node Package Manager) is the package manager for Node.js and allows JavaScript developers to share node modules. Read more about NPM in Intro to NPM.

💰 The Pragmatic Programmer: journey to mastery. 💰 One of the best books in software development, sold over 200,000 times.

In version 6 npm introduced a new command that lets you run a security audit with npm audit and assess your package dependencies for security vulnerabilities.

Let's explore how to use npm audit to evaluate the dependency tree recursively and safeguard the quality and integrity of our code.

What is NPM audit?

npm audit is a built-in security feature, that scans your project for security vulnerabilities. It provides an assessment report that contains details of the identified anomalies, potential fixes, and more.

It checks the current version of the installed packages in your project against known vulnerabilities reported on the public npm registry. If it discovers a security issue, it reports it. The report contains the level of severity of the identified vulnerability. The command will exit with a 0 exit code if no vulnerabilities were found.

The extent of severity is determined by the impact and exploitability of the issue. The level of severity and recommended actions are:

Level of Severity Recommended Actions
Critical resolve straightaway
High resolve as fast as possible
Moderate resolve as time allows
Low resolve at your discretion

Benefits of npm audit

npm audit offers the following advantages:

  • Big community of open source contributors, who endeavor to find and address vulnerabilities in npm packages.
  • Identifies the security issues clearly and labels them in terms of the level of severity.
  • If a fix has been published, it provides an out-of-the-box option for resolving the discovered anomalies.

How to run npm audit

Ensure you have npm v6 or higher installed, by typing in your shell:

npm -v

If you have to upgrade run the following command to update to the latest version:

npm install npm@latest –g

Whenever you install a package via npm, npm install, the npm audit command will automatically in the background and output the security report after successful installing the dependencies.

If you want to run it manually, just go to the src folder of your project and use the command:

npm audit

The npm audit command requires a package-lock.json and, a package.json to be present.

The audit report will be printed in the console. If you want the report in JSON format, run:

npm audit --json

You can also specify the audit result to contain a certain level of severity, for example only critical results

npm audit --audit-level=critical

The full synopsis of npm audit is:

npm audit [--json|--parseable|--audit-level=(low|moderate|high|critical)]

Take security serious and always check the report and take action as indicated.

How to fix security vulnerabilities

If vulnerabilities were found, you have two options:

  • Apply the suggested fix automatically
  • Take manual actions to fix them

1) Apply the suggested fix automatically. If you want npm to automatically fix the vulnerabilities, run npm audit fix. Note that some vulnerabilities cannot be fixed automatically and will require manual intervention or review. There will be additional output in the console.

Configs: npm audit fix runs a full-fledged npm install under the hood, all configs that apply to the installer will also apply to npm install. Commands like npm audit fix --package-lock-only will work as expected.

If the update requires moving to a major version, then you’ll need to add the force flag:

npm audit fix --force

2) Take manual actions: If there are no patches for the identified issues, the security audit report will give you more details on how to carry out manual investigations to address them.

You can take any of the following actions to resolve the vulnerabilities:

  • Look for mitigating factors: In some limited cases, you may continue consuming the package even when the weakness is still existing. For instance, the security risk may only be present on certain operating systems.
  • Update dependent packages: If a fix has been released, but the packages that depend on the vulnerable package have not been amended to reference the patched version, it may be necessary to undertake some manual interventions. You can start by locating the package, that should be updated by looking at the Path field on the security audit report. This will let you locate the vulnerable package, update the reference to the vulnerable package and, this may solve the security issue.
  • Fix the vulnerability yourself: If a patch has not been released and nobody is working on it, fix it yourself and submit a pull request.

npm audit is a very useful feature that can enhance the security of your code, you can identify vulnerabilities and get actionable instructions on how to get rid of the risks.

Thanks for reading and if you have any questions, use the comment function or send me a message @mariokandut.

If you want to know more about Node, have a look at these Node Tutorials.

References (and Big thanks):

WhiteSource, NPM audit

More node articles:

Getting started with Webpack

How to list/debug npm packages?

How to specify a Node.js version

How to create a web server in Node.js

How to dynamically load ESM in CJS

How to convert a CJS module to an ESM

How to create a CJS module

How to stream to an HTTP response

How to handle binary data in Node.js?

How to use streams to ETL data?

How to connect streams with pipeline?

How to handle stream errors?

How to connect streams with pipe?

What Is a Node.js Stream?

Handling Errors in Node (asynchronous)

Handling Errors in Node.js (synchronous)

Introduction to errors in Node.js

Callback to promise-based functions

ETL: Load Data to Destination with Node.js

ETL: Transform Data with Node.js

ETL: Extract Data with Node.js

Event Emitters in Node.js

How to set up SSL locally with Node.js?

How to use async/await in Node.js

What is an API proxy?

How to make an API request in Node.js?

How does the Event Loop work in Node.js

How to wait for multiple Promises?

How to organize Node.js code

Understanding Promises in Node.js

How does the Node.js module system work?

Set up and test a .env file in Node

How to Use Environment Variables in Node

How to clean up node modules?

Restart a Node.js app automatically

How to update a Node dependency - NPM?

What are NPM scripts?

How to uninstall npm packages?

How to install npm packages?

How to create a package.json file?

What Is the Node.js ETL Pipeline?

What is data brokering in Node.js?

How to read and write JSON Files with Node.js?

What is package-lock.json?

How to install Node.js locally with nvm?

How to update Node.js?

How to check unused npm packages?

What is the Node.js fs module?

What is Semantic versioning?

The Basics of Package.json explained

How to patch an NPM dependency

What is NPM audit?

Beginner`s guide to NPM

Getting started with Node.js

Scroll to top ↑
Github Mario Kandutlinkedin mario kandutMario's DEV ProfileMario's Stackoverflow ProfileMario's Medium ProfileMario's Angellist Profile

Privacy Policy | Legal Notice

Made with by mariokandut