npm audit [--json]
npm audit fix [--force|--package-lock-only|--dry-run|--production|--only=dev]
Scan your project for vulnerabilities and automatically install any compatible updates to vulnerable dependencies:
$ npm audit fix
Run audit fix without modifying node_modules, but still updating the
pkglock:
$ npm audit fix --package-lock-only
Skip updating devDependencies:
$ npm audit fix --only=prod
Have audit fix install semver-major updates to toplevel dependencies, not just
semver-compatible ones:
$ npm audit fix --force
Do a dry run to get an idea of what audit fix will do, and also output
install information in JSON format:
$ npm audit fix --dry-run --json
Scan your project for vulnerabilities and just show the details, without fixing anything:
$ npm audit
Get the detailed audit report in JSON format:
$ npm audit --json
The audit command submits a description of the dependencies configured in your project to your default registry and asks for a report of known vulnerabilities. The report returned includes instructions on how to act on this information.
You can also have npm automatically fix the vulnerabilities by running npm audit fix. Note that some vulnerabilities cannot be fixed automatically and
will require manual intervention or review. Also note that since npm audit fix
runs a full-fledged npm install under the hood, all configs that apply to the
installer will also apply to npm install -- so things like npm audit fix --package-lock-only will work as expected.
In order to ensure that potentially sensitive information is not included in the audit data bundle, some dependencies may have their names (and sometimes versions) replaced with opaque non-reversible identifiers. It is done for the following dependency types:
npm login [email protected] for.)The non-reversible identifiers are a sha256 of a session-specific UUID and the value being replaced, ensuring a consistent value within the payload that is different between runs.
Last modified October 26, 1985 Found a typo? Send a pull request!