npm audit results overwhelming you? This library helps you resolve them step by step.
It can be really overwhelming to stare at an npm audit report with 50+ vulnerabilities. Where do you start?
npm-audit-helper helps answer that question, by providing smaller sets of output and a few hints. Example output:
found 155 vulnerabilities in 22715 scanned packages
3 vulnerabilities require manual review. See the full report
All you need to do is run npm audit --json and pipe the output to npm-audit-helper. There are a few different installation options:
npx (no installation)
npm audit --json | npx npm-audit-helper
npm install -g npm-audit-helper
npm audit --json | npm-audit-helper
npm install --save-dev npm-audit-helper
- Create task in
"scripts": {
  // ...
  "vuln": "npm audit --json | npm-audit-helper"
}
npm run vuln
This last approach is great for setting up a prepush hook with a tool like
npm-audit-helper will return a non-zero exit code if vulnerabilities are found.
||Return a zero exit code even when there are vulnerabilities. Useful while you're working your way down to 0 vulnerabilities||
||Filter out vulnerability information for
6.1.0 because it relies on the
npm install -g npm to upgrade.
npm-audit-helper won't work if it's piped invalid JSON, so you should check the output of npm audit --json if you have any trouble. A likely cause of invalid JSON is additional npm logging, so check the loglevel option in your
- This has been tested on *nix, not Windows. Let me know if you use Windows and you'd like to use this library by opening an issue.
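The invalid-JSON note above can be turned into a pre-flight check. The following is an added example, not npm-audit-helper's own code: it separates leading log lines from the report and counts vulnerabilities by severity. The function names, the exit-code values, the sample input and the reliance on the metadata.vulnerabilities field of the report are assumptions of this example.

```javascript
'use strict';
// Added example (not npm-audit-helper's code): pre-flight check for the text
// produced by `npm audit --json` before it is piped to another tool.
const SEVERITIES = ['critical', 'high', 'moderate', 'low', 'info'];

// Separate leading non-JSON lines (e.g. npm log output) from the JSON report.
function inspectAuditInput(raw) {
  try {
    return { report: JSON.parse(raw), noise: [] };
  } catch (err) {
    const lines = raw.split(/\r?\n/);
    const first = lines.findIndex((line) => line.startsWith('{'));
    if (first === -1) return { report: null, noise: lines.filter(Boolean) };
    const noise = lines.slice(0, first).filter(Boolean);
    try {
      return { report: JSON.parse(lines.slice(first).join('\n')), noise };
    } catch (err2) {
      return { report: null, noise };
    }
  }
}

// Assumption: severity counts live under metadata.vulnerabilities.
function summarize(report) {
  const counts = (report.metadata && report.metadata.vulnerabilities) || {};
  const total = SEVERITIES.reduce((sum, s) => sum + (counts[s] || 0), 0);
  const worst = SEVERITIES.find((s) => counts[s] > 0) || null;
  return { total, worst };
}

// Exit codes are this example's choice: 0 clean, 1 vulnerabilities, 2 bad input.
function check(raw) {
  const { report, noise } = inspectAuditInput(raw);
  if (!report) return { ok: false, exitCode: 2, noise, total: 0, worst: null };
  const { total, worst } = summarize(report);
  return { ok: true, exitCode: total > 0 ? 1 : 0, noise, total, worst };
}

// Constructed sample: one npm log line ahead of a trimmed-down report.
const SAMPLE = [
  'npm info it worked if it ends with ok',
  '{',
  '  "metadata": { "vulnerabilities":',
  '    { "info": 0, "low": 3, "moderate": 1, "high": 2, "critical": 0 } }',
  '}',
].join('\n');

console.log(check(SAMPLE));
```

A non-empty noise array means something other than the report reached stdout, which is the situation the loglevel note describes.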
npm audit hints
- You can get npm audit to ignore issues of a certain severity (but only for its exit code) by setting the
- You can tell npm audit fix to only fix production dependencies with npm audit fix --only=prod.
- If you want to add exclusions to your project (i.e. these are vulnerabilities I've reviewed and want to ignore), take a look at npm-audit-resolver. There is an RFC open to get npm audit resolve built into
Note on NSP
I wrote this library while helping my company migrate from using the Node Security Project, which will be decommissioned soon. I found that npm audit found many more vulnerabilities than our nsp output used to, which meant that I needed a little help to see which issues to focus on first.