

Command line scanner looking for use of known vulnerable js files and node modules in web projects and/or node projects.


npm install -g retire


Usage: retire [options]


-h, --help              output usage information
-V, --version           output the version number

-p, --package           limit node scan to packages where parent is a dependency mentioned in package.json (ignore node_modules and devDependencies)
-n, --node              Run node dependency scan only
-j, --js                Run scan of JavaScript files only
-v, --verbose           Show identified files (by default only vulnerable files are shown)
-x, --dropexternal      Don't include project provided vulnerability repository
-c, --nocache           Don't use local cache

--jspath <path>         Folder to scan for javascript files
--nodepath <path>       Folder to scan for node files
--path <path>           Folder to scan for both
--jsrepo <path|url>     Local or internal version of repo
--noderepo <path|url>   Local or internal version of repo
--proxy <url>           Proxy url (http://some.server:8080)
--outputformat <format> Valid formats: text, json
--outputpath <path>     File to which output should be written
--ignore <paths>        Comma delimited list of paths to ignore
--ignorefile <path>     Custom .retireignore file, defaults to .retireignore
--severity <level>      Specify the bug severity level from which the process fails. Allowed levels none, low, medium, high, critical. Default: none
--exitwith <code>       Custom exit code (default: 13) when vulnerabilities are found


@qs                                                             # ignore this module regardless of location
node_modules/connect/node_modules/body-parser/node_modules/qs   # ignore specific path

Due to a bug in ignore resolving, please upgrade to >= 1.1.3


[
    {
        "component": "jquery",
        "identifiers" : { "issue": "2432"},
        "justification" : "We dont call external resources with jQuery"
    },
    {
        "component": "jquery",
        "version" : "2.1.4",
        "justification" : "We dont call external resources with jQuery"
    },
    {
        "path" : "node_modules",
        "justification" : "The node modules are only used for building - client side dependencies are using bower"
    }
]
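Ignore entries suppress findings, so they are worth reviewing like any other security exception. The following is an added example, not part of retire or its documentation: a small audit of parsed ignore entries that flags missing justifications and suppressions that are broader than a single version or issue. The function names, the sample data and the policy rules are assumptions of this example.

```javascript
// Added example: a review policy for .retireignore.json suppressions.
// The rules are this example's assumptions, not retire's own behaviour.

// Constructed sample, shaped like the entries shown above.
const sampleIgnore = [
  { component: "jquery", identifiers: { issue: "2432" },
    justification: "We dont call external resources with jQuery" },
  { component: "jquery", version: "2.1.4", justification: "" },
  { path: "node_modules", justification: "Only used for building" },
  { component: "jquery" }
];

// Keys that appear in the entries on this page; others are flagged as possible typos.
const KNOWN_KEYS = new Set(["component", "version", "identifiers", "path", "justification"]);
const nonEmpty = (v) => typeof v === "string" && v.trim() !== "";

function auditEntry(entry, index) {
  const findings = [];
  const add = (level, message) => findings.push({ index, level, message });
  if (entry === null || typeof entry !== "object" || Array.isArray(entry)) {
    add("error", "entry is not an object");
    return findings;
  }
  for (const key of Object.keys(entry)) {
    if (!KNOWN_KEYS.has(key)) add("warn", `unrecognised key "${key}"`);
  }
  if (!nonEmpty(entry.justification)) add("error", "missing justification");
  const hasComponent = nonEmpty(entry.component);
  const hasPath = nonEmpty(entry.path);
  if (!hasComponent && !hasPath) add("error", "names neither a component nor a path");
  const ids = entry.identifiers;
  const hasIds = ids !== null && typeof ids === "object" && Object.keys(ids).length > 0;
  // Broad suppressions are not tied to one version or issue, so they get a second look.
  if (hasComponent && !nonEmpty(entry.version) && !hasIds) {
    add("warn", "component ignored for every version and issue");
  }
  if (hasPath && !hasComponent) add("warn", `everything under "${entry.path}" is ignored`);
  return findings;
}

function auditIgnoreFile(entries) {
  if (!Array.isArray(entries)) {
    return [{ index: -1, level: "error", message: "top level must be an array" }];
  }
  return entries.flatMap(auditEntry);
}
```

Call auditIgnoreFile with the result of JSON.parse on the ignore file and fail the review when any finding has level "error".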


Source code / Reporting an issue

The source code and issue tracker can be found at