The npm blog has been discontinued.
`npm audit`: identify and fix insecure dependencies
Last month, we announced npm@6, which includes a powerful new tool to protect the safety of your code,
npm audit. Together with new automatic alerts when a user installs code with a known security risk,
audit is a dramatic step to ensure the quality and integrity of the code you use, and protect the world’s largest community of open source software developers.
Read on to learn more about
audit and how we’re working to help you develop with confidence.
npm audit is a new command that performs a moment-in-time security review of your project’s dependency tree. Audit reports contain information about security vulnerabilities in your dependencies and can help you fix a vulnerability by providing simple-to-run npm commands and recommendations for further troubleshooting.
You can start using
npm audit right now by updating to the latest version of npm. Just type
npm install npm -g.
Here is an example of running npm audit against
cd your-fantastic-app npm audit
The results should look like this:
We’ve also built in a summary security report into
npm install if vulnerabilities are found during installation:
Or when no vulnerabilities are found:
You can learn more about how to run a security audit on the npm documentation site
What if I’m using a previous version of npm?
npm audit is available in firstname.lastname@example.org and npm@6. Prior versions of npm will receive vulnerability messages similar to the following:
npm-notice: [SECURITY] marked has 3 high, and 2 moderate vulnerabilities. Go here for more details: [https://nodesecurity.io/advisories?search=marked&version=0.3.0](https://nodesecurity.io/advisories?search=marked&version=0.3.0) - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
We’re not aware of any third-party registry clients that currently support displaying the
npm-notify header, so users of these tools will not receive vulnerability messages. For maximum protection against unsafe code, all users should use npm@6.
In the short term, these new alerts and
npm audit will raise developers’ awareness of known security vulnerabilities within their applications.They also provide actionable guidance to eliminate the identified risks.
In the longer term, prominent vulnerability warnings and actionable security alerts will raise the floor for everyone. When a developer of a popular package notices they have been bringing in a vulnerable dependency and switches to using a fixed version, instead, every package that depends upon this popular package will now grow safer, too. Everyone stands to benefit from this network effect.
Security is a process, not a project—it’s never done. We will continue to work to improve the security of the npm Registry and the code you write, and we’re excited by what’s in the works in coming weeks and months.
Already, we’ve announced that package signing is on its way. This will allow users of npm packages to verify the integrity of the package regardless of the tools they use to retrieve it or the registry from which they download it.
After this, expect a summer full of products that empower security-focused teams and enterprises by augmenting the tools we’ve announced today. Watch this space.
Update: We’ve added
npm audit fix which combines all the actionable, semver-compatible reports from your audit and runs them for you. You can read more about it in the v6.1.0 release notes.