Home Explore Help
Sign In
CocoRoboLabs
/
CocoRoboDesktop
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: d6262b52a8
Branches Tags
CocoRoboDesk...
/
pdf1.js
/
node_modules
/
npm
/
man
/
man1
/
npm-audit.1

npm-audit.1 4.4 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173 
  1. .TH "NPM\-AUDIT" "1" "August 2021" "" ""
    2. 

  2. .SH "NAME"
    3. 

  3. \fBnpm-audit\fR \- Run a security audit
    4. 

  4. .SS Synopsis
    5. 

  5. .P
    6. 

  6. .RS 2
    7. 

  7. .nf
    8. 

  8. npm audit [\-\-json|\-\-parseable|\-\-audit\-level=(low|moderate|high|critical)]
    9. 

  9. npm audit fix [\-\-force|\-\-package\-lock\-only|\-\-dry\-run]
    10. 

  10. 

  11. common options: [\-\-production] [\-\-only=(dev|prod)]
    12. 

  12. .fi
    13. 

  13. .RE
    14. 

  14. .SS Examples
    15. 

  15. .P
    16. 

  16. Scan your project for vulnerabilities and automatically install any compatible
    17. 

  17. updates to vulnerable dependencies:
    18. 

  18. .P
    19. 

  19. .RS 2
    20. 

  20. .nf
    21. 

  21. $ npm audit fix
    22. 

  22. .fi
    23. 

  23. .RE
    24. 

  24. .P
    25. 

  25. Run \fBaudit fix\fP without modifying \fBnode_modules\fP, but still updating the
    26. 

  26. pkglock:
    27. 

  27. .P
    28. 

  28. .RS 2
    29. 

  29. .nf
    30. 

  30. $ npm audit fix \-\-package\-lock\-only
    31. 

  31. .fi
    32. 

  32. .RE
    33. 

  33. .P
    34. 

  34. Skip updating \fBdevDependencies\fP:
    35. 

  35. .P
    36. 

  36. .RS 2
    37. 

  37. .nf
    38. 

  38. $ npm audit fix \-\-only=prod
    39. 

  39. .fi
    40. 

  40. .RE
    41. 

  41. .P
    42. 

  42. Have \fBaudit fix\fP install semver\-major updates to toplevel dependencies, not just
    43. 

  43. semver\-compatible ones:
    44. 

  44. .P
    45. 

  45. .RS 2
    46. 

  46. .nf
    47. 

  47. $ npm audit fix \-\-force
    48. 

  48. .fi
    49. 

  49. .RE
    50. 

  50. .P
    51. 

  51. Do a dry run to get an idea of what \fBaudit fix\fP will do, and \fIalso\fR output
    52. 

  52. install information in JSON format:
    53. 

  53. .P
    54. 

  54. .RS 2
    55. 

  55. .nf
    56. 

  56. $ npm audit fix \-\-dry\-run \-\-json
    57. 

  57. .fi
    58. 

  58. .RE
    59. 

  59. .P
    60. 

  60. Scan your project for vulnerabilities and just show the details, without fixing
    61. 

  61. anything:
    62. 

  62. .P
    63. 

  63. .RS 2
    64. 

  64. .nf
    65. 

  65. $ npm audit
    66. 

  66. .fi
    67. 

  67. .RE
    68. 

  68. .P
    69. 

  69. Get the detailed audit report in JSON format:
    70. 

  70. .P
    71. 

  71. .RS 2
    72. 

  72. .nf
    73. 

  73. $ npm audit \-\-json
    74. 

  74. .fi
    75. 

  75. .RE
    76. 

  76. .P
    77. 

  77. Get the detailed audit report in plain text result, separated by tab characters, allowing for
    78. 

  78. future reuse in scripting or command line post processing, like for example, selecting
    79. 

  79. some of the columns printed:
    80. 

  80. .P
    81. 

  81. .RS 2
    82. 

  82. .nf
    83. 

  83. $ npm audit \-\-parseable
    84. 

  84. .fi
    85. 

  85. .RE
    86. 

  86. .P
    87. 

  87. To parse columns, you can use for example \fBawk\fP, and just print some of them:
    88. 

  88. .P
    89. 

  89. .RS 2
    90. 

  90. .nf
    91. 

  91. $ npm audit \-\-parseable | awk \-F $'\\t' '{print $1,$4}'
    92. 

  92. .fi
    93. 

  93. .RE
    94. 

  94. .P
    95. 

  95. Fail an audit only if the results include a vulnerability with a level of moderate or higher:
    96. 

  96. .P
    97. 

  97. .RS 2
    98. 

  98. .nf
    99. 

  99. $ npm audit \-\-audit\-level=moderate
    100. 

  100. .fi
    101. 

  101. .RE
    102. 

  102. .SS Description
    103. 

  103. .P
    104. 

  104. The audit command submits a description of the dependencies configured in
    105. 

  105. your project to your default registry and asks for a report of known
    106. 

  106. vulnerabilities\. The report returned includes instructions on how to act on
    107. 

  107. this information\. The command will exit with a 0 exit code if no
    108. 

  108. vulnerabilities were found\.
    109. 

  109. .P
    110. 

  110. You can also have npm automatically fix the vulnerabilities by running \fBnpm
    111. 

  111. audit fix\fP\|\. Note that some vulnerabilities cannot be fixed automatically and
    112. 

  112. will require manual intervention or review\. Also note that since \fBnpm audit fix\fP
    113. 

  113. runs a full\-fledged \fBnpm install\fP under the hood, all configs that apply to the
    114. 

  114. installer will also apply to \fBnpm install\fP \-\- so things like \fBnpm audit fix
    115. 

  115. \-\-package\-lock\-only\fP will work as expected\.
    116. 

  116. .P
    117. 

  117. By default, the audit command will exit with a non\-zero code if any vulnerability
    118. 

  118. is found\. It may be useful in CI environments to include the \fB\-\-audit\-level\fP parameter
    119. 

  119. to specify the minimum vulnerability level that will cause the command to fail\. This
    120. 

  120. option does not filter the report output, it simply changes the command's failure
    121. 

  121. threshold\.
    122. 

  122. .SS Content Submitted
    123. 

  123. .RS 0
    124. 

  124. .IP \(bu 2
    125. 

  125. npm_version
    126. 

  126. .IP \(bu 2
    127. 

  127. node_version
    128. 

  128. .IP \(bu 2
    129. 

  129. platform
    130. 

  130. .IP \(bu 2
    131. 

  131. node_env
    132. 

  132. .IP \(bu 2
    133. 

  133. A scrubbed version of your package\-lock\.json or npm\-shrinkwrap\.json
    134. 

  134. 

  135. .RE
    136. 

  136. .SS Scrubbing
    137. 

  137. .P
    138. 

  138. In order to ensure that potentially sensitive information is not included in
    139. 

  139. the audit data bundle, some dependencies may have their names (and sometimes
    140. 

  140. versions) replaced with opaque non\-reversible identifiers\.  It is done for
    141. 

  141. the following dependency types:
    142. 

  142. .RS 0
    143. 

  143. .IP \(bu 2
    144. 

  144. Any module referencing a scope that is configured for a non\-default
    145. 

  145. registry has its name scrubbed\.  (That is, a scope you did a \fBnpm login \-\-scope=@ourscope\fP for\.)
    146. 

  146. .IP \(bu 2
    147. 

  147. All git dependencies have their names and specifiers scrubbed\.
    148. 

  148. .IP \(bu 2
    149. 

  149. All remote tarball dependencies have their names and specifiers scrubbed\.
    150. 

  150. .IP \(bu 2
    151. 

  151. All local directory and tarball dependencies have their names and specifiers scrubbed\.
    152. 

  152. 

  153. .RE
    154. 

  154. .P
    155. 

  155. The non\-reversible identifiers are a sha256 of a session\-specific UUID and the
    156. 

  156. value being replaced, ensuring a consistent value within the payload that is
    157. 

  157. different between runs\.
    158. 

  158. .SS Exit Code
    159. 

  159. .P
    160. 

  160. The \fBnpm audit\fP command will exit with a 0 exit code if no vulnerabilities were found\.
    161. 

  161. .P
    162. 

  162. If vulnerabilities were found the exit code will depend on the \fBaudit\-level\fP
    163. 

  163. configuration setting\.
    164. 

  164. .SS See Also
    165. 

  165. .RS 0
    166. 

  166. .IP \(bu 2
    167. 

  167. npm help install
    168. 

  168. .IP \(bu 2
    169. 

  169. npm help package\-locks
    170. 

  170. .IP \(bu 2
    171. 

  171. npm help config
    172. 

  172. 

  173. .RE
    174.