With npm@6, support was added to protect your code from vulnerabilities in packages that you use. You may have noticed output identifying vulnerabilities when you run
The npm project now maintains advisories, which are used by npm audit to sniff out known vulnerabilities for you. It also provides fixes, if available. This is an impressive feature to help us all keep code as safe as we can in a world of seemingly innumerable package dependencies.
npm audit to work for you 💪
Security starts at home. Making npm audit part of your local development process is highly recommended. See the Auditing package dependencies for security vulnerabilities documentation from npmjs.com for an introduction to npm audit and fixing vulnerabilities.
npm audit produces a report of known vulnerabilities and, if available, patches to apply to resolve them.
The first time you audit a project, you're likely to see quite a few vulnerabilities identified. Don't despair: you can narrow down what needs review by filtering out dev dependencies that don't make it into your production codebase with the --production flag. This works with both npm audit and npm audit fix.
$ npm audit fix --production
The above will install compatible updates to vulnerable dependencies if available, skipping devDependencies. After applying the fixes, run your tests to make sure nothing broke, then push your changes. 🙌
If you're working with others on the project, you might need to discuss some of the updates before you make them. Having a pull request with proposed changes summarized for discussion would help. Checking if the pull request branch breaks your tests would also be useful.
We created the npm Vulnerability Scanner to address this problem for ourselves and for anyone who wants npm audit fix as an automated service in the cloud.
Continuous scan 🔍
The npm Vulnerability Scanner runs npm audit on every push to a repository. It adds a GitHub Check run to each commit with the report from the audit, with advisories linked directly in the check run summary to help you review.
You can set the minimum severity level (Low, Moderate, High or Critical) that causes npm Vulnerability Scanner to add a failed check — for example, you may only want to fail the check if a Critical vulnerability is found.
As mentioned earlier, you'll likely want to exclude dev dependencies from your audits. There's a flag for that as well in the configuration for npm Vulnerability Scanner.
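To make the minimum-severity gate concrete, here is an added example (not code from the original post or from the npm Vulnerability Scanner) that decides pass/fail for an npm audit --json report and builds a short summary with advisory links. It assumes the report layout of npm audit --json: the metadata.vulnerabilities counts exist in both the npm@6 and npm@7+ formats, while the advisories section follows the npm@6 format; the sample report below is constructed, not real advisory data.

```javascript
// Severity levels in ascending order, as npm audit names them.
const SEVERITIES = ["info", "low", "moderate", "high", "critical"];

// Decide whether an `npm audit --json` report should fail a CI check.
// `report.metadata.vulnerabilities` holds a count per severity level.
// Returns the number of findings at or above `minSeverity` and the verdict.
function severityGate(report, minSeverity) {
  const min = SEVERITIES.indexOf(String(minSeverity).toLowerCase());
  if (min < 0) throw new Error(`unknown severity: ${minSeverity}`);
  const counts = (report.metadata && report.metadata.vulnerabilities) || {};
  let flagged = 0;
  for (const level of SEVERITIES.slice(min)) {
    flagged += Number(counts[level] || 0);
  }
  return { fail: flagged > 0, flagged };
}

// Build check-run summary lines from the npm@6-style `advisories` map
// (keyed by advisory id) so reviewers can jump straight to each advisory.
function summarizeAdvisories(report, minSeverity) {
  const min = SEVERITIES.indexOf(String(minSeverity).toLowerCase());
  return Object.values(report.advisories || {})
    .filter((a) => SEVERITIES.indexOf(a.severity) >= min)
    .map((a) => `[${a.severity}] ${a.module_name}: ${a.title} (${a.url})`);
}

// Constructed sample report, trimmed to the fields used above.
const SAMPLE_REPORT = {
  advisories: {
    "1001": { module_name: "example-pad", severity: "moderate",
              title: "Constructed example: regular expression denial of service",
              url: "https://www.npmjs.com/advisories/PLACEHOLDER" },
    "1002": { module_name: "example-parser", severity: "high",
              title: "Constructed example: prototype pollution",
              url: "https://www.npmjs.com/advisories/PLACEHOLDER" },
  },
  metadata: { vulnerabilities: { info: 0, low: 2, moderate: 1, high: 1, critical: 0 } },
};

// Demo: gate on "high", the way a Critical-or-High policy would.
const verdict = severityGate(SAMPLE_REPORT, "high");
console.log(summarizeAdvisories(SAMPLE_REPORT, "high").join("\n"));
console.log(`${verdict.flagged} finding(s) at or above high: ${verdict.fail ? "FAIL" : "PASS"}`);
```

In CI you would feed the parsed output of npm audit --json --production into severityGate and exit non-zero when fail is true, which is the behaviour the scanner's failed check reproduces without a script of your own.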
Automatic fixes as pull requests 🤖
To get fixes for all vulnerabilities with a patch available, enable fixes by choosing how you want them applied. Fixes can be raised as a pull request or directly committed to the pushed branch.
Fix pull requests contain a summary and the full npm audit report for quick review. See all of the changes to package-lock.json for review and discussion.
If your CI builds are set up to run on feature branches, you'll see if any of the updates break your build.
If your CI doesn't build feature branches, feel free to use our npm Build skill that runs your chosen npm script on every push. It's a great way to test these fixes from
Stay safe 🔒
Making audits automatic and packaging up fixes in tidy pull requests make it easier to keep your codebase safer while staying sane. The npm Vulnerability Scanner is an easy way to do that without having to run anything yourself.