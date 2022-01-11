aud

Use `npx aud` instead of `npm audit`, whether you have a lockfile or not!

It's a great idea to run npm audit in CI; it ensures that you don't unknowingly have vulnerabilities in your dep graph.

Unfortunately, it doesn't work without a lockfile 😿 and only apps should have lockfiles. It also requires npm v6 or above.

Now, instead of `npm audit`, you can run `npx aud`! If your repo has a lockfile, it will just run `npm audit`; if it does not, it will use npm-lockfile to copy your package.json and your currently configured audit level (`npm config get audit-level`) to a temp dir that has the proper version of npm installed, it will use `npm install --package-lock-only` to create a temporary lockfile, and it will run `npm audit` there. On exit, all the temp dirs will get cleaned up.
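The same flow written out as an added POSIX sh example (this is not the aud project's own code); it assumes the locally installed npm is already v6 or newer and treats either package-lock.json or npm-shrinkwrap.json as the lockfile npm audit needs:

```shell
#!/bin/sh
# Added example: audit a project with or without a lockfile, mirroring
# what the text above describes. Assumes local npm >= 6 (aud itself
# provisions the right npm version in the temp dir; this example does not).

# has_lockfile DIR: succeeds when DIR contains a lockfile npm audit can read.
# Assumption: package-lock.json or npm-shrinkwrap.json count as lockfiles.
has_lockfile() {
  [ -f "$1/package-lock.json" ] || [ -f "$1/npm-shrinkwrap.json" ]
}

# audit_level_flag: turn the configured audit level into a CLI flag,
# or nothing when npm has no level set (it prints "null" or an empty string).
audit_level_flag() {
  level=$(npm config get audit-level 2>/dev/null)
  case "$level" in
    ""|null|undefined) ;;
    *) printf -- '--audit-level=%s' "$level" ;;
  esac
}

# audit_project [DIR]: run npm audit in place when a lockfile exists;
# otherwise build a throwaway lockfile in a temp dir and audit there.
audit_project() {
  dir=${1:-.}
  if has_lockfile "$dir"; then
    (cd "$dir" && npm audit $(audit_level_flag))
    return $?
  fi
  tmp=$(mktemp -d) || return 1
  # Clean up the temp dir whenever the script exits, even on Ctrl-C.
  trap 'rm -rf "$tmp"' EXIT INT TERM
  cp "$dir/package.json" "$tmp/" || return 1
  (
    cd "$tmp" &&
    # --package-lock-only resolves the dep graph without installing node_modules;
    # --no-audit keeps install from auditing before the lockfile is complete.
    npm install --package-lock-only --no-audit --ignore-scripts &&
    npm audit $(audit_level_flag)
  )
}

# Usage: . ./audit.sh && audit_project path/to/project
```

Run it with `audit_project .` from a project directory; the exit status is npm audit's, so it fails CI on findings at or above the configured level.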