Are your `npm audit` results overwhelming you? This library helps you resolve them step by step.
It can be really overwhelming to stare at an `npm audit` report with 50+ vulnerabilities. Where do you start?

npm-audit-helper helps answer that question by providing smaller sets of output and a few hints. Example output:

```text
found 155 vulnerabilities (60 low, 76 moderate, 18 high, 1 critical) in 22715 scanned packages
3 vulnerabilities require manual review. See the full report for details.

=== A little bit of help ===

Where to start:
- run `npm audit fix` to automatically fix 13 issues. These should all be non-breaking upgrades, so don't stress.
- Resolve the 3 high severity issues above and run this command again to move to the next severity.
- The most problematic dependency seems to be example-lib with 18 issues that need your attention.
```
All you need to do is run `npm audit --json` and pipe the output to `npm-audit-helper`. There are a few different installation options.

With npx, no installation needed:

```sh
npm audit --json | npx npm-audit-helper
```

With a global install:

```sh
npm install -g npm-audit-helper
npm audit --json | npm-audit-helper
```

As a dev dependency with an npm script:

(1) Install:

```sh
npm install --save-dev npm-audit-helper
```

(2) Create a task in `package.json`:

```json
{
  "scripts": {
    // ...
    "vuln": "npm audit --json | npm-audit-helper"
  }
}
```

(3) Run:

```sh
npm run vuln
```

This last approach is great for setting up a prepush hook with a tool like husky, because npm-audit-helper returns a non-zero exit code if vulnerabilities are found.
| Flag | Description | Default |
|---|---|---|
| `--exit-zero` | Return a zero exit code even when there are vulnerabilities. Useful while you're working your way down to 0 vulnerabilities. | `false` |
| `--prod-only` | Only available for npm < 7. Filter out vulnerability information for `devDependencies`. | `false` |

To filter out dev dependencies on npm 7+, pass the `--only=prod` option directly to npm:

```sh
npm audit --json --only=prod | npx npm-audit-helper
```
npm-audit-helper requires npm >= 6.1.0 because it relies on the `--json` option. Run `npm install -g npm` to upgrade.

npm-audit-helper won't work if it's piped invalid JSON, so check the output of `npm audit --json` if you have any trouble. A likely cause of invalid JSON is additional npm logging mixed into the output, so check the `loglevel` option in your `.npmrc` or `~/.npmrc` file.
## npm audit hints

- `npm audit` can ignore issues below a certain severity (but only for its exit code) if you set the `audit-level` option.
- `npm audit fix` can fix only production dependencies with `npm audit fix --only=prod`.
- `npm audit resolve` built into `npm`.
I wrote this library while helping my company migrate from using the Node Security Project, which will be decommissioned soon. I found that `npm audit` found many more vulnerabilities than our `nsp` output used to, which meant that I needed a little help to see which issues to focus on first.

License: MIT