blob: 3bb13259d7746ad86fc0d0abf9a634dccc86f4f8 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
|
npm-audit(1) -- Run a security audit
====================================
## SYNOPSIS
npm audit [--json]
npm audit fix [--force|--package-lock-only|--dry-run|--production|--only=dev]
## EXAMPLES
Scan your project for vulnerabilities and automatically install any compatible
updates to vulnerable dependencies:
```
$ npm audit fix
```
Run `audit fix` without modifying `node_modules`, but still updating the
pkglock:
```
$ npm audit fix --package-lock-only
```
Skip updating `devDependencies`:
```
$ npm audit fix --only=prod
```
Have `audit fix` install semver-major updates to toplevel dependencies, not just
semver-compatible ones:
```
$ npm audit fix --force
```
Do a dry run to get an idea of what `audit fix` will do, and _also_ output
install information in JSON format:
```
$ npm audit fix --dry-run --json
```
Scan your project for vulnerabilities and just show the details, without fixing
anything:
```
$ npm audit
```
Get the detailed audit report in JSON format:
```
$ npm audit --json
```
## DESCRIPTION
The audit command submits a description of the dependencies configured in
your project to your default registry and asks for a report of known
vulnerabilities. The report returned includes instructions on how to act on
this information.
You can also have npm automatically fix the vulnerabilities by running `npm
audit fix`. Note that some vulnerabilities cannot be fixed automatically and
will require manual intervention or review. Also note that since `npm audit fix`
runs a full-fledged `npm install` under the hood, all configs that apply to the
installer will also apply to `npm install` -- so things like `npm audit fix
--package-lock-only` will work as expected.
## CONTENT SUBMITTED
* npm_version
* node_version
* platform
* node_env
* A scrubbed version of your package-lock.json or npm-shrinkwrap.json
### SCRUBBING
In order to ensure that potentially sensitive information is not included in
the audit data bundle, some dependencies may have their names (and sometimes
versions) replaced with opaque non-reversible identifiers. It is done for
the following dependency types:
* Any module referencing a scope that is configured for a non-default
registry has its name scrubbed. (That is, a scope you did a `npm login --scope=@ourscope` for.)
* All git dependencies have their names and specifiers scrubbed.
* All remote tarball dependencies have their names and specifiers scrubbed.
* All local directory and tarball dependencies have their names and specifiers scrubbed.
The non-reversible identifiers are a sha256 of a session-specific UUID and the
value being replaced, ensuring a consistent value within the payload that is
different between runs.
## SEE ALSO
* npm-install(1)
* package-locks(5)
* config(7)
|
