Security Audits for Package Dependencies

Ardian Budi K
2 min read · Dec 19, 2023


Security audits help you protect your package’s users by enabling you to find and fix known vulnerabilities in dependencies that could cause data loss, service outages, unauthorized access to sensitive information, or other issues.

You only need to run npm audit to launch this security audit. The command is provided by npm (Node Package Manager) to help you identify and fix known security vulnerabilities in your Node.js project: it sends the dependency tree from your lockfile to the registry and compares it against the advisory database. It checks direct dependencies, devDependencies, bundledDependencies, and optionalDependencies, but does not check peerDependencies.

With npm audit you get a report of security vulnerabilities with the affected package name, vulnerability severity and description, the dependency path through which it is pulled in, and other information, plus, if available, commands to apply patches that resolve the vulnerabilities. For scripts and CI, npm audit --json prints the same report as JSON, and npm audit --audit-level=<severity> makes the command exit non-zero only when a vulnerability at that severity or higher is found.

(Image: example report from npm audit)

Suggested Updates

If updates for the affected packages are available, you can either:

  • Run the npm audit fix subcommand to automatically install compatible updates to vulnerable dependencies.
  • Run the recommended commands individually to install updates to vulnerable dependencies.

If the recommended action is a potential breaking change (a semantic-version major change), it is followed by a SEMVER WARNING that says "SEMVER WARNING: Recommended action is a potentially breaking change". npm audit fix skips such updates; installing them requires npm audit fix --force, so preview the result first with npm audit fix --dry-run. If the package with the vulnerability has changed its API, you may need to make additional changes to your package's code.

No Patches Are Available

If security vulnerabilities are found but no patches are available, you can:

  • Review the security advisory in the “More info” field for mitigating factors that may allow you to continue using the package with the vulnerability in limited cases.
  • Remove the package or its parent package from your project and look for alternatives.

No Vulnerabilities Found

This means that packages with known vulnerabilities were not found in your package dependency tree. Since the advisory database can be updated at any time, we recommend regularly running npm audit in your development workflow.
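The whole workflow above (reading the report, then sorting each finding into "npm audit fix can handle it", "fix is a breaking change", or "no patch available") as an added example that is not part of the original post and not npm's own code: a small Node script that triages an npm audit --json report (npm 7+, auditReportVersion 2) and reproduces the --audit-level exit-code rule so a CI job can fail the build. The report embedded in the script is constructed; the package names, advisory titles and example.invalid URLs are placeholders, not real advisories.

```javascript
// Added example for this post (not the author's code and not part of npm):
// triage an `npm audit --json` report offline. `sampleReport` is CONSTRUCTED
// to mirror the shape npm 7+ emits (auditReportVersion 2); the package names,
// advisory numbers, titles and URLs are placeholders, not real advisories.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// One advisory object as npm nests it under `via`. Every field is made up.
function placeholderAdvisory(name, severity, range) {
  return {
    source: 0, name, dependency: name,
    title: `Placeholder advisory for ${name}`,
    url: `https://example.invalid/advisories/${name}`,
    severity, cwe: [], cvss: { score: 0, vectorString: null }, range,
  };
}

const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    // Transitive package; the only fix is a semver-major bump of its parent.
    "sample-parser": {
      name: "sample-parser", severity: "high", isDirect: false,
      via: [placeholderAdvisory("sample-parser", "high", "<1.2.3")],
      effects: ["sample-server"], range: "<1.2.3",
      nodes: ["node_modules/sample-parser"],
      fixAvailable: { name: "sample-server", version: "3.0.0", isSemVerMajor: true },
    },
    // Direct dependency that is vulnerable only through sample-parser
    // (npm expresses that with a string entry in `via`).
    "sample-server": {
      name: "sample-server", severity: "high", isDirect: true,
      via: ["sample-parser"], effects: [], range: "<=2.9.9",
      nodes: ["node_modules/sample-server"],
      fixAvailable: { name: "sample-server", version: "3.0.0", isSemVerMajor: true },
    },
    // Direct dependency with no patched release at all.
    "sample-logger": {
      name: "sample-logger", severity: "moderate", isDirect: true,
      via: [placeholderAdvisory("sample-logger", "moderate", "*")],
      effects: [], range: "*", nodes: ["node_modules/sample-logger"],
      fixAvailable: false,
    },
    // Direct dependency that `npm audit fix` can update in place.
    "sample-util": {
      name: "sample-util", severity: "low", isDirect: true,
      via: [placeholderAdvisory("sample-util", "low", "<0.5.1")],
      effects: [], range: "<0.5.1", nodes: ["node_modules/sample-util"],
      fixAvailable: true,
    },
  },
  metadata: {
    vulnerabilities: { info: 0, low: 1, moderate: 1, high: 2, critical: 0, total: 4 },
    dependencies: { prod: 40, dev: 120, optional: 2, peer: 0, peerOptional: 0, total: 162 },
  },
};

// Sort each finding into the three situations the post describes.
function triage(report) {
  const buckets = { autoFix: [], breakingFix: [], noFix: [] };
  for (const v of Object.values(report.vulnerabilities)) {
    const fix = v.fixAvailable;
    // Advisory objects carry the "More info" URL; string entries only name
    // the vulnerable dependency that drags this package in.
    const advisories = v.via.filter((x) => typeof x === "object");
    const entry = {
      name: v.name, severity: v.severity, direct: v.isDirect,
      moreInfo: advisories.map((a) => a.url),
    };
    if (fix === false) buckets.noFix.push(entry);
    else if (fix !== true && fix.isSemVerMajor)
      buckets.breakingFix.push({ ...entry, update: `${fix.name}@${fix.version}` });
    else buckets.autoFix.push(entry);
  }
  return buckets;
}

// Mirror `npm audit --audit-level=<level>`: 1 when anything at or above the
// threshold is present, 0 otherwise, so a CI job can fail the build on it.
function auditExitCode(report, level) {
  const threshold = SEVERITY_RANK[level];
  const counts = report.metadata.vulnerabilities;
  const hits = Object.entries(SEVERITY_RANK)
    .filter(([, rank]) => rank >= threshold)
    .reduce((n, [sev]) => n + (counts[sev] || 0), 0);
  return hits > 0 ? 1 : 0;
}

// Demo on the constructed report. In a pipeline you would instead run
// `npm audit --json > audit.json` and JSON.parse that file.
const t = triage(sampleReport);
console.log("npm audit fix can handle:", t.autoFix.map((e) => e.name));
console.log("needs --force and code review:", t.breakingFix.map((e) => `${e.name} -> ${e.update}`));
console.log("no patch, read More info or replace:", t.noFix.map((e) => [e.name, ...e.moreInfo]));
console.log("exit code at --audit-level=high:", auditExitCode(sampleReport, "high"));
```

The three buckets map directly onto the post's sections: autoFix is what a plain npm audit fix resolves, breakingFix is what carries the SEMVER WARNING and needs --force plus a code review, and noFix is where the advisory's "More info" link or a replacement package is the only way forward. Running the gate function in CI with the level your team agreed on is the practical form of "regularly running npm audit".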

