Auditing package dependencies for security vulnerabilities | npm Docs (2024)

About security audits

A security audit is an assessment of package dependencies for security vulnerabilities. Security audits help you protect your package's users by enabling you to find and fix known vulnerabilities in dependencies that could cause data loss, service outages, unauthorized access to sensitive information, or other issues.

Running a security audit with npm audit

Note: The npm audit command is available in npm@6. To upgrade, run npm install npm@latest -g.

The npm audit command submits a description of the dependencies configured in your package to your default registry and asks for a report of known vulnerabilities. npm audit checks direct dependencies, devDependencies, bundledDependencies, and optionalDependencies, but does not check peerDependencies.

npm audit automatically runs when you install a package with npm install. You can also run npm audit manually on your locally installed packages to conduct a security audit of the package and produce a report of dependency vulnerabilities and, if available, suggested patches.

  1. On the command line, navigate to your package directory by typing cd path/to/your-package-name and pressing Enter.
  2. Ensure your package contains package.json and package-lock.json files.
  3. Type npm audit and press Enter.
  4. Review the audit report and run recommended commands or investigate further if needed.

Resolving EAUDITNOPJSON and EAUDITNOLOCK errors

npm audit requires packages to have package.json and package-lock.json files.

  • If you get an EAUDITNOPJSON error, create a package.json file by following the steps in "Creating a package.json file".
  • If you get an EAUDITNOLOCK error, make sure your package has a package.json file, then create the package lock file by running npm i --package-lock-only.

Reviewing and acting on the security audit report

Running npm audit will produce a report of security vulnerabilities with the affected package name, vulnerability severity and description, path, and other information, and, if available, commands to apply patches to resolve vulnerabilities. For more information on the fields in the audit report, see "About audit reports".

Security vulnerabilities found with suggested updates

If security vulnerabilities are found and updates are available, you can either:

  • Run the npm audit fix subcommand to automatically install compatible updates to vulnerable dependencies.
  • Run the recommended commands individually to install updates to vulnerable dependencies. (Some updates may be semver-breaking changes; for more information, see "SEMVER warnings".)

SEMVER warnings

If the recommended action is a potential breaking change (semantic version major change), it will be followed by a SEMVER WARNING that says "SEMVER WARNING: Recommended action is a potentially breaking change". If the package with the vulnerability has changed its API, you may need to make additional changes to your package's code.

Security vulnerabilities found requiring manual review

If security vulnerabilities are found, but no patches are available, the audit report will provide information about the vulnerability so you can investigate further.


To address the vulnerability, you can:

  • Check for mitigating factors
  • Update dependent packages if a fix exists
  • Fix the vulnerability
  • Open an issue in the package or dependent package issue tracker

Check for mitigating factors

Review the security advisory in the "More info" field for mitigating factors that may allow you to continue using the package with the vulnerability in limited cases. For example, the vulnerability may only exist when the code is used on specific operating systems, or when a specific function is called.

Update dependent packages if a fix exists

If a fix exists but packages that depend on the package with the vulnerability have not been updated to include the fixed version, you may want to open a pull or merge request on the dependent package repository to use the fixed version.

  1. To find the package that must be updated, check the "Path" field for the location of the package with the vulnerability, then check for the package that depends on it. For example, if the path to the vulnerability is @package-name > dependent-package > package-with-vulnerability, you will need to update dependent-package.
  2. On the npm public registry, find the dependent package and navigate to its repository. For more information on finding packages, see "Searching for and choosing packages to download".
  3. In the dependent package repository, open a pull or merge request to update the version of the vulnerable package to a version with a fix.
  4. Once the pull or merge request is merged and the package has been updated in the npm public registry, update your copy of the package with npm update.

Fix the vulnerability

If a fix does not exist, you may want to suggest changes that address the vulnerability to the package maintainer in a pull or merge request on the package repository.

  1. Check the "Path" field for the location of the vulnerability.
  2. On the npm public registry, find the package with the vulnerability. For more information on finding packages, see "Searching for and choosing packages to download".
  3. In the package repository, open a pull or merge request to make the fix on the package repository.
  4. Once the fix is merged and the package has been updated in the npm public registry, update your copy of the package that depends on the package with the fix.

Open an issue in the package or dependent package issue tracker

If you do not want to fix the vulnerability or update the dependent package yourself, open an issue in the package or dependent package issue tracker.

  1. On the npm public registry, find the package with the vulnerability or the dependent package that needs an update. For more information on finding packages, see "Searching for and choosing packages to download".
  2. In the package or dependent package issue tracker, open an issue and include information from the audit report, including the vulnerability report from the "More info" field.

No security vulnerabilities found

If no security vulnerabilities are found, this means that packages with known vulnerabilities were not found in your package dependency tree. Since the advisory database can be updated at any time, we recommend regularly running npm audit manually, or adding npm audit to your continuous integration process.


Turning off npm audit on package installation

Installing a single package

To turn off npm audit when installing a single package, use the --no-audit flag:

npm install example-package-name --no-audit

For more information, see the npm-install command.

Installing all packages

To turn off npm audit when installing all packages, set the audit setting to false in your user and global npmrc config files:

npm set audit false

For more information, see the npm-config management command and the npm-config audit setting.


FAQs

Which is the easiest way to audit the packages your project depends on for known vulnerabilities?

The npm audit command can evaluate each version of the dependencies against known vulnerable versions to determine whether the current dependencies used within the project are vulnerable. It also allows you to fix most findings from the npm audit command automatically.

How to check npm package vulnerabilities?

Running a security audit with npm audit
  1. On the command line, navigate to your package directory by typing cd path/to/your-package-name and pressing Enter.
  2. Ensure your package contains package. ...
  3. Type npm audit and press Enter.
  4. Review the audit report and run recommended commands or investigate further if needed.

Is it safe to run npm audit fix --force?

As suggested, npm audit fix --force will upgrade dependencies with issues to a major version. Hence, this may cause breaking changes in the code. Therefore, it is not advisable to apply this command without taking a closer look. Try running the npm update command.

How do you ensure that your dependencies are safe?

Scan your dependencies regularly

One of the first steps to secure your web application dependencies is to scan them regularly for known vulnerabilities and issues. You can use tools like npm audit, Snyk, or Dependabot to automate this process and alert you of any problems.

What is the best approach to vulnerability management?

Vulnerability management best practices and recommendations: the essential vulnerability management best practices that every organization should start with are discover, prioritize, remediate, validate, report. Establish a vulnerability management program and put it into use.

How to resolve dependency issues in npm?

Keep dependencies updated: periodically run npm outdated or yarn outdated to check for updates. Use npm update or yarn upgrade to update dependencies. Use npm-check-updates to see which dependencies have updates available and update package.

How to fix security vulnerabilities in npm?

To mitigate vulnerabilities related to targeted attacks in npm:
  1. Use npm audit to scan your project for known vulnerabilities and take action to fix them.
  2. Use a security scanner or other tool to regularly check your project dependencies for known vulnerabilities.

What is the main difference between npm audit and npm audit fix?

The npm audit signatures command verifies the registry signatures of the packages you have downloaded. The npm audit fix command attempts to automatically fix any vulnerabilities detected in the project and its dependencies.

What are vulnerabilities from dependencies?

The vulnerable dependency is found during one of the following situations, in which the provider is not aware of the vulnerability: via the discovery of a full disclosure post on the Internet, or during a penetration test.

How to check dependencies in npm?

Just write npm ls packageName and you'll see a set of files that are dependent on the package. You can also use npm explain packageName to understand why a specific package is needed and if it depends on any other package in your project.

What is the alternative to npm audit?

Use npx aud instead of npm audit, whether you have a lockfile or not! It's a great idea to run npm audit in CI; it ensures that you don't unknowingly have vulnerabilities in your dep graph. Unfortunately, it doesn't work without a lockfile 😿 and only apps should have lockfiles. It also requires npm v6 or above.

How to update dependencies using npm?

To update a specific dependency, you can use the command "npm update package-name", where package-name is the name of the dependency you want to update. To update all the dependencies in your package.json file to their latest versions, you can use the command "npm update".

How to check integrity of npm package?

To ensure the integrity of packages you download from the public npm registry, or any registry that supports signatures, you can verify the registry signatures of downloaded packages using the npm CLI.

What are the risks of npm?

Nonetheless, this convenience doesn't come without its share of security concerns. There's an escalating trend of malicious actors targeting npm packages, posing a threat to software project integrity and potentially exposing user data to compromise.

In which approach is a scan performed to detect known vulnerabilities in a system?

A vulnerability scan is an automated, high-level test that looks for and reports potential known vulnerabilities. For example, some vulnerability scans are able to identify over 50,000 unique external and/or internal weaknesses (i.e., different ways or methods that hackers can exploit your network).

Which type of tool can be used to detect vulnerabilities?

A vulnerability scanner enables organizations to monitor their networks, systems, and applications for security vulnerabilities. Most security teams utilize vulnerability scanners to bring to light security vulnerabilities in their computer systems, networks, applications and procedures.

What tool can be used to look for vulnerabilities in a system?

Aircrack is a vulnerability detection tool that is popularly used to assess Wi-Fi network security. Aircrack tools are used in the network auditing process as well. The Aircrack tool supports multiple operating systems such as Solaris, NetBSD, Windows, and more.

What are the methods of identifying vulnerabilities in software?

Penetration testing

It involves authorised users (sometimes an external party or organisation) who probe the network for potential weaknesses and attempt to exploit them.
