---
section: cli-commands
title: npm-audit
description: Run a security audit
---

# npm-audit(1)

## Run a security audit

### Synopsis

```bash
npm audit [--json|--parseable|--audit-level=(low|moderate|high|critical)]
npm audit fix [--force|--package-lock-only|--dry-run]

common options: [--production] [--only=(dev|prod)]
```

### Examples

Scan your project for vulnerabilities and automatically install any compatible updates to vulnerable dependencies:
```bash
$ npm audit fix
```

Run `audit fix` without modifying `node_modules`, but still updating the package lock:
```bash
$ npm audit fix --package-lock-only
```

Skip updating `devDependencies`:
```bash
$ npm audit fix --only=prod
```

Have `audit fix` install semver-major updates to toplevel dependencies, not just semver-compatible ones. Because semver-major updates can carry breaking changes, review the resulting `package.json` changes and run your tests afterwards:
```bash
$ npm audit fix --force
```

Do a dry run to get an idea of what `audit fix` will do, and _also_ output install information in JSON format:
```bash
$ npm audit fix --dry-run --json
```

Scan your project for vulnerabilities and just show the details, without fixing anything:
```bash
$ npm audit
```

Get the detailed audit report in JSON format:
```bash
$ npm audit --json
```

Get the detailed audit report as plain text with tab-separated columns, suitable for scripting or command-line post-processing, for example selecting some of the columns printed:
```bash
$ npm audit --parseable
```

To parse the columns you can use, for example, `awk`, and print only some of them:
```bash
$ npm audit --parseable | awk -F $'\t' '{print $1,$4}'
```

Fail an audit only if the results include a vulnerability with a level of moderate or higher:
```bash
$ npm audit --audit-level=moderate
```

### Description

The audit command submits a description of the dependencies configured in your project to your default registry and asks for a report of known vulnerabilities. The report returned includes instructions on how to act on this information. The command exits with a 0 exit code if no vulnerabilities were found.

You can also have npm automatically fix the vulnerabilities by running `npm audit fix`. Note that some vulnerabilities cannot be fixed automatically and will require manual intervention or review. Also note that since `npm audit fix` runs a full-fledged `npm install` under the hood, all configs that apply to the installer also apply to `npm audit fix`, so options such as `npm audit fix --package-lock-only` work as expected.

By default, the audit command exits with a non-zero code if any vulnerability is found. In CI environments it may be useful to pass the `--audit-level` parameter to specify the minimum vulnerability level that causes the command to fail. This option does not filter the report output; it only changes the command's failure threshold, so lower-severity findings are still printed.

### Content Submitted

* npm_version
* node_version
* platform
* node_env
* A scrubbed version of your package-lock.json or npm-shrinkwrap.json

#### Scrubbing

To ensure that potentially sensitive information is not included in the audit data bundle, some dependencies have their names (and sometimes versions) replaced with opaque, non-reversible identifiers. This is done for the following dependency types:

* Any module referencing a scope that is configured for a non-default registry has its name scrubbed. (That is, a scope you did a `npm login --scope=@ourscope` for.)
* All git dependencies have their names and specifiers scrubbed.
* All remote tarball dependencies have their names and specifiers scrubbed.
* All local directory and tarball dependencies have their names and specifiers scrubbed.

The non-reversible identifiers are a sha256 of a session-specific UUID and the value being replaced, ensuring a value that is consistent within one payload but differs between runs.

### Exit Code

The `npm audit` command exits with a 0 exit code if no vulnerabilities were found.

If vulnerabilities were found, the exit code depends on the `audit-level` configuration setting: findings below the configured level are still reported but do not by themselves cause a non-zero exit.

### See Also

* [npm install](/cli-commands/npm-install)
* [package-locks](/configuring-npm/package-locks)
* [config](/using-npm/config)