mirror of
https://github.com/titanscouting/tra-analysis.git
synced 2024-11-13 22:56:18 +00:00
152 lines
3.5 KiB
Groff
152 lines
3.5 KiB
Groff
|
.TH "NPM\-AUDIT" "1" "December 2018" "" ""
|
||
|
.SH "NAME"
|
||
|
\fBnpm-audit\fR \- Run a security audit
|
||
|
.SH SYNOPSIS
|
||
|
.P
|
||
|
.RS 2
|
||
|
.nf
|
||
|
npm audit [\-\-json|\-\-parseable]
|
||
|
npm audit fix [\-\-force|\-\-package\-lock\-only|\-\-dry\-run|\-\-production|\-\-only=dev]
|
||
|
.fi
|
||
|
.RE
|
||
|
.SH EXAMPLES
|
||
|
.P
|
||
|
Scan your project for vulnerabilities and automatically install any compatible
|
||
|
updates to vulnerable dependencies:
|
||
|
.P
|
||
|
.RS 2
|
||
|
.nf
|
||
|
$ npm audit fix
|
||
|
.fi
|
||
|
.RE
|
||
|
.P
|
||
|
Run \fBaudit fix\fP without modifying \fBnode_modules\fP, but still updating the
|
||
|
pkglock:
|
||
|
.P
|
||
|
.RS 2
|
||
|
.nf
|
||
|
$ npm audit fix \-\-package\-lock\-only
|
||
|
.fi
|
||
|
.RE
|
||
|
.P
|
||
|
Skip updating \fBdevDependencies\fP:
|
||
|
.P
|
||
|
.RS 2
|
||
|
.nf
|
||
|
$ npm audit fix \-\-only=prod
|
||
|
.fi
|
||
|
.RE
|
||
|
.P
|
||
|
Have \fBaudit fix\fP install semver\-major updates to toplevel dependencies, not just
|
||
|
semver\-compatible ones:
|
||
|
.P
|
||
|
.RS 2
|
||
|
.nf
|
||
|
$ npm audit fix \-\-force
|
||
|
.fi
|
||
|
.RE
|
||
|
.P
|
||
|
Do a dry run to get an idea of what \fBaudit fix\fP will do, and \fIalso\fR output
|
||
|
install information in JSON format:
|
||
|
.P
|
||
|
.RS 2
|
||
|
.nf
|
||
|
$ npm audit fix \-\-dry\-run \-\-json
|
||
|
.fi
|
||
|
.RE
|
||
|
.P
|
||
|
Scan your project for vulnerabilities and just show the details, without fixing
|
||
|
anything:
|
||
|
.P
|
||
|
.RS 2
|
||
|
.nf
|
||
|
$ npm audit
|
||
|
.fi
|
||
|
.RE
|
||
|
.P
|
||
|
Get the detailed audit report in JSON format:
|
||
|
.P
|
||
|
.RS 2
|
||
|
.nf
|
||
|
$ npm audit \-\-json
|
||
|
.fi
|
||
|
.RE
|
||
|
.P
|
||
|
Get the detailed audit report in plain text result, separated by tab characters, allowing for
|
||
|
future reuse in scripting or command line post processing, like for example, selecting
|
||
|
some of the columns printed:
|
||
|
.P
|
||
|
.RS 2
|
||
|
.nf
|
||
|
$ npm audit \-\-parseable
|
||
|
.fi
|
||
|
.RE
|
||
|
.P
|
||
|
To parse columns, you can use for example \fBawk\fP, and just print some of them:
|
||
|
.P
|
||
|
.RS 2
|
||
|
.nf
|
||
|
$ npm audit \-\-parseable | awk \-F $'\\t' '{print $1,$4}'
|
||
|
.fi
|
||
|
.RE
|
||
|
.SH DESCRIPTION
|
||
|
.P
|
||
|
The audit command submits a description of the dependencies configured in
|
||
|
your project to your default registry and asks for a report of known
|
||
|
vulnerabilities\. The report returned includes instructions on how to act on
|
||
|
this information\.
|
||
|
.P
|
||
|
You can also have npm automatically fix the vulnerabilities by running \fBnpm
|
||
|
audit fix\fP\|\. Note that some vulnerabilities cannot be fixed automatically and
|
||
|
will require manual intervention or review\. Also note that since \fBnpm audit fix\fP
|
||
|
runs a full\-fledged \fBnpm install\fP under the hood, all configs that apply to the
|
||
|
installer will also apply to \fBnpm install\fP \-\- so things like \fBnpm audit fix
|
||
|
\-\-package\-lock\-only\fP will work as expected\.
|
||
|
.SH CONTENT SUBMITTED
|
||
|
.RS 0
|
||
|
.IP \(bu 2
|
||
|
npm_version
|
||
|
.IP \(bu 2
|
||
|
node_version
|
||
|
.IP \(bu 2
|
||
|
platform
|
||
|
.IP \(bu 2
|
||
|
node_env
|
||
|
.IP \(bu 2
|
||
|
A scrubbed version of your package\-lock\.json or npm\-shrinkwrap\.json
|
||
|
|
||
|
.RE
|
||
|
.SS SCRUBBING
|
||
|
.P
|
||
|
In order to ensure that potentially sensitive information is not included in
|
||
|
the audit data bundle, some dependencies may have their names (and sometimes
|
||
|
versions) replaced with opaque non\-reversible identifiers\. It is done for
|
||
|
the following dependency types:
|
||
|
.RS 0
|
||
|
.IP \(bu 2
|
||
|
Any module referencing a scope that is configured for a non\-default
|
||
|
registry has its name scrubbed\. (That is, a scope you did a \fBnpm login \-\-scope=@ourscope\fP for\.)
|
||
|
.IP \(bu 2
|
||
|
All git dependencies have their names and specifiers scrubbed\.
|
||
|
.IP \(bu 2
|
||
|
All remote tarball dependencies have their names and specifiers scrubbed\.
|
||
|
.IP \(bu 2
|
||
|
All local directory and tarball dependencies have their names and specifiers scrubbed\.
|
||
|
|
||
|
.RE
|
||
|
.P
|
||
|
The non\-reversible identifiers are a sha256 of a session\-specific UUID and the
|
||
|
value being replaced, ensuring a consistent value within the payload that is
|
||
|
different between runs\.
|
||
|
.SH SEE ALSO
|
||
|
.RS 0
|
||
|
.IP \(bu 2
|
||
|
npm help install
|
||
|
.IP \(bu 2
|
||
|
npm help 5 package\-locks
|
||
|
.IP \(bu 2
|
||
|
npm help 7 config
|
||
|
|
||
|
.RE
|
||
|
|