tra-analysis/website/node_modules/npm/man/man1/npm-audit.1
2019-01-06 13:14:45 -06:00

152 lines
3.5 KiB
Groff

.TH "NPM\-AUDIT" "1" "December 2018" "" ""
.SH "NAME"
\fBnpm-audit\fR \- Run a security audit
.SH SYNOPSIS
.P
.RS 2
.nf
npm audit [\-\-json|\-\-parseable]
npm audit fix [\-\-force|\-\-package\-lock\-only|\-\-dry\-run|\-\-production|\-\-only=dev]
.fi
.RE
.SH EXAMPLES
.P
Scan your project for vulnerabilities and automatically install any compatible
updates to vulnerable dependencies:
.P
.RS 2
.nf
$ npm audit fix
.fi
.RE
.P
Run \fBaudit fix\fP without modifying \fBnode_modules\fP, but still updating the
pkglock:
.P
.RS 2
.nf
$ npm audit fix \-\-package\-lock\-only
.fi
.RE
.P
Skip updating \fBdevDependencies\fP:
.P
.RS 2
.nf
$ npm audit fix \-\-only=prod
.fi
.RE
.P
Have \fBaudit fix\fP install semver\-major updates to toplevel dependencies, not just
semver\-compatible ones:
.P
.RS 2
.nf
$ npm audit fix \-\-force
.fi
.RE
.P
Do a dry run to get an idea of what \fBaudit fix\fP will do, and \fIalso\fR output
install information in JSON format:
.P
.RS 2
.nf
$ npm audit fix \-\-dry\-run \-\-json
.fi
.RE
.P
Scan your project for vulnerabilities and just show the details, without fixing
anything:
.P
.RS 2
.nf
$ npm audit
.fi
.RE
.P
Get the detailed audit report in JSON format:
.P
.RS 2
.nf
$ npm audit \-\-json
.fi
.RE
.P
Get the detailed audit report in plain text result, separated by tab characters, allowing for
future reuse in scripting or command line post processing, like for example, selecting
some of the columns printed:
.P
.RS 2
.nf
$ npm audit \-\-parseable
.fi
.RE
.P
To parse columns, you can use for example \fBawk\fP, and just print some of them:
.P
.RS 2
.nf
$ npm audit \-\-parseable | awk \-F $'\\t' '{print $1,$4}'
.fi
.RE
.SH DESCRIPTION
.P
The audit command submits a description of the dependencies configured in
your project to your default registry and asks for a report of known
vulnerabilities\. The report returned includes instructions on how to act on
this information\.
.P
You can also have npm automatically fix the vulnerabilities by running \fBnpm
audit fix\fP\|\. Note that some vulnerabilities cannot be fixed automatically and
will require manual intervention or review\. Also note that since \fBnpm audit fix\fP
runs a full\-fledged \fBnpm install\fP under the hood, all configs that apply to the
installer will also apply to \fBnpm install\fP \-\- so things like \fBnpm audit fix
\-\-package\-lock\-only\fP will work as expected\.
.SH CONTENT SUBMITTED
.RS 0
.IP \(bu 2
npm_version
.IP \(bu 2
node_version
.IP \(bu 2
platform
.IP \(bu 2
node_env
.IP \(bu 2
A scrubbed version of your package\-lock\.json or npm\-shrinkwrap\.json
.RE
.SS SCRUBBING
.P
In order to ensure that potentially sensitive information is not included in
the audit data bundle, some dependencies may have their names (and sometimes
versions) replaced with opaque non\-reversible identifiers\. It is done for
the following dependency types:
.RS 0
.IP \(bu 2
Any module referencing a scope that is configured for a non\-default
registry has its name scrubbed\. (That is, a scope you did a \fBnpm login \-\-scope=@ourscope\fP for\.)
.IP \(bu 2
All git dependencies have their names and specifiers scrubbed\.
.IP \(bu 2
All remote tarball dependencies have their names and specifiers scrubbed\.
.IP \(bu 2
All local directory and tarball dependencies have their names and specifiers scrubbed\.
.RE
.P
The non\-reversible identifiers are a sha256 of a session\-specific UUID and the
value being replaced, ensuring a consistent value within the payload that is
different between runs\.
.SH SEE ALSO
.RS 0
.IP \(bu 2
npm help install
.IP \(bu 2
npm help 5 package\-locks
.IP \(bu 2
npm help 7 config
.RE