mirror of
https://github.com/titanscouting/tra-analysis.git
synced 2024-11-14 15:16:18 +00:00
107 lines
3.1 KiB
Markdown
107 lines
3.1 KiB
Markdown
npm-audit(1) -- Run a security audit
|
|
====================================
|
|
|
|
## SYNOPSIS
|
|
|
|
npm audit [--json|--parseable]
|
|
npm audit fix [--force|--package-lock-only|--dry-run|--production|--only=dev]
|
|
|
|
## EXAMPLES
|
|
|
|
Scan your project for vulnerabilities and automatically install any compatible
|
|
updates to vulnerable dependencies:
|
|
```
|
|
$ npm audit fix
|
|
```
|
|
|
|
Run `audit fix` without modifying `node_modules`, but still updating the
|
|
pkglock:
|
|
```
|
|
$ npm audit fix --package-lock-only
|
|
```
|
|
|
|
Skip updating `devDependencies`:
|
|
```
|
|
$ npm audit fix --only=prod
|
|
```
|
|
|
|
Have `audit fix` install semver-major updates to toplevel dependencies, not just
|
|
semver-compatible ones:
|
|
```
|
|
$ npm audit fix --force
|
|
```
|
|
|
|
Do a dry run to get an idea of what `audit fix` will do, and _also_ output
|
|
install information in JSON format:
|
|
```
|
|
$ npm audit fix --dry-run --json
|
|
```
|
|
|
|
Scan your project for vulnerabilities and just show the details, without fixing
|
|
anything:
|
|
```
|
|
$ npm audit
|
|
```
|
|
|
|
Get the detailed audit report in JSON format:
|
|
```
|
|
$ npm audit --json
|
|
```
|
|
|
|
Get the detailed audit report in plain text result, separated by tab characters, allowing for
|
|
future reuse in scripting or command line post processing, like for example, selecting
|
|
some of the columns printed:
|
|
```
|
|
$ npm audit --parseable
|
|
```
|
|
|
|
To parse columns, you can use for example `awk`, and just print some of them:
|
|
```
|
|
$ npm audit --parseable | awk -F $'\t' '{print $1,$4}'
|
|
```
|
|
|
|
## DESCRIPTION
|
|
|
|
The audit command submits a description of the dependencies configured in
|
|
your project to your default registry and asks for a report of known
|
|
vulnerabilities. The report returned includes instructions on how to act on
|
|
this information.
|
|
|
|
You can also have npm automatically fix the vulnerabilities by running `npm
|
|
audit fix`. Note that some vulnerabilities cannot be fixed automatically and
|
|
will require manual intervention or review. Also note that since `npm audit fix`
|
|
runs a full-fledged `npm install` under the hood, all configs that apply to the
|
|
installer will also apply to `npm install` -- so things like `npm audit fix
|
|
--package-lock-only` will work as expected.
|
|
|
|
## CONTENT SUBMITTED
|
|
|
|
* npm_version
|
|
* node_version
|
|
* platform
|
|
* node_env
|
|
* A scrubbed version of your package-lock.json or npm-shrinkwrap.json
|
|
|
|
### SCRUBBING
|
|
|
|
In order to ensure that potentially sensitive information is not included in
|
|
the audit data bundle, some dependencies may have their names (and sometimes
|
|
versions) replaced with opaque non-reversible identifiers. It is done for
|
|
the following dependency types:
|
|
|
|
* Any module referencing a scope that is configured for a non-default
|
|
registry has its name scrubbed. (That is, a scope you did a `npm login --scope=@ourscope` for.)
|
|
* All git dependencies have their names and specifiers scrubbed.
|
|
* All remote tarball dependencies have their names and specifiers scrubbed.
|
|
* All local directory and tarball dependencies have their names and specifiers scrubbed.
|
|
|
|
The non-reversible identifiers are a sha256 of a session-specific UUID and the
|
|
value being replaced, ensuring a consistent value within the payload that is
|
|
different between runs.
|
|
|
|
## SEE ALSO
|
|
|
|
* npm-install(1)
|
|
* package-locks(5)
|
|
* config(7)
|