npm audit

The audit command submits a description of the dependencies configured in your project to your default registry and asks for a report of known vulnerabilities.

Version

The npm version depends on the Node.js version.

Runtime

Node.js Versions

Supported Languages

JavaScript

Official Documentation

https://docs.npmjs.com/cli/test

YAML Configuration

npm-audit:

  • input:

    Patterns to include in execution and reports.

    Note: Inspecode runs npm audit for each Node.js project and the input patterns are used for selecting Node.js projects containing input files. Therefore, the files excluded by the patterns are processed if they are contained in Node.js projects that also contain input files, and you may even see logs related to the excluded files in the job console.

  • ignore:

    Patterns to exclude from execution and reports.

    Note: Just like input:, the ignore patterns may not be applied completely when running npm audit.

  • auto-fix:

    true/false

  • config-file:

    N/A

  • options:

    "--force":             Have audit fix install semver-major updates to top-level dependencies,
                           not just semver-compatible ones.
    "--package-lock-only": Run audit fix without modifying node_modules, but still update the package-lock.
    "--production":        Skip updating devDependencies.
    "--only":              Select updating only dev|prod dependencies.
    
  • machine:

    • cpu:

      Amount of CPU. The default machine has 0.75 CPU with 2880 MiB RAM.

  • thresholds:

    • num-issues:

      Refer to Configuration > Tool Configuration > Field: thresholds.

      In addition to general severity levels, the following tool specific severity levels can be specified:

      • high (equivalent to general severity level error)
      • moderate (equivalent to general severity level warning)
      • low (equivalent to general severity level info)

  • experimental:

    • incremental:

      N/A

      Note: The incremental analysis cannot be supported for npm audit.

YAML Examples

  • With default options:

    inspecode:
      npm-audit: default
    
  • With custom machine:

    inspecode:
      npm-audit:
        machine:
          cpu: 1.5 # 1.5 CPU, 5760 MiB RAM
    
  • With custom options:

    inspecode:
      npm-audit:
        auto-fix: true
        options:
          --only: prod
    
