Comprehensive Guide to npm-audit, npm-bin, and npm-bugs Commands
In the previous tutorial we looked at the npm-adduser and npm-access CLI options. This tutorial examines the workings of the npm-audit, npm-bin and npm-bugs CLI options.
npm-audit
The npm-audit command runs a security audit for a project or package.
Synopsis
npm audit [--json|--parseable]
npm audit fix [--force|--package-lock-only|--dry-run|--production|--only=dev]
Example
To scan your project for vulnerabilities and install any compatible updates to vulnerable dependencies, run the command below:
$ npm audit fix
If you want to run audit fix without modifying the node_modules folder, but still update package-lock.json, run the command below:
$ npm audit fix --package-lock-only
To skip the update of devDependencies:
$ npm audit fix --only=prod
To have audit fix install semver-major updates to top-level dependencies, not just semver-compatible ones, run:
$ npm audit fix --force
If you want to perform a dry run to get an idea of what audit fix will do, and output the install information in JSON format as well, run:
$ npm audit fix --dry-run --json
If you want to scan your project for vulnerabilities, showing the details but not fixing anything, run:
$ npm audit
To get a detailed audit report in JSON format, run:
$ npm audit --json
To get a detailed audit report in plain text, separated by tab characters, which can be reused for scripting and command-line post-processing, such as selecting some of the printed columns, run:
$ npm audit --parseable
Finally, to parse the columns you can use awk, for example, and print only some of them:
$ npm audit --parseable | awk -F $'\t' '{print $1,$4}'
Description
The audit command will submit a description of the dependencies configured in your project to your default registry and will ask for a report of known vulnerabilities. The report returned usually includes instructions on how to act on this information.
You can also have npm fix the vulnerabilities automatically by running npm audit fix. Note that not all vulnerabilities can be fixed automatically; some will require manual intervention or review. Since npm audit fix runs a full-fledged npm install under the hood, all configs that apply to the installer also apply here, so things like npm audit fix --package-lock-only work as expected.
CONTENT SUBMITTED
- npm_version
- node_version
- platform
- node_env
- A scrubbed version of npm-shrinkwrap.json or your package-lock.json
SCRUBBING
In order to ensure that potentially sensitive information will not be included in the audit data bundle, some dependencies might have their names (and sometimes versions) replaced with opaque non-reversible identifiers. This is done for the following dependency types:
- Any module referencing a scope that was configured for a non-default registry has its name scrubbed. (That is, a scope you ran npm login --scope=@ourscope for.)
- All git dependencies will have their names and specifiers scrubbed.
- All remote tarball dependencies will have their names and specifiers scrubbed.
- All local directory and tarball dependencies will have their names and specifiers scrubbed.
The non-reversible identifiers are usually a sha256 of a session-specific UUID and the value that is being replaced, ensuring a consistent value within the payload that will be different between runs.
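The scrubbing rules above, as an added illustration that is not npm's own code: the four dependency types are detected from a constructed package-lock v1 fragment and replaced with sha256 tokens keyed by a session UUID. The exact hash input (UUID followed by the replaced value), the lockfile shape and the @acme scope are assumptions.

```python
import hashlib
import json
import uuid

# Constructed package-lock v1 "dependencies" fragment (sample data, not a real project)
LOCK = {
    "lodash": {"version": "4.17.21"},
    "@acme/internal": {"version": "2.0.1"},
    "git-dep": {"version": "git+https://github.com/example/git-dep.git#0123abcd"},
    "tarball-dep": {"version": "https://cdn.example.com/tarball-dep-1.0.0.tgz"},
    "local-dep": {"version": "file:../local-dep"},
}


def scrub_token(session_id, value):
    # One session UUID per audit run: identical values map to identical tokens
    # within a payload, but the same value gets a different token on the next run.
    # Hash input order (UUID then value) is an assumption, not npm's documented layout.
    return hashlib.sha256((session_id + value).encode()).hexdigest()


def needs_scrub(name, spec, private_scopes):
    # package-lock v1 keeps non-registry specifiers in the "version" field.
    if spec.startswith(("git+", "git://", "github:")):
        return True  # git dependency
    if spec.startswith(("http://", "https://")):
        return True  # remote tarball
    if spec.startswith("file:"):
        return True  # local directory or tarball
    scope = name.split("/")[0] if name.startswith("@") else None
    return scope in private_scopes  # scope configured for a non-default registry


def scrub_dependencies(deps, private_scopes, session_id=None):
    """Return a copy of deps with sensitive entries replaced by opaque tokens."""
    session_id = session_id or str(uuid.uuid4())
    scrubbed = {}
    for name, entry in deps.items():
        spec = entry.get("version", "")
        if needs_scrub(name, spec, private_scopes):
            scrubbed[scrub_token(session_id, name)] = {
                "version": scrub_token(session_id, spec)
            }
        else:
            scrubbed[name] = dict(entry)  # public registry dependency stays readable
    return scrubbed


if __name__ == "__main__":
    # @acme is assumed to be a scope you ran `npm login --scope=@acme` for
    print(json.dumps(scrub_dependencies(LOCK, {"@acme"}), indent=2))
```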
npm-bin
This command displays the bin folder.
Synopsis
npm bin [-g|--global]
Description
This command will print the folder where npm will install executables.
npm-bugs
This CLI option shows where bugs for a package are tracked.
Synopsis
npm bugs [<pkgname>]
aliases: issues
Description
This command tries to guess the likely location of a package's bug tracker URL, and then opens it using the --browser config param. If you don't provide a package name, it looks for a package.json in the current folder and uses its name property.
Configuration
browser
- Default: OS X: "open", Windows: "start", Others: "xdg-open"
- Type: String
This is the browser that is called by the npm bugs command to open websites.
registry
- Default: https://registry.npmjs.org/
- Type: url
This is the base URL of the npm package registry.