npm Blog (Archive)

The npm blog has been discontinued.

Updates from the npm team are now published on the GitHub Blog and the GitHub Changelog.

`npm audit`: identify and fix insecure dependencies

Last month, we announced npm@6, which includes a powerful new tool to protect the safety of your code, npm audit. Together with new automatic alerts when a user installs code with a known security risk, audit is a dramatic step to ensure the quality and integrity of the code you use, and protect the world’s largest community of open source software developers.

Read on to learn more about audit and how we’re working to help you develop with confidence.

What is npm audit?

npm audit is a new command that performs a moment-in-time security review of your project’s dependency tree. Audit reports contain information about security vulnerabilities in your dependencies and can help you fix a vulnerability by providing simple-to-run npm commands and recommendations for further troubleshooting.

You can start using npm audit right now by updating to the latest version of npm. Just type npm install npm -g.

Here is an example of running npm audit against your-fantastic-app:

cd your-fantastic-app
npm audit

The results should look like this:

We’ve also built in a summary security report into npm install if vulnerabilities are found during installation:

Or when no vulnerabilities are found:

You can learn more about how to run a security audit on the npm documentation site

What if I’m using a previous version of npm?

npm audit is available in npm@5.10.0 and npm@6. Prior versions of npm will receive vulnerability messages similar to the following:

npm-notice: [SECURITY] marked has 3 high, and 2 moderate vulnerabilities. Go here for more details: [https://nodesecurity.io/advisories?search=marked&version=0.3.0](https://nodesecurity.io/advisories?search=marked&version=0.3.0) - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.

We’re not aware of any third-party registry clients that currently support displaying the npm-notify header, so users of these tools will not receive vulnerability messages. For maximum protection against unsafe code, all users should use npm@6.

How does this impact the JavaScript ecosystem?

In the short term, these new alerts and npm audit will raise developers’ awareness of known security vulnerabilities within their applications.They also provide actionable guidance to eliminate the identified risks.

In the longer term, prominent vulnerability warnings and actionable security alerts will raise the floor for everyone. When a developer of a popular package notices they have been bringing in a vulnerable dependency and switches to using a fixed version, instead, every package that depends upon this popular package will now grow safer, too. Everyone stands to benefit from this network effect.

What’s next?

Security is a process, not a project—it’s never done. We will continue to work to improve the security of the npm Registry and the code you write, and we’re excited by what’s in the works in coming weeks and months.

Already, we’ve announced that package signing is on its way. This will allow users of npm packages to verify the integrity of the package regardless of the tools they use to retrieve it or the registry from which they download it.

After this, expect a summer full of products that empower security-focused teams and enterprises by augmenting the tools we’ve announced today. Watch this space.

Update:  We’ve added npm audit fix which combines all the actionable, semver-compatible reports from your audit and runs them for you. You can read more about it in the v6.1.0 release notes.