security

npm audit

Submits the dependency tree to the registry's security advisory database and reports known vulnerabilities. Exits non-zero when problems at or above the audit level are found.

npm audit [--audit-level=<low|moderate|high|critical>] [--omit=dev]

Common flags

Flag Purpose
--audit-level <lvl> Fail only for issues at or above this severity
--omit=dev Audit production dependencies only
--json Emit the full advisory report as JSON
--registry <url> Use a specific registry's advisory data

Examples

npm audit

Report every known vulnerability in the tree

npm audit --audit-level=high

Only fail on high/critical issues

npm audit --omit=dev

Ignore devDependencies (production audit)

Gotcha

`npm audit` is famously noisy — many advisories are in devDependencies that never ship to users. Filter with `--omit=dev` and `--audit-level=high` in CI to avoid failing on cosmetic issues.

Related commands

← All npm commands · npm vs pnpm vs Yarn · Fix Node OOM