security
npm audit
Submits the dependency tree to the registry's security advisory database and reports known vulnerabilities. Exits non-zero when problems at or above the audit level are found.
npm audit [--audit-level=<low|moderate|high|critical>] [--omit=dev] Common flags
| Flag | Purpose |
|---|---|
| --audit-level <lvl> | Fail only for issues at or above this severity |
| --omit=dev | Audit production dependencies only |
| --json | Emit the full advisory report as JSON |
| --registry <url> | Use a specific registry's advisory data |
Examples
npm audit Report every known vulnerability in the tree
npm audit --audit-level=high Only fail on high/critical issues
npm audit --omit=dev Ignore devDependencies (production audit)
Gotcha
`npm audit` is famously noisy — many advisories are in devDependencies that never ship to users. Filter with `--omit=dev` and `--audit-level=high` in CI to avoid failing on cosmetic issues.
Related commands
npm audit fix
Automatically installs compatible updates that resolve reported vulnerabilities without breaking your declared semver ranges. `--force` will accept SemVer-major bumps.
npm ci
Performs a clean, deterministic install straight from package-lock.json (or npm-shrinkwrap.json) intended for CI environments. It deletes any existing node_modules and refuses to run if package.json and the lockfile are out of sync.
npm outdated
Compares installed versions against the registry and reports which packages have a newer version available in current/wanted/latest columns. `wanted` respects your semver range, `latest` is the newest published.