npm audit to the rescue

With the release of npm 6.0, npm audit was announced: a new tool designed to improve security when working with open source code. npm audit is now available, and not only in npm@6; it can also be used with earlier versions.

npm audit performs an on-demand security review of a project's dependency tree, comparing the installed packages against the vulnerabilities recorded in the database. Running npm audit generates a report that not only lists which vulnerabilities exist in the project's dependencies, but also gives hints on how to fix them with npm commands.

Automate Code Auditing

In addition, the reports generated by npm audit include information on where each vulnerability was found and on which dependency introduces it. They also include a link to more information about the issue on the Node Security Platform, which npm recently adopted. Even when installing new dependencies via npm install, an automatic security check is now performed and a message reports any known vulnerabilities. For a complete report, however, npm audit itself must be run; it is available free of charge to all users of the supported npm versions.
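One way to act on such a report in CI, as an added example that is not code from the article or from npm: it reads the JSON that `npm audit --json` emits in npm 6, keeps the findings at or above a chosen severity together with their dependency path and the fix command the report hints at, and returns a non-zero exit status when any remain. The `actions`/`advisories` field names follow the npm 6 report layout as an assumption, and the embedded report is a constructed sample, not real advisory data.

```javascript
// Added example (not from the article or npm itself): gate a CI job on the
// JSON that `npm audit --json` emits in npm 6. The field names below
// (actions / advisories) follow that layout as an assumption.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed, abridged sample of an npm 6 audit report (not real data).
const SAMPLE_REPORT = {
  actions: [
    { action: "update", module: "lodash", target: "4.17.11", depth: 3,
      resolves: [{ id: 577, path: "web-app>merge-helper>lodash", dev: false }] },
    { action: "review", module: "marked", depth: 2,
      resolves: [{ id: 531, path: "docs-gen>marked", dev: true }] },
  ],
  advisories: {
    577: { id: 577, module_name: "lodash", severity: "low", title: "Prototype Pollution",
           patched_versions: ">=4.17.5", url: "https://example.invalid/advisories/577" },
    531: { id: 531, module_name: "marked", severity: "high", title: "Regular Expression DoS",
           patched_versions: ">=0.3.18", url: "https://example.invalid/advisories/531" },
  },
};

// The npm command the report hints at for a given action; "review" actions
// have no automatic fix and need a human decision.
function fixCommand(action) {
  if (action.action === "update") return `npm update ${action.module} --depth ${action.depth}`;
  if (action.action === "install") return `npm install ${action.module}@${action.target}`;
  return `manual review required for ${action.module}`;
}

// Findings at or above `threshold`, each with its dependency path and fix hint.
// Dev-only findings are skipped unless includeDev is set.
function gateAudit(report, threshold = "high", includeDev = false) {
  const minRank = SEVERITY_RANK[threshold];
  const findings = [];
  for (const action of report.actions || []) {
    for (const r of action.resolves || []) {
      const adv = report.advisories[r.id];
      if (!adv || SEVERITY_RANK[adv.severity] < minRank) continue;
      if (r.dev && !includeDev) continue;
      findings.push({ id: adv.id, module: adv.module_name, severity: adv.severity,
                      title: adv.title, path: r.path, fix: fixCommand(action), url: adv.url });
    }
  }
  return findings;
}

// Exit status a CI step would use: 1 when any finding remains at/above threshold.
function exitCode(report, threshold = "high", includeDev = false) {
  return gateAudit(report, threshold, includeDev).length === 0 ? 0 : 1;
}
```

In a pipeline, save the real report with `npm audit --json > audit.json`, parse it, and call `process.exit(exitCode(report, "high"))` so the build fails on unresolved high or critical findings.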

npm audit is fully compatible with npm 5.10.0 and npm 6. It will then generate this report:

Raise awareness of security vulnerabilities

npm hopes that the new npm audit will raise developers’ awareness of the problem of vulnerabilities in open source software. The goal is to help reduce the number of dependencies within the JavaScript ecosystem that contain vulnerabilities and make the ecosystem as a whole more secure. More information on the automated audit of dependencies in code can be found in the npm blog and in the official documentation of npm audit.