npm audit to the rescue
With the release of npm 6.0, npm audit was announced: a new tool designed to increase security when working with open-source code. npm audit is now available, and not only in npm@6; it can also be used with earlier versions.
npm audit performs an immediate security review of a project's dependency tree, comparing it against the vulnerabilities recorded in the NodeSecurity.io database. Running npm audit generates reports that not only list which vulnerabilities exist in the code but also give hints on how to fix them with npm commands.
Automate Code Auditing
In addition, the reports generated by npm audit include information on the location of each vulnerability and the dependency in which it was found. They also include a link to more information about the issue on the Node Security Platform recently adopted by npm. Even during the installation of new dependencies via npm install, an automatic security check is now performed, and a message reports any existing vulnerabilities. For a complete report, however, npm audit itself must be run; it is available free of charge to all users of the corresponding npm versions.
npm audit is fully compatible with npm versions 5.10.0 and 6. It will then generate this report:
Raise awareness of security vulnerabilities