Use npm audit to detect package vulnerabilities

Azure DevOps Services

The npm audit command conducts a comprehensive scan of your project to detect potential security vulnerabilities. It then generates a detailed report highlighting any identified issues. Performing security audits is a crucial step in identifying and addressing vulnerabilities within the project's dependencies. Addressing these vulnerabilities can help prevent issues such as data loss, service disruptions, and unauthorized access to sensitive information.

Azure Pipelines does not support npm audit, if you attempt to use the regular npm audit command in your pipeline, it will fail with the following message: Unexpected end of JSON input while parsing.... As a workaround, you can run npm audit with the registry argument --registry= This routes it straight to the public registry.


Running npm audit will send the names of all packages listed in your package.json to the public registry.

Run npm audit from your pipeline

  1. Sign in to your Azure DevOps organization, and then navigate to your project.

  2. Select Pipelines, select your pipeline, and then select Edit to modify your pipeline.

  3. Add the following task to your yaml pipeline to run npm audit and scan for security vulnerabilities.

    - task: Npm@1
      displayName: 'npm audit'
        command: custom
        customCommand: 'audit --registry='
  4. You can also simultaneously scan and upgrade to non-vulnerable package versions, as follows:

    - task: Npm@1
      displayName: 'npm audit & fix'
        command: custom
        customCommand: 'audit fix --registry= --package-lock-only'

Run npm audit on your development environment

To perform an npm audit locally on your development environment and optionally attempt to upgrade to non-vulnerable package versions, follow these steps:

  1. Open a command prompt window, and navigate to the root directory of your project where your package.json file is located.

  2. Run the following command to generate the package-lock.json file. This command analyzes your package.json file, installs the required dependencies, and generates the package-lock.json file.

    npm i --package-lock-only
  3. Run the npm audit command to scan your project for security vulnerabilities and provide a report.

    npm audit --registry=
  4. If you also want to attempt to upgrade to non-vulnerable package versions, use the following command instead:

    audit fix --registry= --package-lock-only

Here's an example of the output you might see in your command prompt window after running the npm audit command:

A screenshot of a local npm audit security report.