Use npm audit to detect package vulnerabilities

Article
09/18/2023

Azure DevOps Services

The npm audit command conducts a comprehensive scan of your project to detect potential security vulnerabilities. It then generates a detailed report highlighting any identified issues. Performing security audits is a crucial step in identifying and addressing vulnerabilities within the project's dependencies. Addressing these vulnerabilities can help prevent issues such as data loss, service disruptions, and unauthorized access to sensitive information.

Azure Pipelines does not support npm audit, if you attempt to use the regular npm audit command in your pipeline, it will fail with the following message: Unexpected end of JSON input while parsing.... As a workaround, you can run npm audit with the registry argument --registry=https://registry.npmjs.org/. This routes it straight to the public registry.

Warning

Running npm audit will send the names of all packages listed in your package.json to the public registry.

Sign in to your Azure DevOps organization, and then navigate to your project.
Select Pipelines, select your pipeline, and then select Edit to modify your pipeline.

Add the following task to your yaml pipeline to run npm audit and scan for security vulnerabilities.

steps:
- task: Npm@1
  displayName: 'npm audit'
  inputs:
    command: custom
    customCommand: 'audit --registry=https://registry.npmjs.org/'

You can also simultaneously scan and upgrade to non-vulnerable package versions, as follows:

steps:
- task: Npm@1
  displayName: 'npm audit & fix'
  inputs:
    command: custom
    customCommand: 'audit fix --registry=https://registry.npmjs.org/ --package-lock-only'

Sign in to your Azure DevOps organization, and then navigate to your project.
Select Pipelines, select your pipeline, and then select Edit to modify your pipeline.
From your pipeline definition, select the + sign to add a task to your agent job.
Search for the npm task, and then select Add to add it to your agent job.
Provide a Display name for your task, and select custom from the Command dropdown menu.
Paste your custom command into the Command and arguments text box:
1. Use the following command to solely scan for security vulnerabilities:
```
audit --registry=https://registry.npmjs.org/
```
2. If you wish to both scan and attempt to upgrade to non-vulnerable package versions, use the following command:
```
audit fix --registry=https://registry.npmjs.org/ --package-lock-only
```

A screenshot showing the npm audit task in a classic pipeline.

Run npm audit on your development environment

To perform an npm audit locally on your development environment and optionally attempt to upgrade to non-vulnerable package versions, follow these steps:

Open a command prompt window, and navigate to the root directory of your project where your package.json file is located.
Run the following command to generate the package-lock.json file. This command analyzes your package.json file, installs the required dependencies, and generates the package-lock.json file.
```
npm i --package-lock-only
```
Run the npm audit command to scan your project for security vulnerabilities and provide a report.
```
npm audit --registry=https://registry.npmjs.org/
```
If you also want to attempt to upgrade to non-vulnerable package versions, use the following command instead:
```
audit fix --registry=https://registry.npmjs.org/ --package-lock-only
```

Here's an example of the output you might see in your command prompt window after running the npm audit command:

A screenshot of a local npm audit security report.

Use npm audit to detect package vulnerabilities

Run npm audit from your pipeline

Run npm audit on your development environment

Feedback

Additional resources

Additional resources

Use npm audit to detect package vulnerabilities

Run npm audit from your pipeline

Run npm audit on your development environment

Related articles

Feedback

Additional resources

Additional resources