npm audit is great but...

- there's no way to whitelist advisories so you don't see them again, and
- if you run it all the time (eg: as part of CI) it'll block you.

- Run `npx @medic/audit-dependencies audit`. This will run `npm audit`. If you have any advisories, either fix them, or add the IDs to the `permitted` array in the `.auditrc.json` file, then run
- In your CI add a step for `npx @medic/audit-dependencies check`. This will check your `package-lock.json` against the one that's been verified and fail if it's changed.