Learn about our RFC process, Open RFC meetings & more.Join in the discussion! »

better-npm-audit

1.3.1 • Public • Published

Better NPM Audit

Made to allow skipping certain vulnerabilities, and any extra handling that are not supported by the default npm audit in the future.

NPM

PRs Welcome GitHub issues npm bundle size

Installation

$ npm install better-npm-audit

or

$ npm install -g better-npm-audit

Useage

Package.json

{
  "scripts": {
    "prepush": "npm run test && npm run audit",
    "audit": "node node_modules/better-npm-audit audit"
  }
}

Run Global

better-npm-audit audit

Flags

Ignore certain vulnerabilities

For skipping certain advisories, you can use -i or verbose --ignore flags

node node_modules/better-npm-audit audit -i 118,577

Display full report

To avoid waterfall logging on your console screen, there is a character limit set to the output. To view the full audit logs, you can use -f or verbose --full flags

node node_modules/better-npm-audit audit -f

Minimum audit level (--audit-level)

Fail an audit only if the results include a vulnerability with a level of moderate or higher:

node node_modules/better-npm-audit audit -l critical

Production mode (--production)

Skip checking devDependencies

node node_modules/better-npm-audit audit -p

Examples

Running node node_modules/better-npm-audit audit with vulnerabilities, will receive the error:

Error: 2 vulnerabilities found. Node security advisories: 118,577
    at Socket.audit.stdout.on.data (C:\Users\user\project\node_modules\better-npm-audit\index.js:51:15)
    at emitOne (events.js:121:20)
    at Socket.emit (events.js:211:7)
    at addChunk (_stream_readable.js:263:12)
    at readableAddChunk (_stream_readable.js:246:13)
    at Socket.Readable.push (_stream_readable.js:208:10)
    at Pipe.onread (net.js:594:20)

Added the ignore flags node node_modules/better-npm-audit audit -i 118,577 and rerun:

Executing script: audit

to be executed: "node node_modules/better-npm-audit audit -i 118,577"
Exception Vulnerabilities IDs:  [ '118', '577' ]
=== npm audit security report ===


                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance


  High            Regular Expression Denial of Service

  Package         minimatch

  Patched in      >=3.0.2

  Dependency of   semantic-ui

  Path            semantic-ui > gulp > vinyl-fs > glob-stream > glob >
                  minimatch

  More info       https://nodesecurity.io/advisories/118


  High            Regular Expression Denial of Service

  Package         minimatch

  Patched in      >=3.0.2

  Dependency of   semantic-ui

  Path            semantic-ui > gulp > vinyl-fs > glob-stream > minimatch

  More info       https://nodesecurity.io/advisories/118


  High            Regular Expression Denial of Service

  Package         minimatch

  Patched in      >=3.0.2

  Dependency of   semantic-ui

  Path            semantic-ui > gulp > vinyl-fs > glob-watcher > gaze >
                  globule > glob > minimatch

  More info       https://nodesecurity.io/advisories/118


  High            Regular Expression Denial of Service

  Package         minimatch

  Patched in      >=3.0.2

  Dependency of   semantic-ui

  Path            semantic-ui > gulp > vinyl-fs > glob-watcher > gaze >
                  globule > minimatch

  More info       https://nodesecurity.io/advisories/118


  Low             Prototype Pollution

  Package         lodash

  Patched in      >=4.17.5

  Dependency of   semantic-ui

  Path            semantic-ui > gulp > vinyl-fs > glob-watcher > gaze >
                  globule > lodash

  More info       https://nodesecurity.io/advisories/577

found 5 vulnerabilities (1 low, 4 high) in 30441 scanned packages
  5 vulnerabilities require manual review. See the full report for details.

🤝  All good

Special thanks

Thank you @IPWright83 for his solutions in improving the vulnerability validation for us to have the minimum-audit-level and production-mode flags.


If you like this project,

Buy Me A Coffee

Install

npm i better-npm-audit

DownloadsWeekly Downloads

3,000

Version

1.3.1

License

MIT

Unpacked Size

12.8 kB

Total Files

6

Last publish

Collaborators

  • avatar