Thanks to the wonderful folks at npm, in npm v10.2+, after 6 years, npm audit no longer requires a lockfile!
Therefore, you should no longer use aud. Instead, use npx npm@'>=10.2' audit --production.
Use npx aud instead of npm audit, whether you have a lockfile or not!
It's a great idea to run npm audit in CI; it ensures that you don't unknowingly have vulnerabilities in your dep graph.
Unfortunately, it doesn't work without a lockfile :crying_cat_face: and only apps should have lockfiles. It also requires npm v6 or above.
Now, instead of npm audit, you can run npx aud! If your repo has a lockfile, it will just run npm audit; if it does not, it will use npm-lockfile to copy your package.json and your currently configured audit level (npm config get audit-level) to a temp dir that has the proper version of npm installed, it will use npm install --package-lock-only to create a temporary lockfile, and it will run npm audit there. On exit, all the temp dirs will get cleaned up.
aud fix without a lockfile present will throw npm audit's normal "no lockfile" error, since there's no way to preserve fixes to transitive dependencies.
FAQs
Use `npx aud` instead of `npm audit`, whether you have a lockfile or not!
The npm package aud receives a total of 2,046 weekly downloads. As such, aud popularity was classified as popular.
We found that aud demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
ESLint has added JSON and Markdown linting support with new officially-supported plugins, expanding its versatility beyond JavaScript.
Security News
Members Hub is conducting large-scale campaigns to artificially boost Discord server metrics, undermining community trust and platform integrity.
Security News
NIST has failed to meet its self-imposed deadline of clearing the NVD's backlog by the end of the fiscal year. Meanwhile, CVE's awaiting analysis have increased by 33% since June.
