Npm libraries and vulnerability concerns

npm ships with a basic audit feature out of the box, but it requires npm version 6 or later. Upgrade your npm with this command:

npm install npm@latest -g 

Now you are able to run the audit command and get the results back:

npm audit

If you would like to write the report to a file, you can run this instead:

npm audit > report.txt

You will probably get back some results like the following:

You can potentially fix some of them by running:

npm audit fix

However, some of the others cannot be fixed automatically, because the fix is a breaking change in a library and you need to make it manually so that you are aware of what changed. In the example above, there is a line which asks you to upgrade gulp to version 4. That change also requires editing the gulpfile, since the syntax has changed.

Audit the production packages

You might only need to audit the packages listed under dependencies, not those under devDependencies:

npm audit fix --only=prod