Package details

npm-audit-report

npm | 2.8M downloads | license: ISC | version: 6.0.0

Given a response from the npm security api, render it into a variety of security reports

keywords: npm, security, report, audit

readme

npm audit security report

Given a response from the npm security api, render it into a variety of security reports

The result is an object that contains the rendered report (a string) and a suggested exit code:

{
  report: 'string that contains the security report',
  exitCode: 1
}

Basic usage example

This is intended to be used along with the AuditReport class from @npmcli/arborist, which arborist.audit() resolves to.

'use strict'
const Arborist = require('@npmcli/arborist')
const chalk = require('chalk')
const auditReport = require('npm-audit-report')

const options = {
  reporter: 'json',
  // a Chalk instance is required (see options); level 0 disables colors
  chalk: new chalk.Instance({ level: 0 }),
}

const arb = new Arborist({ path: '/path/to/project' })
arb.audit().then(report => {
  // report is the AuditReport instance (also available as arb.auditReport)
  const result = auditReport(report, options)
  console.log(result.report)
  process.exitCode = result.exitCode
})

Break from Version 1

Versions 5 and 6 of the npm CLI request audit data from one of two registry endpoints: the "Full Audit" endpoint at /-/npm/v1/security/audits, or the "Quick Audit" endpoint at /-/npm/v1/security/audits/quick. The Full Audit endpoint also calculates the remediations needed to correct the problems it finds, based on the shape of the dependency tree.

As of npm v7, the way the CLI manages dependency trees was dramatically rearchitected, which renders much of that server-calculated remediation invalid. The CLI therefore fetches only the advisory data, from the Quick Audit endpoint, and uses @npmcli/arborist to calculate the required remediations and the affected nodes in the dependency graph. This data is serialized and provided as an "auditReportVersion": 2 object.

Version 2 of this module expects to receive an instance of (or a serialized JSON version of) the AuditReport class from Arborist, which is returned by arborist.audit() and stored on the instance as arborist.auditReport.

Eventually, a new endpoint may be added to move the @npmcli/arborist work to the server side, in which case version 2 style audit reports may be provided directly.

options

option       values                                                  default     description
reporter     install, detail, json, quiet                            install     which output format to use
chalk        a Chalk instance                                        (required)  Chalk instance used to colorize strings; pass new chalk.Instance({ level: 0 }) for no colors
unicode      true, false                                             true        whether unicode characters may be used in the output
indent       Number or String                                        2           indentation for the 'json' report
auditLevel   'info', 'low', 'moderate', 'high', 'critical', 'none'   low         lowest severity that triggers a non-zero exit code (with the default, exit 0 if only info advisories are found); set to 'none' to always exit with status 0

changelog

Changelog

6.0.0 (2024-09-03)

⚠️ BREAKING CHANGES

  • npm-audit-report now supports node ^18.17.0 || >=20.5.0

Bug Fixes

  • b9a071c #137 align to npm 10 node engine range (@hashtagchris)

Chores

  • 6ae4785 #137 run template-oss-apply (@hashtagchris)
  • d9a9b5a #135 bump @npmcli/eslint-config from 4.0.5 to 5.0.0 (@dependabot[bot])
  • 6a5ef6a #123 bump @npmcli/template-oss to 4.22.0 (@lukekarrys)
  • 3dfcf02 #90 enable auto publish (#90) (@wraithgar)
  • dfc6832 #136 postinstall for dependabot template-oss PR (@hashtagchris)
  • ac3cfa2 #136 bump @npmcli/template-oss from 4.23.1 to 4.23.3 (@dependabot[bot])

5.0.0 (2023-05-22)

⚠️ BREAKING CHANGES

  • use a passed in chalk instance to create colors (#84)

Features

  • ef0bac5 #84 use a passed in chalk instance to create colors (#84) (@lukekarrys)

4.0.0 (2022-10-10)

⚠️ BREAKING CHANGES

  • npm-audit-report is now compatible with the following semver range for node: ^14.17.0 || ^16.13.0 || >=18.0.0

Features

  • af74324 #67 postinstall for dependabot template-oss PR (@lukekarrys)

3.0.0 (2022-03-23)

⚠ BREAKING CHANGES

  • this drops support for node10 and non-LTS versions of node 12 and node 14.

Bug Fixes

  • linting and printed check (0e1d9e5)
  • @npmcli/template-oss@3.1.2 (6aa9eef)

1.3.3 (2020-03-26)

1.3.2 (2018-12-18)

Bug Fixes

  • parseable: add support for critical vulns and more resolves on update/install action (#28) (5e27893)
  • security: audit fix (ff9faf3)
  • urls: Replace hardcoded URL to advisory with a URL from audit response (#34) (e2fe95b)

1.3.1 (2018-07-10)

1.3.0 (2018-07-09)

Bug Fixes

  • deps: remove object.values dependency (2c5374a)
  • detail: Fix info-level severity (#18) (807db5a)
  • tests: a test should not cause side-effects in other tests (#23) (a94449f)

Features

  • output: add parseable tabular output format support (#21) (1c9aaf4)

1.2.1 (2018-05-17)

Bug Fixes

  • detail: count id+path instead of just id (99880fd)

1.2.0 (2018-05-16)

Bug Fixes

  • full-report: Fix install flag for devDependencies (#14) (30e5f30)

Features

  • detail: consistified full report with install report (#15) (6df6810)
  • install: include npm audit recommendation too (32fb153)

1.1.0 (2018-05-10)

Bug Fixes

  • install: not enough data for this conditional (6ddc30c)

Features

  • report: compress and reformat human-readable install report (74d5203)