END OF LIFE

Thanks to the wonderful folks at npm, in npm v10.2+, after 6 years, npm audit no longer requires a lockfile!

Therefore, you should no longer use aud. Instead, use npx npm@'>=10.2' audit --production.

aud

Use npx aud instead of npm audit, whether you have a lockfile or not!

It's a great idea to run npm audit in CI; it ensures that you don't unknowingly have vulnerabilities in your dep graph.

Unfortunately, it doesn't work without a lockfile :crying_cat_face: and only apps should have lockfiles. It also requires npm v6 or above.

Now, instead of npm audit, you can run npx aud! If your repo has a lockfile, it will just run npm audit; if it does not, it will use npm-lockfile to copy your package.json and your currently configured audit level (npm config get audit-level) to a temp dir that has the proper version of npm installed, it will use npm install --package-lock-only to create a temporary lockfile, and it will run npm audit there. On exit, all the temp dirs will get cleaned up.

aud fix without a lockfile present will throw npm audit's normal "no lockfile" error, since there's no way to preserve fixes to transitive dependencies.

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

v3.0.1 - 2024-07-31

Commits

• EOL 6236062

v3.0.0 - 2024-07-30

Commits

• [Refactor] move entrypoint to ESM 84af24d
• [Breaking] update npm-lockfile; drop node < 16.14 72c2567
• [Refactor] replace rimraf with fs.rmSync recursive 7ba7bec
• [Deps] update tmp 517cfa1
• [Deps] update rimraf 8030e3f

v2.0.5 - 2024-07-30

Commits

• [Dev Deps] update @ljharb/eslint-config, tape f1fd495
• [Tests] npm v10.6.0 changed its error prefix from ERR! to error af8b7f9
• [Deps] update semver, tmp 85db575
• [Fix] pin tmp to v0.2.1 due to a breaking change 27c5052
• [Deps] update semver dfd6ea9
• [Dev Deps] update tape 9549943

v2.0.4 - 2023-12-08

Commits

• [actions] use shared rebase action 5acc88d
• [Tests] npm 9+ throws EUSAGE for a non-lockfile npm audit, now b38d220
• [Dev Deps] update npmignore, tape dcbce75
• [Fix] ensure aud works properly in workspaces 4625b24
• [Deps] update semver e9c988c
• [Deps] update semver 3d60b22

v2.0.3 - 2023-06-20

Commits

• [Deps] update npm-lockfile, semver 0d66c3f
• [Dev Deps] update @ljharb/eslint-config, tape bc34f8c

v2.0.2 - 2022-12-19

Commits

• [meta] use npmignore to autogenerate an npmignore file dcf2617
• [Deps] unpin pacote, update semver daecac4
• [actions] update checkout action 3c87a31

v2.0.1 - 2022-09-20

Commits

• [Dev Deps] update eslint, @ljharb/eslint-config, auto-changelog, tape 7915f18
• [Deps] update npm-lockfile, semver 8c9f7e0
• [Dev Deps] update @ljharb/eslint-config, tape 65adcb9
• [Deps] update npm-lockfile bc32409
• [meta] directly invoke the bin in posttest b40a155
• [Deps] update npm-lockfile 97f7ca4
• [Deps] pin pacote due to a breaking change in v13.6.1+ 00f6bc8
• [Deps] add missing rimraf dep 0f582e4

v2.0.0 - 2022-01-11

Commits

• [actions] reuse common workflows 37e4cf1
• [Refactor] copy getProjectTempDir from npm-lockfile v2, since v3 removes it 60e4f8b
• [Dev Deps] update eslint, @ljharb/eslint-config, auto-changelog, safe-publish-latest, tape 6112fa0
• [Breaking] update to npm-lockfile v3 b52962b
• [Tests] add nyc 4d6cf90
• [Tests] filter out npm warnings, redux 5a63833
• [Refactor] use colors instead of chalk 324a287
• [Refactor] use fs.promises instead of util.promisify; use built-in copyFile 1e8d387
• [Dev Deps] update eslint, @ljharb/eslint-config, tape d78214e
• [actions] update workflows b748956
• [Tests] filter out npm warnings 2627cfa
• [Deps] update semver, tmp f18f1ed
• [Breaking] add "exports" 0c41fdd
• [Deps] update npm-lockfile cb70cd9
• [Fix] pin colors ad0bde5
• [Deps] update npm-lockfile ac56080
• [meta] broaden engines support to >= 10 211e00e
• [meta] add audit-level 56ca7ad

v1.1.5 - 2021-05-01

Commits

• [actions] use node/install instead of node/run; use codecov action b6cdffc
• [readme] fix URLs 84074e7
• [Dev Deps] update eslint, @ljharb/eslint-config, tape 37c3a3b
• [Tests] fix error code checks due to npm 7 a7c7705
• [meta] use prepublishOnly script for npm 7+ 37d2fc7
• [Dev Deps] update eslint f278729
• [meta] add node 16 to engines.node 2703898

v1.1.4 - 2021-02-09

Commits

• [meta] do not publish github action workflow files 2a7b3f1
• [Dev Deps] update eslint, @ljharb/eslint-config, tape 41b90ae
• [Deps] update util.promisify fe9cd7f
• [Fix] allow npm 7+ 41cec78

v1.1.3 - 2020-11-05

Commits

• [Tests] migrate tests to Github Actions 4867d5d
• [Dev Deps] update eslint, @ljharb/eslint-config, tape, auto-changelog e7b3103
• [actions] add "Allow Edits" workflow 56e9a2e
• [Deps] update libnpx, npm-lockfile bc18eb2
• [meta] update rebase workflow to checkout v2 50049a4
• [Dev Deps] update eslint ce73086
• [actions] switch Automatic Rebase workflow to pull_request_target event 657e3c2
• [meta] add node 15 to "engines" 2d5bfad

v1.1.2 - 2020-05-15

Commits

• [Deps] add missing util.promisify e526029

v1.1.1 - 2020-04-21

Commits

• [meta] add ^14 to engines.node 4ef2e95
• [Dev Deps] update auto-changelog e042f47
• [Dev Deps] update auto-changelog 5d8dbc7
• [meta] ignore chalk; v3 requires node 8, v4 node 10; aud supports node 6 0ee46e2

v1.1.0 - 2020-03-28

Commits

• [Tests] use shared travis-ci configs b1d1358
• [meta] add auto-changelog d4fad8e
• [meta] add funding field a0f78c7
• [actions] add automatic rebasing / merge commit blocking 43d9614
• [meta] create FUNDING.yml 8382d05
• [Dev Deps] update @ljharb/eslint-config, tape; add safe-publish-latest; add npx aud to posttest 5264b9f
• [Deps] update npm-lockfile, semver 79be62b
• [Dev Deps] update eslint, @ljharb/eslint-config, tape 78bc852
• [Dev Deps] update auto-changelog, tape 41bfcd0
• [Tests] only audit prod deps 47d2b0f
• [Deps] update libnpx b4ed164
• [minor] add explicit support for newer node versions d735ae9
• [Deps] update libnpx b0689f5
• [Deps] update libnpx 75d85bf

v1.0.0 - 2019-02-22

Commits

• [Tests] initial tests 2e4cb27
• Initial commit 851346f
• initial binary 9bdc003
• [Tests] add npm run lint 18083f6
• Drop support for node 7 and 9 005484a
• readme a279d19
• package.json da03188
• [Fix] when local npm is not new enough, always go to a temp dir 74e1e60
• Only apps should have lockfiles a519aa1
• [Fix] handle nonexistent audit level 4929e1a
• [Fix] copyFile was added in node 8 4f28308