
npm audit

The npm audit command submits a description of the dependencies configured in your project to the registry configured in your .npmrc and asks for a report of policy violations. The report returned includes instructions on how to act on this information.

Detailed information is found on the npm website.

Using Nexus IQ Server you can easily configure verification of your npm project not only against security vulnerabilities but also against your own policies, such as component age or the use of a certain kind of license. All policy violations are aggregated in the npm report.

Note

Add a policy of type License in IQ Server:

[Screenshot: License-type policy in IQ Server]

In the npm report you will get a warning about this violation:

[Screenshot: npm audit report warning about the License policy violation]

npm audit requirements

Note

npm audit does not currently work with npm version 9 or above.

  • Requires IQ Server with Nexus Firewall.

  • npm audit requires npm client 7 or later.

  • If you want to use npm audit without APP_ID, you need to use IQ Server release 89 or higher.

You will receive the following message if the configuration is incomplete or incorrect:

[Screenshot: error message shown when the configuration is incomplete or incorrect]

Setup

Note

Audit information is cached locally for 12 hours. Invalidating the cache at the repository level also clears the audit cache.

IQ Server is required to use this feature with Nexus Repository Manager. You can either evaluate npm packages in the context of the repository or specify an application ID for each project.

You need to configure your npm project within Nexus Repository Manager to use the npm audit command. Details on the configuration of npm can be found in the Configuring npm section.

Note

npm audit is supported only by proxy and group repositories.

There are three different methods to evaluate your npm projects, described below. They are listed in order of preference, but the best choice depends on your use case.

Methods

  1. Add an app_id identifier in a project-local .npmrc file

  2. Introduce a script into your project to inject an app_id

  3. Declare no app_id (scans against root organization policies)

Note

npm v6.14.4 limits requests to 30 seconds. You may have to add the --timeout flag to the npm audit command; for example, npm audit --timeout=300000 limits a request to 5 minutes.

Specifying an application id within a project-local .npmrc file

Create a project-local .npmrc file and add the following line:

headers[]="app_id:<application_id>"

<application_id> should be replaced with the name of the application in your IQ Server against which you want the audit to be conducted.

This approach unlocks the full functionality of npm audit by scanning against application-defined policies.

Running npm audit will produce a report listing the application policies that your build will violate, for example:

[Screenshot: npm audit report listing the violated application policies]

With application id in package-lock.json / npm-shrinkwrap.json

This method also unlocks the full functionality of npm audit. You need to provide the APP_ID parameter in the package-lock.json file; its value should be one of the application ids from the IQ Server. You can inject the APP_ID into your package-lock.json or npm-shrinkwrap.json by adding a script to your package.json file, for example a script called app_id.sh:

app_id.sh

# Copies the APP_ID field of package.json (exposed by npm to scripts as $npm_package_APP_ID)
# into whichever lockfile exists, preferring package-lock.json over npm-shrinkwrap.json.
node -p "fs = require('fs');fp = './' + (fs.existsSync('package-lock.json') ? 'package-lock.json' : 'npm-shrinkwrap.json');fs.writeFileSync(fp, JSON.stringify({...require(fp), APP_ID: '$npm_package_APP_ID'}, null, 2));"

package.json

{
  "name": "my-super-project",
  "version": "0.0.1",
  "description": "Test Project",
  "main": "index.js",
  "dependencies": {
    "debug": "^2.2.0",
    "qs": "^2.3.3"
  },
  "optionalDependencies": {
    "lodash": "2.4.2"
  },
  "APP_ID": "<APP_ID>",
  "scripts": {
    "postshrinkwrap": "bash app_id.sh"
  }
}

After npm install, the resulting package-lock.json / npm-shrinkwrap.json should look like this:

package-lock.json / npm-shrinkwrap.json

{
  "name": "my-super-project",
  "version": "0.0.1",
  "lockfileVersion": 1,
  "requires": true,
  "dependencies": {
    "debug": {
      "version": "2.6.9",
      "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
      "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
      "requires": {
        "ms": "2.0.0"
      }
    },
    "lodash": {
      "version": "2.4.2",
      "resolved": "https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz",
      "integrity": "sha1-+t2DS5aDBz2hebPq5tnA0VBT9z4=",
      "optional": true
    },
    "ms": {
      "version": "2.0.0",
      "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
      "integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g="
    },
    "qs": {
      "version": "2.4.2",
      "resolved": "https://registry.npmjs.org/qs/-/qs-2.4.2.tgz",
      "integrity": "sha1-9854jld33wtQENp/fE5zujJHD1o="
    }
  },
  "APP_ID": "<APP_ID>"
}

Note

If APP_ID does not appear in your package-lock.json, try running npm cache clean --force followed by npm clean-install.

Running npm audit will produce a report listing the policies that your build will violate:

[Screenshot: npm audit report listing the violated application policies]

Without specifying the application id in package-lock.json / npm-shrinkwrap.json

If you do npm audit without specifying an APP_ID in your package-lock.json or npm-shrinkwrap.json, NXRM will download and cache the packages before evaluating them. This may cause a short delay the first time a project is evaluated.

Note

IQ Server release 89 is required.

With this method the report is less detailed than with an APP_ID, but it contains all policy violations under the root organization, as shown here:

[Screenshot: npm audit report listing root organization policy violations]

npm audit fix

If you have configured an APP_ID, you can use npm audit fix to automatically remediate vulnerable dependencies.