npm-audit-pipeline is an npm library that can be used in your CI pipelines to determine whether your packages have any known vulnerabilities and to fail the pipeline if they do.
$ npm i npm-audit-pipeline --save-dev
In its simplest form you can add it to the package.json scripts section like so:
"scripts": {
"package-audit": "npm-audit"
}
Then you can run as:
$ npm run package-audit
It will check the vulnerability levels specified by the given parameters (low/moderate/high/critical).
You can specify how many errors are allowed to be passed through for each vulnerability level.
For example:
$ npm-audit --low=4 --moderate=3 --high=2 --critical=1
This means that if there are 4 low, 3 moderate, 2 high and 1 critical vulnerabilities when the packages are checked, the run will pass. If there are 5 low level vulnerabilities, it will fail because 5 is greater than the 4 specified in the arguments. If only the vulnerability level name is passed, with no count, the allowed count defaults to 0.
$ npm-audit --shouldWarn
The shouldWarn flag means the vulnerabilities are logged to stdout but the pipeline still passes.
$ npm-audit --retry=10
The retry flag sets the number of retry attempts made when npm audit fails to retrieve the data.
npm-audit-pipeline is licensed under Apache 2.0.