npmpackage.info

Gathering detailed insights and metrics for npm-audit-ci-wrapper

npm-audit-ci-wrapper

A wrapper for 'npm audit' which can be configurable for use in a CI/CD tool like Jenkins

3.0.2

Apache-2.0

JavaScript

1,375,873 3.1

Installations

npm install npm-audit-ci-wrapper

Pull Requests

Open

0

Total

39

Closed

3

Merged

36

Issues

Open

0

Total

43

Closed

43

Releases

v3.0.0

3.0.0

Published on 28 Aug 2020

v2.4.1

Published on 29 Oct 2019

v2.4.0

Published on 23 Oct 2019

v2.3.0

Published on 18 Jul 2019

v2.2.1

Published on 22 May 2019

v2.1.8

Published on 12 Mar 2019

View all 8 releases

Developer

InfoSec812

Developer Guide

BETA

Module System

CommonJS

Min. Node Version

Typescript Support

No

Node Version

12.22.1

NPM Version

6.14.12 Statistics

13 Stars

188 Commits

11 Forks

6 Watching

25 Branches

9 Contributors

Updated on 28 Jan 2023

Languages

JavaScript (100%)

Total Downloads

Cumulative downloads

Total Downloads

1,375,873

Last day

-11.5%

438

Compared to previous day

Last week

-22.8%

2,393

Compared to previous week

Last month

-1.6%

12,621

Compared to previous month

Last year

-19.9%

156,703

Compared to previous year

Daily Downloads

Weekly Downloads

Monthly Downloads

Yearly Downloads

Dependencies

JSONStream argv cli-table event-stream

Dev Dependencies

@stryker-mutator/core @stryker-mutator/html-reporter @stryker-mutator/javascript-mutator @stryker-mutator/jest-runner capture-stdout jest jest-cli jest-html-reporter sonar-scanner stryker-cli

Versions

DEPRECATED NPM Audit Continuous Integration Wrapper

Deprecation

NPM keeps changing the API for NPM Audit and I just don't have the time or inclination to keep chasing their whims. I highly recommend that you switch to using Sonatype's auditjs which is far more stable and not dependent on NPM's Audit API. It instead uses the Sonatype OSSI registry which covers a lot more detail. I have already switched all of my projects. If you would like to take over ownership of this repository and the NPM package, I would be willing to hand it over to someone who proves their intent by submitting a pull-request to handle the latest NPM Audit API.

This utility is a wrapper around npm audit --json which allows for finer grained control over what will cause a CI build to fail. Options include setting the severity threshold and ignoring dev dependencies.

Installation

npm install --save-dev npm-audit-ci-wrapper

npm install -g npm-audit-ci-wrapper

npx npm-audit-ci-wrapper@latest

Usage

Usage: npm-audit-ci-wrapper [options]

	--help, -h
		Displays help information about this script
		'npm-audit-ci-wrapper -h' or 'npm-audit-ci-wrapper --help'

	--threshold, -t
		The threshold at which the audit should fail the build (low, moderate, high, critical)
		'npm-audit-ci-wrapper --threshold=high' or 'npm-audit-ci-wrapper -t high'

	--ignore-dev-dependencies, -p
		Tells the tool to ignore dev dependencies and only fail the build on runtime dependencies which exceed the threshold
		'npm-audit-ci-wrapper -p' or 'npm-audit-ci-wrapper --ignore-dev-dependencies'

	--json, -j
		Do not fail, just output the filtered JSON data which matches the specified threshold/scope (useful in combination with `npm-audit-html`)
		'npm-audit-ci-wrapper --threshold=high -p --json' or 'npm-audit-ci-wrapper -j'

	--registry, -r
		Set an alternate NPM registry server. Useful when your default npm regsitry (i.e. npm config set registry) does not support the npm audit command.
		'npm-audit-ci-wrapper --registry=https://registry.npmjs.org/'

	--whitelist, -w
		Whitelist the given dependency at the specified version or all versions (Can be specified multiple times).
		'npm-audit-ci-wrapper -w https-proxy-agent' or 'npm-audit-ci-wrapper -w https-proxy-agent:*' or 'npm-audit-ci-wrapper --whitelist=https-proxy-agent:1.0.0'

	--version, -v
		Output the version of npm-audit-ci-wrapper and then exit
		'npm-audit-ci-wrapper -v' or 'npm-audit-ci-wrapper --version'

No vulnerabilities found.

10

Dangerous-Workflow

Determines if the project's GitHub Action workflows avoid dangerous patterns.

10

Binary-Artifacts

Determines if the project has generated executable (binary) artifacts in the source repository.

10

Vulnerabilities

Determines if the project has open, known unfixed vulnerabilities.

10

License

Determines if the project has defined a license.

0

Token-Permissions

Determines if the project's workflows follow the principle of least privilege.

0

Code-Review

Determines if the project requires human code review before pull requests (aka merge requests) are merged.

0

Maintained

Determines if the project is "actively maintained".

0

CII-Best-Practices

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

0

Security-Policy

Determines if the project has published a security policy.

0

Fuzzing

Determines if the project uses fuzzing.

0

Signed-Releases

Determines if the project cryptographically signs release artifacts.

0

Pinned-Dependencies

Determines if the project has declared and pinned the dependencies of its build process.

0

Branch-Protection

Determines if the default and release branches are protected with GitHub's branch protection settings.

0

SAST

Determines if the project uses static code analysis.

Score

3.1

/10

Last Scanned on 2024-11-25

The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.

Learn More