npmpackage.info

Gathering detailed insights and metrics for npm-audit-report

Other packages similar to npm-audit-report

@netly/npm-audit-markdown

1.2.0

Generate a markdown report for NPM Audit

bpr-npm-audit

1.4.4

Bitbucket Pipelines report for "npm audit".

npm-audit-html

1.5.0

Generate a HTML report for NPM Audit

@dshbuilds/gitlab-npm-audit-parser

1.0.3

NPM Audit parser for GitLab dependency scanning

Gathering detailed insights and metrics for npm-audit-report

npm-audit-report - 6.0.0 | npmpackage.info

npm-audit-report

npm audit security report

6.0.0

NOASSERTION

JavaScript

1.64 kB

168,732,067 6.1

Installations

npm install npm-audit-report

Developer Guide

BETA

Typescript

No

Module System

CommonJS

Min. Node Version

^18.17.0 || >=20.5.0

Node Version

22.8.0

NPM Version

10.8.3 Score

99.7

Supply Chain

87.8

Quality

83.4

Maintenance

100

Vulnerability

100

License

Pull Requests

Open

1

Total

118

Closed

56

Merged

61

Issues

Open

1

Total

22

Closed

21

Releases

v6.0.0

Updated on Sep 05, 2024

v5.0.0

Updated on May 22, 2023

v4.0.0

Updated on Oct 14, 2022

v3.0.0

Updated on Mar 23, 2022

View All 4 releases

Languages

JavaScript

JavaScript (100%)

Developer

npm

Download Statistics

Total Downloads

168,732,067

Last Day

131,470

Last Week

717,058

Last Month

2,811,588

Last Year

32,798,728

GitHub Statistics

NOASSERTION License

35 Stars

184 Commits

18 Forks

22 Watchers

6 Branches

79 Contributors

Updated on Apr 28, 2025

Bundle Size

3.65 kB

Minified

1.64 kB

Minified + Gzipped

Bundlephobia

Maintainers

View All 79 Contributors

Package Meta Information

Latest Version

6.0.0

Package Id

npm-audit-report@6.0.0

Unpacked Size

11.63 kB

Size

4.81 kB

File Count

NPM Version

10.8.3

Node Version

22.8.0

Published on

Sep 05, 2024

Total Downloads

Cumulative downloads

Total Downloads

168,732,067

Last Day

-1.8%

131,470

Compared to previous day

Last Week

11.8%

717,058

Compared to previous week

Last Month

7.8%

2,811,588

Compared to previous month

Last Year

6.1%

32,798,728

Compared to previous year

Weekly Downloads

Monthly Downloads

Yearly Downloads

Dev Dependencies

@npmcli/eslint-config @npmcli/template-oss chalk tap

npm audit security report

Given a response from the npm security api, render it into a variety of security reports

The response is an object that contains an output string (the report) and a suggested exitCode.

{
  report: 'string that contains the security report',
  exit: 1
}

Basic usage example

This is intended to be used along with @npmcli/arborist's AuditReport class.

'use strict'
const Report = require('npm-audit-report')
const options = {
  reporter: 'json'
}

const arb = new Arborist({ path: '/path/to/project' })
arb.audit().then(report => {
  const result = new Report(report, options)
  console.log(result.output)
  process.exitCode = result.exitCode
})

Break from Version 1

Version 5 and 6 of the npm CLI make a request to the registry endpoint at either the "Full Audit" endpoint at /-/npm/v1/security/audits or the "Quick Audit" endpoint at /-/npm/v1/security/audits/quick. The Full Audit endpoint calculates remediations necessary to correct problems based on the shape of the tree.

As of npm v7, the logic of how the cli manages trees is dramatically rearchitected, rendering much of the remediations no longer valid. Thus, it only fetches the advisory data from the Quick Audit endpoint, and uses @npmcli/arborist to calculate required remediations and affected nodes in the dependency graph. This data is serialized and provided as an "auditReportVersion": 2 object.

Version 2 of this module expects to receive an instance (or serialized JSON version of) the AuditReport class from Arborist, which is returned by arborist.audit() and stored on the instance as arborist.auditReport.

Eventually, a new endpoint may be added to move the @npmcli/arborist work to the server-side, in which case version 2 style audit reports may be provided directly.

options

option	values	default	description
reporter	`install`, `detail`, `json`, `quiet`	`install`	specify which output format you want to use
chalk	`Chalk` instance	required	a Chalk instance to use for colorizing strings. use `new chalk.Instance({ level: 0 })` for no colors
unicode	`true`, `false`	`true`	indicates if unicode characters should be used
indent	Number or String	`2`	indentation for `'json'` report
auditLevel	'info', 'low', 'moderate', 'high', 'critical', 'none'	`low` (ie, exit 0 if only `info` advisories are found)	level of vulnerability that will trigger a non-zero exit code (set to 'none' to always exit with a 0 status code)

No vulnerabilities found.

10

Code-Review

Determines if the project requires human code review before pull requests (aka merge requests) are merged.

10

Security-Policy

Determines if the project has published a security policy.

10

Binary-Artifacts

Determines if the project has generated executable (binary) artifacts in the source repository.

10

Dangerous-Workflow

Determines if the project's GitHub Action workflows avoid dangerous patterns.

10

Vulnerabilities

Determines if the project has open, known unfixed vulnerabilities.

9

License

Determines if the project has defined a license.

8

SAST

Determines if the project uses static code analysis.

1

Maintained

Determines if the project is "actively maintained".

0

CII-Best-Practices

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

0

Fuzzing

Determines if the project uses fuzzing.

0

Token-Permissions

Determines if the project's workflows follow the principle of least privilege.

0

Pinned-Dependencies

Determines if the project has declared and pinned the dependencies of its build process.

Reason

dependency not pinned by hash detected -- score normalized to 0

Details

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/audit.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-audit-report/audit.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/audit.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-audit-report/audit.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-release.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-audit-report/ci-release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-release.yml:51: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-audit-report/ci-release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-release.yml:67: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-audit-report/ci-release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-release.yml:116: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-audit-report/ci-release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-release.yml:132: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-audit-report/ci-release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-release.yml:148: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-audit-report/ci-release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-audit-report/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-audit-report/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:92: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-audit-report/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:98: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-audit-report/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-audit-report/codeql-analysis.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-audit-report/codeql-analysis.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-audit-report/codeql-analysis.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/post-dependabot.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-audit-report/post-dependabot.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/post-dependabot.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-audit-report/post-dependabot.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/post-dependabot.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-audit-report/post-dependabot.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pull-request.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-audit-report/pull-request.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pull-request.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-audit-report/pull-request.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-integration.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-audit-report/release-integration.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-integration.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-audit-report/release-integration.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:275: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-audit-report/release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:284: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-audit-report/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:304: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-audit-report/release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-audit-report/release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-audit-report/release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-audit-report/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:66: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-audit-report/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:76: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-audit-report/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:83: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-audit-report/release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:110: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-audit-report/release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:119: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-audit-report/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:136: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-audit-report/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:162: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-audit-report/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:199: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-audit-report/release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:218: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-audit-report/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:236: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-audit-report/release.yml/main?enable=pin
Warn: npmCommand not pinned by hash: .github/workflows/audit.yml:41
Warn: npmCommand not pinned by hash: .github/workflows/ci-release.yml:62
Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:45
Warn: npmCommand not pinned by hash: .github/workflows/post-dependabot.yml:39
Warn: npmCommand not pinned by hash: .github/workflows/pull-request.yml:45
Warn: npmCommand not pinned by hash: .github/workflows/release-integration.yml:56
Warn: npmCommand not pinned by hash: .github/workflows/release.yml:50
Warn: npmCommand not pinned by hash: .github/workflows/release.yml:130
Info: 0 out of 26 GitHub-owned GitHubAction dependencies pinned
Info: 0 out of 12 third-party GitHubAction dependencies pinned
Info: 0 out of 8 npmCommand dependencies pinned

Score

6.1

/10

Last Scanned on 2025-05-05

The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.

Learn More