[go: up one dir, main page]

Skip to content
This repository has been archived by the owner on Jul 31, 2024. It is now read-only.
/ aud Public archive

Use `npx aud` instead of `npm audit`, whether you have a lockfile or not!

License

Notifications You must be signed in to change notification settings

ljharb/aud

Repository files navigation

END OF LIFE

Thanks to the wonderful folks at npm, in npm v10.2+, after 6 years, npm audit no longer requires a lockfile!

Therefore, you should no longer use aud. Instead, use npx npm@'>=10.2' audit --production.


aud Version Badge

License Downloads

npm badge

Use npx aud instead of npm audit, whether you have a lockfile or not!

It's a great idea to run npm audit in CI; it ensures that you don't unknowingly have vulnerabilities in your dep graph.

Unfortunately, it doesn't work without a lockfile 😿 and only apps should have lockfiles. It also requires npm v6 or above.

Now, instead of npm audit, you can run npx aud! If your repo has a lockfile, it will just run npm audit; if it does not, it will use npm-lockfile to copy your package.json and your currently configured audit level (npm config get audit-level) to a temp dir that has the proper version of npm installed, it will use npm install --package-lock-only to create a temporary lockfile, and it will run npm audit there. On exit, all the temp dirs will get cleaned up.

aud fix without a lockfile present will throw npm audit's normal "no lockfile" error, since there's no way to preserve fixes to transitive dependencies.

About

Use `npx aud` instead of `npm audit`, whether you have a lockfile or not!

Topics

Resources

License

Code of conduct

Security policy

Stars

Watchers

Forks