Skip to content
Latchkey

npm audit: Usage, Options & Common CI Errors

Scan your dependency tree for known vulnerabilities.

npm audit sends your dependency tree to the registry advisory service and reports known CVEs by severity. In CI its exit code can gate the build.

What it does

Submits the resolved tree to the configured registry and lists advisories grouped by severity (low to critical), with the affected path and a fix suggestion. It exits non-zero when vulnerabilities at or above the audit level are found.

Common usage

Terminal
npm audit                       # full report
npm audit --audit-level=high    # only fail on high/critical
npm audit --json                # machine-readable
npm audit --omit=dev            # ignore devDependencies

Common CI error: audit fails on low-severity advisories

A security-scan step fails the build on low or moderate advisories that you cannot fix yet. Set --audit-level to the threshold you actually gate on (e.g. high), and scope to production deps with --omit=dev so dev-only advisories do not block releases.

.github/workflows/ci.yml
npm audit --audit-level=high --omit=dev

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →