npm audit: Usage, Options & Common CI Errors
Scan your dependency tree for known vulnerabilities.
npm audit sends your dependency tree to the registry advisory service and reports known CVEs by severity. In CI its exit code can gate the build.
What it does
Submits the resolved tree to the configured registry and lists advisories grouped by severity (low to critical), with the affected path and a fix suggestion. It exits non-zero when vulnerabilities at or above the audit level are found.
Common usage
npm audit # full report
npm audit --audit-level=high # only fail on high/critical
npm audit --json # machine-readable
npm audit --omit=dev # ignore devDependenciesCommon CI error: audit fails on low-severity advisories
A security-scan step fails the build on low or moderate advisories that you cannot fix yet. Set --audit-level to the threshold you actually gate on (e.g. high), and scope to production deps with --omit=dev so dev-only advisories do not block releases.
npm audit --audit-level=high --omit=dev