Skip to content
Latchkey

npm audit: Scan Dependencies in CI

npm audit checks your installed dependencies against the npm advisory database.

In CI, npm audit is a fast security gate. The trick is controlling which severities fail the build so a low-severity advisory does not block every PR.

Common flags

  • --audit-level=high - only fail on high/critical
  • --omit=dev - ignore devDependencies
  • --json - machine-readable output
  • --production - legacy alias for omit dev

Example in CI

Fail only on high or critical findings so noise does not block merges.

shell
npm audit --audit-level=high --omit=dev

In CI

npm audit exits non-zero when findings meet the level, which fails the job. Use --audit-level to tune, and run npm audit fix separately rather than in the gate.

Key takeaways

  • Set --audit-level so only real risk fails CI.
  • Use --omit=dev to focus on shipped code.
  • Keep audit fix out of the blocking gate.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →