npm audit: Scan Dependencies in CI
npm audit checks your installed dependencies against the npm advisory database.
In CI, npm audit is a fast security gate. The trick is controlling which severities fail the build so a low-severity advisory does not block every PR.
Common flags
--audit-level=high- only fail on high/critical--omit=dev- ignore devDependencies--json- machine-readable output--production- legacy alias for omit dev
Example in CI
Fail only on high or critical findings so noise does not block merges.
shell
npm audit --audit-level=high --omit=devIn CI
npm audit exits non-zero when findings meet the level, which fails the job. Use --audit-level to tune, and run npm audit fix separately rather than in the gate.
Key takeaways
- Set
--audit-levelso only real risk fails CI. - Use
--omit=devto focus on shipped code. - Keep
audit fixout of the blocking gate.
Related guides
npm audit fix: Auto-Patch Vulnerabilitiesnpm audit fix updates vulnerable dependencies to safe versions. Learn how to use it safely in CI without surp…
npm ci: Clean, Reproducible Installsnpm ci installs exactly what is in package-lock.json, deletes node_modules first, and is the right install co…
npm ls: Inspect the Dependency Treenpm ls prints the installed dependency tree. Use it in CI to debug version conflicts, missing peers, and dupl…