Use npm audit

The npm audit command scans your project for security vulnerabilities and provides a detailed report of any identified anomaly. Performing security audits is an essential part in identifying and fixing vulnerabilities in the project's dependencies. Fixing these vulnerabilities could prevent things like data loss, service outages, and unauthorized access to sensitive information.

Azure DevOps does not support npm audit. If you try to run the default npm audit command from your pipeline, the task fails with the following message: Unexpected end of JSON input while parsing....

As a workaround, you can run npm audit with the registry argument --registry=https://registry.npmjs.org/. This will route the npm audit command directly to the public registry.

Warning

Running npm audit will forward all the packages' names from your package.json to the public registry.

Run npm audit from your pipeline

Select the YAML or the classic tab to learn how to run npm audit from your pipeline.

Add the following task to your YAML pipeline to scan for security vulnerabilities.

steps:
- task: Npm@1
  displayName: 'npm audit'
  inputs:
    command: custom
    customCommand: 'audit --registry=https://registry.npmjs.org/'

• command: the npm command to run.
• customCommand: required when command == custom.
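
The task above only surfaces findings in the log. The following script, added here as an example and not part of the Azure DevOps documentation or the Npm@1 task, reads the report produced by `npm audit --json --registry=https://registry.npmjs.org/` and returns a non-zero exit code when anything at or above a chosen severity is present, so a pipeline step can fail on it; the package names and counts in the sample report are constructed.

```python
"""Gate a pipeline step on the counts in `npm audit --json` output.

Intended use in the pipeline (npm audit itself exits non-zero whenever it
reports findings, so `|| true` keeps the report and lets this script decide):
    npm audit --json --registry=https://registry.npmjs.org/ > audit.json || true
    python audit_gate.py audit.json high
"""
import json
import sys

# Severity order, lowest to highest, matching npm's own audit-level names.
SEVERITIES = ("info", "low", "moderate", "high", "critical")


def findings_at_or_above(report: dict, level: str) -> dict:
    """Per-severity counts from report["metadata"]["vulnerabilities"]
    (npm 7+ audit JSON, auditReportVersion 2) at or above `level`."""
    counts = report.get("metadata", {}).get("vulnerabilities", {})
    floor = SEVERITIES.index(level)
    return {sev: counts.get(sev, 0) for sev in SEVERITIES[floor:] if counts.get(sev, 0)}


def gate(report: dict, level: str = "high") -> int:
    """Exit code for the step: 0 if nothing at/above `level`, otherwise 1."""
    hits = findings_at_or_above(report, level)
    if not hits:
        return 0
    # Name each offending package so the build log is actionable.
    for name, vuln in report.get("vulnerabilities", {}).items():
        if SEVERITIES.index(vuln["severity"]) >= SEVERITIES.index(level):
            print(f"{vuln['severity']:8} {name}  fix available: {bool(vuln.get('fixAvailable'))}")
    return 1


# Constructed sample in the shape npm 7+ emits; not real audit data.
SAMPLE_REPORT = {
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-parser": {"name": "example-parser", "severity": "high",
                           "via": ["placeholder advisory"], "fixAvailable": True},
        "example-logger": {"name": "example-logger", "severity": "low",
                           "via": ["placeholder advisory"], "fixAvailable": False},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 1, "moderate": 0,
                                     "high": 1, "critical": 0, "total": 2}},
}

if __name__ == "__main__":
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(report, sys.argv[2] if len(sys.argv) > 2 else "high"))
```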

Run npm audit on your development machine

To run npm audit locally, run the following command in an elevated command prompt window:

npm audit --registry=https://registry.npmjs.org/