Use npm audit
Azure DevOps Services
The npm audit command scans your project for security vulnerabilities and provides a detailed report of any identified anomaly. Performing security audits is an essential part in identifying and fixing vulnerabilities in the project's dependencies. Fixing these vulnerabilities could prevent things like data loss, service outages, and unauthorized access to sensitive information.
Azure DevOps does not support npm audit, if you try to run the default npm audit command from your pipeline, the task will fail with the following message: Unexpected end of JSON input while parsing....
As a workaround, you can run npm audit with the registry argument
--registry=https://registry.npmjs.org/. This will route the npm audit command directly to the public registry.
Running npm audit will forward all the packages' names from your package.json to the public registry.
Run npm audit from your pipeline
Select the YAML or the classic tab to learn how to run npm audit from you Pipeline.
Add the following task to your yaml pipeline to only scan for security vulnerabilities.
steps: - task: Npm@1 displayName: 'npm audit' inputs: command: custom customCommand: 'audit --registry=https://registry.npmjs.org/'
Instead of only scanning, to scan and also attempt to upgrade to non-vulnerable package versions:
steps: - task: Npm@1 displayName: 'npm audit fix' inputs: command: custom customCommand: 'npm audit fix --registry=https://registry.npmjs.org/ --package-lock-only'
- command: the npm command to run.
- customCommand: Required when command == custom.
Run npm audit on your development machine
To run npm audit locally, run the following command in a command prompt window:
npm audit --registry=https://registry.npmjs.org/
To also attempt to upgrade to non-vulnerable package versions:
audit fix --registry=https://registry.npmjs.org/ --package-lock-only