npm-audit, npm-bin and npm-bug

In the previous tutorial we looked at the npm-adduser and npm-access cli options. This tutorial will examine the workings of npm-audit, npm-bin and npm-bug cli options.


The npm-audit is used to run security audit for a project or package.


npm audit [--json|--parseable]
npm audit fix [--force|--package-lock-only|--dry-run|--production|--only=dev]


To scan your project for vulnerabilities and install any compatible updates to vulnerable dependencies you will need to run the command below:

$ npm audit fix

If you want to run audit fix without modifying the node_modules folder, and still update the pkglock, run the command below:

$ npm audit fix --package-lock-only

To skip the update of devDependencies:

$ npm audit fix --only=prod

To have audit fix install semver-major updates to toplevel dependencies, and not just semver-compatible ones run:

$ npm audit fix -force

If you want to perform a dry run to get an idea of what audit fix will do, and output install information JSON format as well, run:

$ npm audit fix --dry-run -json

If you want to scan your project for vulnerabilities, showing the details but not fixing anything, run:

$ npm audit

To get a detailed audit report in JSON format, run:

$ npm audit -json

To get a detailed audit report that is in plain text, and separated by tab characters, which can be reused in the future for scripting and command line post processing, such as selecting some of the columns printed, run:

$ npm audit -parseable

Finally, to parse columns, you can use awk for example, and then just print some of them:

$ npm audit --parseable | awk -F $'\t' '{print $1,$4}


The audit command will submit a description of the dependencies configured in your project to your default registry and will ask for a report of known vulnerabilities. The report returned usually includes instructions on how to act on this information.

You can equally have npm automatically fix the vulnerabilities by running npm audit fix. Note that it is not all vulnerabilities that can be fixed automatically and some will require manual intervention or review. It should also be noted that since npm audit fix runs a full-fledged npm install under the hood, all configs that apply to the installer also applies to npm install -- Hence things like npm audit fix --package-lock-only will work as expected.


  • npm_version
  • node_version
  • platform
  • node_env
  • A scrubbed version of npm-shrinkwrap.json or your package-lock.json


In order to ensure that potentially sensitive information will not be included in the audit data bundle, some dependencies might have their names (and sometimes versions) replaced with opaque non-reversible identifiers. This is done for the following dependency types:

  • Any module referencing a scope that was configured for a non-default registry has its name scrubbed. (That is, a scope which you did a npm login --scope=@ourscope for.)
  • All git dependencies will have their names and specifiers scrubbed.
  • All remote tarball dependencies will have their names and specifiers scrubbed.
  • All local directory and tarball dependencies will have their names and specifiers scrubbed.
  • '

The non-reversible identifiers are usually a sha256 of a session-specific UUID and the value that is being replaced, ensuring a consistent value within the payload that will be different between runs.


This command displays the bin folder.


npm bin [-g|--global]


This command will print the folder where npm will install executables.


This cli option shows the bugs that might exist for a package.


npm bugs [<pkgname>]

aliases: issues


This command will try to guess at the likely location of a package's bug tracker URL, and then tries to open the package using the --browser config param. If you don't provide a package name, it searches for a package.json in the current folder and use the name property.



  • Default: OS X: "open", Windows: "start", Others: "xdg-open"
  • Type: String

This is the browser that is called by the npm bugs command to open websites.


  • Default: https://registry.npmjs.org/
  • Type: url

This is the base URL of the npm package registry.

Next: The build, bundle and cache commands

Follow us on Facebook and Twitter for latest update.