How to check for only high vulnerabilities when using "npm audit"?


node.js Problem Overview


When I execute npm install using the new npm 6 I get a message telling me I have some vulnerabilities:

> [!] 75 vulnerabilities found [4867 packages audited]
>
> Severity: 66 Low | 4 Moderate | 5 High
>
> Run npm audit for more detail

I ran npm audit but got a truncated list of vulnerabilities.

How can I check for only the list of High vulnerabilities?

Thanks

node.js Solutions


Solution 1 - node.js

Not the answer you are looking for, but it will do the same:

npm audit | grep -B 1 -A 10 High

Solution 2 - node.js

This one worked for me:

Show High Only

npm audit | grep -E "(High)" -B3 -A10

Show both Critical and High Issues

npm audit | grep -E "(High | Critical)" -B3 -A10

Look at the issue discussion where this solution is proposed.

Solution 3 - node.js

If you are looking to do it in PowerShell, just use the following command (adapted from @stayingcool's answer):

Show High Only

npm audit | Select-String -Pattern "High" -Context 0,10

Show both High and Critical

npm audit | Select-String -Pattern "(High | Critical)" -Context 0,10

Solution 4 - node.js

Edit: I recommend this (better) answer: https://stackoverflow.com/a/58056454/88111

It's not as pretty, but you can do:

npm audit --parseable | grep high

With one additional downside being any package/issue metadata containing "high" will also be printed.

Solution 5 - node.js

The --audit-level=high flag doesn't change the output of npm audit.

I'm sending this to html for reporting purposes, so looking to clean it up further:

npm audit | grep -E "(High | Critical)" -B3 -A11 --color=always | grep -E '┌|│|├|└' --color=never

But this will lose the title, and the 'found vulnerabilities' at the bottom. I found it simplest to just run npm audit a couple times and get the bits I need appended to a file.

Ended up going with something like this:

npm audit | grep '===' --color=never > temp.txt
npm audit | grep -E "(High | Critical)" -B3 -A11 --color=never | grep -E '┌|│|├|└' --color=never >> temp.txt
npm audit | grep -E "(found|scanned packages)" --color=never >> temp.txt
cat temp.txt

Or as a catchy one liner (lol) that also removes the temp.txt file:

npm audit | grep '=== npm audit' --color=never > temp.txt; npm audit | grep -E "(High | Critical)" -B3 -A11 --color=never | grep -E '┌|│|├|└' --color=never >> temp.txt; npm audit | grep -E "(found|scanned packages)" --color=never >> temp.txt; cat temp.txt; rm temp.txt;

The line is ugly but is working well across a bunch of different repos, provided you only need the output in the terminal.

When outputting to a file, npm audit includes ANSI color codes that can't be turned off, and this is a problem for my reports! sed can be used to remove them:

sed -i '' $'s,\x1b\\[[0-9;]*[a-zA-Z],,g' temp.txt

Solution 6 - node.js

Just to count the High(s):

npm audit | grep 'High' | wc -l | rev

Solution 7 - node.js

Put this line into your audit scripts:

"audit": "level=$(npm audit --parseable | grep -E 'high|critical' | wc -l | rev); [ $level == 0 ] && exit 0"

This code checks the output of npm audit. If there are no high or critical vulnerabilities, the process will not exit with an error.
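As an added example (not code from any of the answers above), here is a Node script that filters npm audit's JSON report by severity, which covers both the clean plain-text report wanted in Solution 5 and the CI gate in Solution 7. It assumes the `npm audit --json` report shapes of npm 6 (an `advisories` map) and npm 7+ (a `vulnerabilities` map); the sample report embedded below is constructed, not real advisory data.

```javascript
// Added example: filter an `npm audit --json` report by severity threshold.
// Assumed report shapes: npm 6 (`advisories` map) and npm 7+ (`vulnerabilities` map).
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Normalise either report shape into plain { name, severity, title } entries.
function extractFindings(report) {
  if (report.advisories) { // npm 6 style: one entry per advisory
    return Object.values(report.advisories).map(a => ({
      name: a.module_name, severity: a.severity, title: a.title,
    }));
  }
  // npm 7+ style: one entry per affected package; `via` holds advisories or package names
  return Object.values(report.vulnerabilities || {}).map(v => ({
    name: v.name, severity: v.severity,
    title: (v.via || []).map(x => (typeof x === 'string' ? x : x.title)).join('; '),
  }));
}

// Keep only findings at or above `minSeverity`, most severe first.
function filterBySeverity(report, minSeverity = 'high') {
  const floor = SEVERITY_RANK[minSeverity];
  return extractFindings(report)
    .filter(f => (SEVERITY_RANK[f.severity] ?? -1) >= floor)
    .sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
}

// Plain-text summary with no ANSI codes, suitable for a report file.
function renderReport(findings) {
  return findings
    .map(f => `${f.severity.toUpperCase().padEnd(8)} ${f.name}: ${f.title}`)
    .join('\n');
}

// CI gate: non-zero when anything at or above the threshold is present.
function auditExitCode(report, minSeverity = 'high') {
  return filterBySeverity(report, minSeverity).length > 0 ? 1 : 0;
}

// Constructed npm 6 style sample report (package names and titles are made up).
const SAMPLE_REPORT = {
  advisories: {
    '1': { id: 1, module_name: 'pad-left-ish', severity: 'low', title: 'Regular Expression DoS' },
    '2': { id: 2, module_name: 'lodash-ish', severity: 'high', title: 'Prototype Pollution' },
    '3': { id: 3, module_name: 'minimist-ish', severity: 'critical', title: 'Prototype Pollution' },
    '4': { id: 4, module_name: 'tar-ish', severity: 'moderate', title: 'Arbitrary File Overwrite' },
  },
};

// Stand-alone run on the sample; in CI you would parse stdin from `npm audit --json` instead.
console.log(renderReport(filterBySeverity(SAMPLE_REPORT, 'high')));
```

In a package.json script this replaces the grep pipeline with `npm audit --json | node filter-audit.js` and `process.exitCode = auditExitCode(report)`, so multi-digit counts and leading whitespace from wc never matter.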

Solution 8 - node.js

This package might be what you are looking for:

https://www.npmjs.com/package/audit-filter

It lets you filter by advisory number, which is better than filtering by level.

$ cat .nsprc
{
  "exceptions": [
    "https://npmjs.com/advisories/532",
    "https://npmjs.com/advisories/577"
  ]
}

Couple that with npm config for audit level and you're golden.

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content Type | Original Author | Original Content on Stackoverflow
Question | Wajih | View Question on Stackoverflow
Solution 1 - node.js | neo post modern | View Answer on Stackoverflow
Solution 2 - node.js | stayingcool | View Answer on Stackoverflow
Solution 3 - node.js | DiegoGary | View Answer on Stackoverflow
Solution 4 - node.js | Craig Otis | View Answer on Stackoverflow
Solution 5 - node.js | James McGlone | View Answer on Stackoverflow
Solution 6 - node.js | Leo Lanese | View Answer on Stackoverflow
Solution 7 - node.js | Róman Erme | View Answer on Stackoverflow
Solution 8 - node.js | jcollum | View Answer on Stackoverflow