87

When I execute npm install using the new npm 6, I get a message that tells me I have some vulnerabilities:

[!] 75 vulnerabilities found [4867 packages audited]

Severity: 66 Low | 4 Moderate | 5 High

Run npm audit for more detail

I ran npm audit but got a truncated list of vulnerabilities.

How can I check for only the High vulnerabilities list?

Thanks

Wajih
  • reference: https://docs.npmjs.com/auditing-package-dependencies-for-security-vulnerabilities – qqtf May 27 '21 at 22:40

8 Answers

55

Not the answer you are looking for, but it will do the same:

npm audit | grep -B 1 -A 10 High

neo post modern
  • Thank you, but as you said it's not what I'm looking for. Some `High` vulns have recommendations and this solution omits them. There must be a `param` to `audit` to filter results or at least display them page by page – Wajih May 14 '18 at 05:57
  • Meanwhile you can try tweaking the `grep` parameters. I think `-B 2` should include the recommendations. – neo post modern May 15 '18 at 10:27
  • Use `npm audit --json` to show transitive dependencies also instead of just top level dependencies according to ChatGPT / GPT4. – Kevin Wheeler Jun 25 '23 at 15:12
44

This one worked for me:

Show High Only

npm audit | grep -E "(High)" -B3 -A10

Show both Critical and High Issues

npm audit | grep -E "(High | Critical)" -B3 -A10

Look at the issue discussion where this solution is proposed.

stayingcool
37

If you are looking to do it in PowerShell, just use the following command (adapted from @stayingcool's answer):

Show High Only

npm audit | Select-String -Pattern "High" -Context 0,10

Show both High and Critical

npm audit | Select-String -Pattern "(High | Critical)" -Context 0,10

DiegoGary
8

Edit: I recommend this (better) answer: https://stackoverflow.com/a/58056454/88111

It's not as pretty, but you can do:

npm audit --parseable | grep high

One additional downside is that any package/issue metadata containing "high" will also be printed.

Craig Otis
2

The --audit-level=high flag doesn't change the output of npm audit.

I'm sending this to HTML for reporting purposes, so I'm looking to clean it up further:

npm audit | grep -E "(High | Critical)" -B3 -A11 --color=always | grep -E '┌|│|├|└' --color=never

But this will lose the title, and the 'found vulnerabilities' at the bottom. I found it simplest to just run npm audit a couple times and get the bits I need appended to a file.

Ended up going with something like this:

npm audit | grep '===' --color=never > temp.txt
npm audit | grep -E "(High | Critical)" -B3 -A11 --color=never | grep -E '┌|│|├|└' --color=never >> temp.txt
npm audit | grep -E "(found|scanned packages)" --color=never >> temp.txt
cat temp.txt

Or as a catchy one liner (lol) that also removes the temp.txt file:

npm audit | grep '=== npm audit' --color=never > temp.txt; npm audit | grep -E "(High | Critical)" -B3 -A11 --color=never | grep -E '┌|│|├|└' --color=never >> temp.txt; npm audit | grep -E "(found|scanned packages)" --color=never >> temp.txt; cat temp.txt; rm temp.txt;

The line is ugly but is working well across a bunch of different repos, provided you only need the output in the terminal.

When outputting to a file, npm audit includes ANSI colour codes that can't be turned off, and this is a problem for my reports! Sed can be used to remove them:

sed -i '' $'s,\x1b\\[[0-9;]*[a-zA-Z],,g' temp.txt

jpmc
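
The grep chains in this answer depend on fixed -A/-B line counts and on no cell text happening to contain "High". Here is an added example, not part of jpmc's answer and not npm's own code, that does the same job over the box-drawn npm 6 table in Python: it strips the ANSI codes with the same pattern as the sed command above, splits the report into whole tables (top border to bottom border), keeps only the tables whose severity cell matches, and carries the header and footer through unchanged. The sample report, package names and version numbers are constructed; the advisory ids are the two that appear in the .nsprc example on this page.

```python
import re

# Constructed sample of npm 6 `npm audit` human-readable output, not a real run.
# The severity cells carry ANSI colour codes the way npm emits them when piped.
SAMPLE_AUDIT_OUTPUT = """\
\x1b[1m=== npm audit security report ===\x1b[0m

┌───────────────┬────────────────────────────────────────┐
│ \x1b[31mHigh\x1b[39m          │ Prototype Pollution                    │
├───────────────┼────────────────────────────────────────┤
│ Package       │ example-pkg-a                          │
├───────────────┼────────────────────────────────────────┤
│ Patched in    │ >=1.2.3                                │
├───────────────┼────────────────────────────────────────┤
│ Dependency of │ example-app-dep                        │
├───────────────┼────────────────────────────────────────┤
│ Path          │ example-app-dep > example-pkg-a        │
├───────────────┼────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/577       │
└───────────────┴────────────────────────────────────────┘

┌───────────────┬────────────────────────────────────────┐
│ \x1b[33mLow\x1b[39m           │ Regular Expression Denial of Service   │
├───────────────┼────────────────────────────────────────┤
│ Package       │ example-pkg-b                          │
├───────────────┼────────────────────────────────────────┤
│ Patched in    │ >=2.2.0                                │
├───────────────┼────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/532       │
└───────────────┴────────────────────────────────────────┘

found 2 vulnerabilities (1 low, 1 high) in 42 scanned packages
"""

# Same escape-sequence pattern as the sed command above, as a Python regex.
ANSI_ESCAPE = re.compile(r'\x1b\[[0-9;]*[a-zA-Z]')


def strip_ansi(text):
    return ANSI_ESCAPE.sub('', text)


def split_report(text):
    """Split the report into (header lines, list of tables, footer lines).

    A table is every line from its '┌' top border to its '└' bottom border,
    so the number of rows per table does not matter (unlike grep -A10)."""
    header, tables, footer = [], [], []
    current = None
    for line in strip_ansi(text).splitlines():
        if line.startswith('┌'):
            current = [line]
        elif current is not None:
            current.append(line)
            if line.startswith('└'):
                tables.append(current)
                current = None
        elif line.startswith('==='):
            header.append(line)
        elif line.startswith('found ') or 'scanned packages' in line:
            footer.append(line)
    return header, tables, footer


def table_severity(table):
    """Severity is the first cell of the first data row ('│ High │ <title> │')."""
    return table[1].split('│')[1].strip()


def filter_report(text, severities=('High', 'Critical')):
    """Keep the header, only the tables whose severity is listed, and the footer."""
    header, tables, footer = split_report(text)
    kept = [t for t in tables if table_severity(t) in severities]
    chunks = [header] + kept + [footer]
    return '\n\n'.join('\n'.join(c) for c in chunks if c)


def count_by_severity(text):
    """Count tables per severity (what `grep 'High' | wc -l` approximates)."""
    counts = {}
    for table in split_report(text)[1]:
        sev = table_severity(table)
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == '__main__':
    import sys
    # usage: npm audit | python audit_table_filter.py > report.txt
    print(filter_report(sys.stdin.read()))
```

The footer line is npm's own totals, so after filtering it still reports the low and moderate counts; count_by_severity gives the numbers for the tables that were actually kept.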
0

Just to count the High(s):

npm audit | grep -c 'High'

Leo Lanese
  • This seems not to be needed, since `npm install` already lists this overview at the end (and in colour! ;) ) – rubo77 Feb 02 '21 at 09:00
0

Put this line into your audit scripts:

"audit": "level=$(npm audit --parseable | grep -Ec 'high|critical'); [ $level -eq 0 ] && exit 0"

This checks the output of npm audit: if there are no high or critical vulnerabilities, the process will not exit with an error.
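
A more reliable basis than grepping the human-readable table is `npm audit --json`, which Kevin Wheeler's comment on the first answer mentions. As an added example (not from any of the answers above, and not npm's own code), here is a Python filter that reads that JSON, keeps only advisories at or above a chosen severity and returns the exit status that the `audit` script above approximates with `grep | wc -l`. The two embedded reports are constructed samples in the shapes I know from npm 6 (`advisories` keyed by id) and npm 7 and later (`vulnerabilities` keyed by package name); the package names, the `example.invalid` URL and the advisory title are placeholders, and the advisory ids 577 and 532 are the ones from the `.nsprc` example on this page.

```python
import json
import sys

SEVERITY_RANK = {'info': 0, 'low': 1, 'moderate': 2, 'high': 3, 'critical': 4}

# Constructed sample in the npm 6 `npm audit --json` shape (advisories keyed by
# id); not a real report, package names are placeholders.
NPM6_REPORT = json.loads("""{
  "advisories": {
    "577": {"id": 577, "module_name": "example-pkg-a", "severity": "high",
            "title": "Prototype Pollution",
            "url": "https://npmjs.com/advisories/577",
            "recommendation": "Upgrade to a patched version.",
            "findings": [{"version": "1.0.0", "paths": ["example-app-dep>example-pkg-a"]}]},
    "532": {"id": 532, "module_name": "example-pkg-b", "severity": "low",
            "title": "Regular Expression Denial of Service",
            "url": "https://npmjs.com/advisories/532",
            "recommendation": "Upgrade to a patched version.",
            "findings": [{"version": "2.1.0", "paths": ["example-pkg-b"]}]}
  },
  "metadata": {"vulnerabilities": {"info": 0, "low": 1, "moderate": 0, "high": 1, "critical": 0}}
}""")

# Constructed sample in the npm 7+ shape (vulnerabilities keyed by package name;
# "via" mixes advisory objects with the names of packages a problem is inherited from).
NPM7_REPORT = json.loads("""{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "example-pkg-c": {"name": "example-pkg-c", "severity": "critical", "isDirect": true,
                      "via": [{"source": 1000, "title": "Placeholder advisory title",
                               "url": "https://example.invalid/advisory/1000", "severity": "critical"}],
                      "range": "<3.0.0", "fixAvailable": true},
    "example-pkg-d": {"name": "example-pkg-d", "severity": "moderate", "isDirect": false,
                      "via": ["example-pkg-c"], "range": "*", "fixAvailable": false}
  },
  "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1, "high": 0, "critical": 1}}
}""")


def normalize(report):
    """Flatten either report shape into dicts with package, severity, title, url, fix, paths."""
    items = []
    for adv in report.get('advisories', {}).values():           # npm 6 shape
        items.append({
            'package': adv['module_name'], 'severity': adv['severity'],
            'title': adv.get('title', ''), 'url': adv.get('url', ''),
            'fix': adv.get('recommendation', ''),
            'paths': [p for f in adv.get('findings', []) for p in f.get('paths', [])],
        })
    for vuln in report.get('vulnerabilities', {}).values():    # npm 7+ shape
        direct = [v for v in vuln.get('via', []) if isinstance(v, dict)]
        inherited = [v for v in vuln.get('via', []) if isinstance(v, str)]
        items.append({
            'package': vuln['name'], 'severity': vuln['severity'],
            'title': '; '.join(d.get('title', '') for d in direct) or 'via ' + ', '.join(inherited),
            'url': '; '.join(d.get('url', '') for d in direct),
            'fix': 'fix available' if vuln.get('fixAvailable') else 'no automatic fix',
            'paths': inherited,
        })
    return items


def at_least(report, min_severity='high'):
    """Advisories whose severity is min_severity or worse, worst first."""
    threshold = SEVERITY_RANK[min_severity]
    hits = [i for i in normalize(report) if SEVERITY_RANK.get(i['severity'], -1) >= threshold]
    return sorted(hits, key=lambda i: -SEVERITY_RANK[i['severity']])


def gate_exit_code(report, min_severity='high'):
    """0 when nothing at or above the threshold was found, 1 otherwise (CI gate)."""
    return 1 if at_least(report, min_severity) else 0


def render(items):
    return '\n'.join(f"{i['severity']:<9} {i['package']:<20} {i['title']}  [{i['fix']}] {i['url']}"
                     for i in items)


if __name__ == '__main__':
    # usage: npm audit --json | python audit_json_filter.py high
    min_sev = sys.argv[1] if len(sys.argv) > 1 else 'high'
    report = json.load(sys.stdin)
    hits = at_least(report, min_sev)
    print(render(hits) if hits else f'no vulnerabilities at or above {min_sev}')
    sys.exit(gate_exit_code(report, min_sev))
```

Because the filter works on structured fields rather than text, a package whose name or title contains "high" no longer produces a false match, and the exit status reflects the real severity threshold rather than a line count.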

-2

This package might be what you are looking for:

https://www.npmjs.com/package/audit-filter

It lets you filter by advisory number, which is better than filtering by level.

$ cat .nsprc
{
  "exceptions": [
    "https://npmjs.com/advisories/532",
    "https://npmjs.com/advisories/577"
  ]
}

Couple that with npm config for audit level and you're golden.

jcollum