Azure DevOps Services

The npm audit command scans your project for security vulnerabilities and provides a detailed report of any issues it identifies. Performing security audits is an essential part of identifying and fixing vulnerabilities in the project's dependencies. Fixing these vulnerabilities could prevent things like data loss, service outages, and unauthorized access to sensitive information.

Azure DevOps does not support npm audit. If you try to run the default npm audit command from your pipeline, the task will fail with the following message: Unexpected end of JSON input while parsing...

As a workaround, you can run npm audit with the registry argument --registry=https://registry.npmjs.org/. This will route the npm audit command directly to the public registry.

Warning

Running npm audit will forward all the packages' names from your package.json to the public registry.
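A preflight for the warning above, as an added example that is not part of the original page or of Azure DevOps: it lists the dependency names declared in a package.json and flags the ones you treat as private before the audit forwards them to the public registry. The PRIVATE_NAMES entries, the function names and the sample manifest are assumptions constructed for illustration.

```javascript
// Added example: lists the dependency names in a package.json and flags the ones
// you consider private before they are forwarded to the public registry.
// Assumption: PRIVATE_NAMES holds constructed placeholders; replace with your own.
// An entry starting with '@' and without '/' is a scope, anything else is an exact name.
const PRIVATE_NAMES = ['@contoso-internal', 'contoso-build-tools'];

const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// Every distinct package name declared in the manifest, sorted.
function disclosedNames(manifest) {
  const names = new Set();
  for (const field of DEP_FIELDS) {
    for (const name of Object.keys(manifest[field] || {})) names.add(name);
  }
  return [...names].sort();
}

function isPrivate(name, privateNames) {
  return privateNames.some((entry) =>
    entry.startsWith('@') && !entry.includes('/')
      ? name.startsWith(entry + '/') // scope match: '@scope' covers '@scope/pkg' only
      : name === entry);
}

// ok is false when at least one private name would leave the organisation.
function preflight(manifest, privateNames = PRIVATE_NAMES) {
  const all = disclosedNames(manifest);
  const flagged = all.filter((name) => isPrivate(name, privateNames));
  return { ok: flagged.length === 0, total: all.length, flagged };
}

// Constructed sample manifest, used when no path is given on the command line.
const SAMPLE = {
  name: 'web-frontend',
  dependencies: { express: '^4.18.2', '@contoso-internal/billing-client': '^2.1.0' },
  devDependencies: { jest: '^29.7.0', 'contoso-build-tools': '^1.0.0' },
};

const manifestPath = process.argv[2];
if (manifestPath) {
  import('node:fs').then((fs) => {
    const result = preflight(JSON.parse(fs.readFileSync(manifestPath, 'utf8')));
    console.log(JSON.stringify(result, null, 2));
    process.exitCode = result.ok ? 0 : 1; // non-zero fails the pipeline step
  });
} else {
  console.log(JSON.stringify(preflight(SAMPLE), null, 2));
}
```

Run with a path to package.json as the first argument in a step placed before the npm audit task; a non-zero exit stops the job before any names are sent.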

Run npm audit from your pipeline

Select the YAML or the Classic tab to learn how to run npm audit from your pipeline.

YAML

Add the following task to your YAML pipeline to only scan for security vulnerabilities.

steps:
- task: Npm@1
  displayName: 'npm audit'
  inputs:
    command: custom
    customCommand: 'audit --registry=https://registry.npmjs.org/'

To scan and also attempt to upgrade to non-vulnerable package versions, use the following task instead:

steps:
- task: Npm@1
  displayName: 'npm audit fix'
  inputs:
    command: custom
    customCommand: 'audit fix --registry=https://registry.npmjs.org/ --package-lock-only'

  • command: the npm command to run.
  • customCommand: Required when command == custom.

Classic

  • Search for the npm task. Select Add to add it to your agent job.
  • Fill out the required fields as follows:
  • To only scan for security vulnerabilities use this command:

    audit --registry=https://registry.npmjs.org/

  • To also attempt to upgrade to non-vulnerable package versions:

    audit fix --registry=https://registry.npmjs.org/ --package-lock-only

Run npm audit on your development machine

To run npm audit locally, run the following command in a command prompt window:

    npm audit --registry=https://registry.npmjs.org/

To also attempt to upgrade to non-vulnerable package versions:

    npm audit fix --registry=https://registry.npmjs.org/ --package-lock-only

  • npm quickstart.
  • Publish npm packages with Azure Pipelines.
  • Artifacts storage consumption
  • Delete and recover packages.