NPM 감사란 무엇입니까?

npm audit is a built-in security feature, that scans your project for security vulnerabilities. It provides an assessment report that contains details of the identified anomalies, potential fixes, and more.

npm audit offers the following advantages:

• Big community of open source contributors, who endeavor to find and address vulnerabilities in npm packages.
• Identifies the security issues clearly and labels them in terms of the level of severity.
• If a fix has been published, it provides an out-of-the-box option for resolving the discovered anomalies.

Ensure you have npm v6 or higher installed, by typing in your shell:

npm -v

If you have to upgrade run the following command to update to the latest version:

npm install npm@latest –g

Whenever you install a package via npm, npm install , the npm audit command will automatically in the background and output the security report after successful installing the dependencies.

If you want to run it manually, just go to the src folder of your project and use the command:

npm audit

The npm audit command requires a package-lock.json and, a package.json to be present.

The audit report will be printed in the console. If you want the report in JSON format, run:

npm audit --json

You can also specify the audit result to contain a certain level of severity, for example only critical results

npm audit --audit-level=critical

The full synopsis of npm audit is:

npm audit [--json|--parseable|--audit-level=(low|moderate|high|critical)]

Take security serious and always check the report and take action as indicated.

If vulnerabilities were found, you have two options:

• Apply the suggested fix automatically
• Take manual actions to fix them

1) Apply the suggested fix automatically. If you want npm to automatically fix the vulnerabilities, run npm audit fix . Note that some vulnerabilities cannot be fixed automatically and will require manual intervention or review. There will be additional output in the console.

Configs: npm audit fix runs a full-fledged npm install under the hood, all configs that apply to the installer will also apply to npm install. Commands like npm audit fix --package-lock-only will work as expected.

If the update requires moving to a major version, then you’ll need to add the force flag:

npm audit fix --force

2) Take manual actions: If there are no patches for the identified issues, the security audit report will give you more details on how to carry out manual investigations to address them.

You can take any of the following actions to resolve the vulnerabilities:

• Look for mitigating factors: In some limited cases, you may continue consuming the package even when the weakness is still existing. For instance, the security risk may only be present on certain operating systems.
• Update dependent packages: If a fix has been released, but the packages that depend on the vulnerable package have not been amended to reference the patched version, it may be necessary to undertake some manual interventions. You can start by locating the package, that should be updated by looking at the Path field on the security audit report. This will let you locate the vulnerable package, update the reference to the vulnerable package and, this may solve the security issue.
• Fix the vulnerability yourself: If a patch has not been released and nobody is working on it, fix it yourself and submit a pull request.

npm audit is a very useful feature that can enhance the security of your code, you can identify vulnerabilities and get actionable instructions on how to get rid of the risks.

Thanks for reading and if you have any questions , use the comment function or send me a message .