Class NpmAuditCommand

Properties

all

all: boolean = Option.Boolean(`-A,--all`, false, {description: `Audit dependencies from all workspaces`,})

cwd

cwd: undefined | string = Option.String(`--cwd`, {hidden: true})

environment

environment: Environment = Option.String(`--environment`, npmAuditTypes.Environment.All, {description: `Which environments to cover`,validator: t.isEnum(npmAuditTypes.Environment),})

excludes

excludes: string[] = Option.Array(`--exclude`, [], {description: `Array of glob patterns of packages to exclude from audit`,})

ignores

ignores: string[] = Option.Array(`--ignore`, [], {description: `Array of glob patterns of advisory IDs to ignore in the audit report`,})

json

json: boolean = Option.Boolean(`--json`, false, {description: `Format the output as an NDJSON stream`,})

recursive

recursive: boolean = Option.Boolean(`-R,--recursive`, false, {description: `Audit transitive dependencies as well`,})

severity

severity: Severity = Option.String(`--severity`, npmAuditTypes.Severity.Info, {description: `Minimum severity a vulnerability must have to be displayed`,validator: t.isEnum(npmAuditTypes.Severity),})

Static paths

paths: string[][] = [[`npm`, `audit`],]

Static usage

usage: Usage = Command.Usage({
  description: `perform a vulnerability audit against the installed packages`,
  details: `
    This command checks for known security reports on the packages you use. The reports are by default extracted from the npm registry, and may or may not be relevant to your actual program (not all vulnerabilities affect all code paths).

    For consistency with our other commands the default is to only check the direct dependencies for the active workspace. To extend this search to all workspaces, use \`-A,--all\`. To extend this search to both direct and transitive dependencies, use \`-R,--recursive\`.

    Applying the \`--severity\` flag will limit the audit table to vulnerabilities of the corresponding severity and above. Valid values are ${npmAuditUtils.allSeverities.map(value => `\`${value}\``).join(`, `)}.

    If the \`--json\` flag is set, Yarn will print the output exactly as received from the registry. Regardless of this flag, the process will exit with a non-zero exit code if a report is found for the selected packages.

    If certain packages produce false positives for a particular environment, the \`--exclude\` flag can be used to exclude any number of packages from the audit. This can also be set in the configuration file with the \`npmAuditExcludePackages\` option.

    If particular advisories need to be ignored, the \`--ignore\` flag can be used with advisory IDs to ignore any number of advisories in the audit report. This can also be set in the configuration file with the \`npmAuditIgnoreAdvisories\` option.

    To understand the dependency tree requiring vulnerable packages, check the raw report with the \`--json\` flag or use \`yarn why <package>\` to get more information as to who depends on them.
  `,
  examples: [
    [`Checks for known security issues with the installed packages. The output is a list of known issues.`, `yarn npm audit`],
    [`Audit dependencies in all workspaces`, `yarn npm audit --all`],
    [`Limit auditing to \`dependencies\` (excludes \`devDependencies\`)`, `yarn npm audit --environment production`],
    [`Show audit report as valid JSON`, `yarn npm audit --json`],
    [`Audit all direct and transitive dependencies`, `yarn npm audit --recursive`],
    [`Output moderate (or more severe) vulnerabilities`, `yarn npm audit --severity moderate`],
    [`Exclude certain packages`, `yarn npm audit --exclude package1 --exclude package2`],
    [`Ignore specific advisories`, `yarn npm audit --ignore 1234567 --ignore 7654321`],
  ],
})
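The usage text above describes three filters that decide whether the command exits non-zero: the `--severity` threshold (that severity and above), `--exclude` package globs, and `--ignore` advisory-ID globs. The following is an added example, not Yarn's own code, that models exactly that decision over a constructed list of findings so the interaction of the flags can be checked without a registry round-trip. The `Finding` shape, the `filterFindings`/`exitCode` helpers, and the sample advisory IDs and package names are assumptions made for illustration; the only thing taken from the page is the severity ordering and the exit-code rule.

```typescript
// Added example (not part of Yarn): models how --severity, --exclude and
// --ignore narrow an audit report, and when the process exits 0 or 1.

type Severity = "info" | "low" | "moderate" | "high" | "critical";

// Rank used for the "this severity and above" threshold described in the usage text.
const SEVERITY_RANK: Record<Severity, number> = {
  info: 0,
  low: 1,
  moderate: 2,
  high: 3,
  critical: 4,
};

// Assumed shape of one audit finding; Yarn's real report format is not modelled here.
interface Finding {
  packageName: string;
  advisoryId: string;
  severity: Severity;
}

// Subset of the command's options that affect filtering.
interface AuditOptions {
  severity: Severity;  // --severity: minimum severity to report
  excludes: string[];  // --exclude: glob patterns of package names to drop
  ignores: string[];   // --ignore: glob patterns of advisory IDs to drop
}

// Minimal glob -> RegExp translation supporting `*` and `?`, anchored on both ends,
// so that `dev-*` matches `dev-helper` but not `old-dev-helper`.
function globToRegExp(glob: string): RegExp {
  const escaped = glob
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters except * and ?
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${escaped}$`);
}

function matchesAny(value: string, patterns: string[]): boolean {
  return patterns.some(pattern => globToRegExp(pattern).test(value));
}

// Keep a finding only if it meets the severity threshold and is neither
// excluded by package name nor ignored by advisory ID.
function filterFindings(findings: Finding[], opts: AuditOptions): Finding[] {
  const threshold = SEVERITY_RANK[opts.severity];
  return findings.filter(f =>
    SEVERITY_RANK[f.severity] >= threshold &&
    !matchesAny(f.packageName, opts.excludes) &&
    !matchesAny(f.advisoryId, opts.ignores));
}

// Mirrors execute(): Promise<0 | 1>: non-zero whenever a report survives filtering.
function exitCode(findings: Finding[], opts: AuditOptions): 0 | 1 {
  return filterFindings(findings, opts).length > 0 ? 1 : 0;
}

// Constructed sample findings; the package names and advisory IDs are invented.
const SAMPLE_FINDINGS: Finding[] = [
  { packageName: "left-pad",    advisoryId: "1001", severity: "low" },
  { packageName: "@scope/tool", advisoryId: "1002", severity: "high" },
  { packageName: "dev-helper",  advisoryId: "1003", severity: "critical" },
  { packageName: "old-lib",     advisoryId: "1004", severity: "moderate" },
];

// A CI gate that fails only on high/critical issues in non-excluded packages.
const CI_GATE: AuditOptions = { severity: "high", excludes: ["dev-*"], ignores: [] };
console.log(`exit code under CI gate: ${exitCode(SAMPLE_FINDINGS, CI_GATE)}`);
```

The gate above fails on `@scope/tool` (high) but not on `dev-helper`, because the exclude glob removes it before the severity check matters; an `--ignore` of a specific advisory ID, by contrast, silences only that report and still lets other advisories in the same package fail the build. That is the practical difference between the two flags when deciding which one to put in `npmAuditExcludePackages` versus `npmAuditIgnoreAdvisories`.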

Methods

execute

  • execute(): Promise<0 | 1>

Generated using TypeDoc