How to check for only high vulnerabilities when using "npm audit"?
Solution 1
Not the answer you are looking for, but it will do the same:
npm audit | grep -B 1 -A 10 High
Solution 2
This one worked for me:
Show High Only
npm audit | grep -E "(High)" -B3 -A10
Show both Critical and High Issues
npm audit | grep -E "(High | Critical)" -B3 -A10
Look at the issue discussion where this solution is proposed.
Solution 3
If your are looking to do it in Powershell, just use the following command (Adapted from @stayingcool's answer):
Show High Only
npm audit | Select-String -Pattern "High" -Context 0,10
Show both High and Critical
npm audit | Select-String -Pattern "(High | Critical)" -Context 0,10
Solution 4
Edit: I recommend this (better) answer: https://stackoverflow.com/a/58056454/88111
It's not as pretty, but you can do:
npm audit --parseable | grep high
With one additional downside being any package/issue metadata containing "high"
will also be printed.
Solution 5
The --audit-level=high
flag doesn't change the output of npm audit.
I'm sending this to html for reporting purposes, so looking to clean it up further:
npm audit | grep -E "(High | Critical)" -B3 -A11 --color=always | grep -E '┌|│|├|└' --color=never
But this will lose the title, and the 'found vulnerabilities' at the bottom. I found it simplest to just run npm audit a couple times and get the bits I need appended to a file.
Ended up going with something like this:
npm audit | grep '===' --color=never > temp.txt
npm audit | grep -E "(High | Critical)" -B3 -A11 --color=never | grep -E '┌|│|├|└' --color=never >> temp.txt
npm audit | grep -E "(found|scanned packages)" --color=never >> temp.txt
cat temp.txt
Or as a catchy one liner (lol) that also removes the temp.txt file:
npm audit | grep '=== npm audit' --color=never > temp.txt; npm audit | grep -E "(High | Critical)" -B3 -A11 --color=never | grep -E '┌|│|├|└' --color=never >> temp.txt; npm audit | grep -E "(found|scanned packages)" --color=never >> temp.txt; cat temp.txt; rm temp.txt;
The line is ugly but is working well across a bunch of different repos, provided you only need the output in the terminal.
When outputting to a file, npm audit includes ansi color codes, that can't be turned off. And this is a problem for my reports! Sed can be used to remove them:
sed -i '' $'s,\x1b\\[[0-9;]*[a-zA-Z],,g' temp.txt
Wajih
Updated on June 24, 2021Comments
-
Wajih almost 3 years
When you I execute
npm install
using new npm 6 i got a messages that tell me I have some vulnerabilities :[!] 75 vulnerabilities found [4867 packages audited]
Severity: 66 Low | 4 Moderate | 5 High
Run
npm audit
for more detailI ran
npm audit
but got a truncated list of vulnerabilities.How I can check for only High vulnerabilities list ?
Thanks
-
Wajih about 6 yearsThank you, But as you said it's not what I'm looking for, Some
High
vulns has a recommendations and this solution omits them. There must be aparam
toaudit
to filter results or at least display them page by page -
neo post modern about 6 yearsMeanwhile you can try tweaking the
grep
parameters. I think-B 2
should include the recommendations. -
ux.engineer almost 4 yearsWorks only if
grep
is available, like in *nix system. -
James McMahon over 3 yearsThis option is built into npm now, see stackoverflow.com/a/64312068/20774
-
rubo77 over 3 yearsThis seems not to be needed, since
npm install
already lists this overview at the end (and in colour! ;) ) -
Róman Erme almost 3 yearsImproved. Thanks
-
Flimm over 2 years
npm audit
doesn't seem to have a--parseable
option.