Intro
`npm audit` is great, but:
- there's no way to whitelist advisories so you don't see them again, and
- if you run it all the time (eg: as part of CI) it'll block you.
Usage
- Run `npx @medic/audit-dependencies audit`. This will run `npm audit`. If you have any advisories, either fix them, or add the advisory IDs to the `permitted` array in the `.auditrc.json` file, then run `audit` again until it passes.
- In your CI add a step for `npx @medic/audit-dependencies check`. This will check your `package-lock.json` against the one that's been verified and fail if it's changed, so after any dependency change re-run `audit` locally to verify the new lock file before pushing.