Azure DevOps Services
The npm audit command scans your project for security vulnerabilities and provides a detailed report of any identified anomaly. Performing security audits is an essential part of identifying and fixing vulnerabilities in the project's dependencies. Fixing these vulnerabilities can prevent problems such as data loss, service outages, and unauthorized access to sensitive information.
Azure DevOps does not support npm audit. If you try to run the default npm audit command from your pipeline, the task fails with the following message: Unexpected end of JSON input while parsing...
As a workaround, you can run npm audit with the registry argument --registry=https://registry.npmjs.org/. This routes the npm audit command directly to the public registry.
Warning: Running npm audit this way forwards the names of all the packages in your package.json to the public registry.
Run npm audit from your pipeline
Select the YAML or the Classic tab to learn how to run npm audit from your pipeline.
YAML
Add the following task to your YAML pipeline to only scan for security vulnerabilities.
steps:
- task: Npm@1
  displayName: 'npm audit'
  inputs:
    command: custom
    customCommand: 'audit --registry=https://registry.npmjs.org/'
To scan and also attempt to upgrade to non-vulnerable package versions instead of only scanning:
steps:
- task: Npm@1
  displayName: 'npm audit fix'
  inputs:
    command: custom
    # The task prepends npm itself; pass only the subcommand and its arguments.
    customCommand: 'audit fix --registry=https://registry.npmjs.org/ --package-lock-only'
command: the npm command to run.
customCommand: required when command == custom.
Classic
Search for the npm task and select Add to add it to your agent job. Fill out the required fields as follows:
To only scan for security vulnerabilities, use this command:
audit --registry=https://registry.npmjs.org/
To also attempt to upgrade to non-vulnerable package versions:
audit fix --registry=https://registry.npmjs.org/ --package-lock-only
Run npm audit on your development machine
To run npm audit locally, run the following command in a command prompt window:
npm audit --registry=https://registry.npmjs.org/
To also attempt to upgrade to non-vulnerable package versions:
npm audit fix --registry=https://registry.npmjs.org/ --package-lock-only
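Whether run from the pipeline or locally, the commands above only print a report; a pipeline step usually also needs to decide whether findings should stop the build. The script below is an added example (not part of this article or of the Npm@1 task) that parses the JSON report produced by npm audit --json against the public registry and fails on findings at or above a chosen severity. The sample report and the --live switch are constructed for the example.

```python
"""Gate a pipeline step on the output of `npm audit --json`.
Works with the npm 6 and npm 7+ report layouts (both carry metadata.vulnerabilities).
"""
import json
import subprocess
import sys

SEVERITIES = ["info", "low", "moderate", "high", "critical"]


def summarize_audit(report_text: str) -> dict:
    """Return per-severity finding counts from an npm audit JSON report.

    Empty or truncated output (what an unsupported audit endpoint produces,
    hence "Unexpected end of JSON input") raises ValueError.
    """
    if not report_text.strip():
        raise ValueError("npm audit printed no JSON; check the --registry argument")
    report = json.loads(report_text)  # JSONDecodeError is a ValueError too
    counts = report.get("metadata", {}).get("vulnerabilities", {})
    return {sev: int(counts.get(sev, 0)) for sev in SEVERITIES}


def should_fail(counts: dict, threshold: str = "high") -> bool:
    """True when any finding is at or above the threshold severity."""
    at_or_above = SEVERITIES[SEVERITIES.index(threshold):]
    return any(counts[sev] > 0 for sev in at_or_above)


# Constructed sample in the npm 7+ report layout (not a real audit result).
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {"example-pkg": {"severity": "high"}},
    "metadata": {"vulnerabilities": {"info": 0, "low": 2, "moderate": 1,
                                      "high": 1, "critical": 0, "total": 4}},
})


def run_audit(registry: str = "https://registry.npmjs.org/") -> str:
    """Run npm audit against the public registry and return its JSON text."""
    proc = subprocess.run(["npm", "audit", "--json", f"--registry={registry}"],
                          capture_output=True, text=True, check=False)
    return proc.stdout  # npm exits non-zero when it has findings; stdout still holds the JSON


if __name__ == "__main__":
    # Pass --live (constructed switch) to audit the current project; otherwise use the sample.
    text = run_audit() if "--live" in sys.argv else SAMPLE_REPORT
    counts = summarize_audit(text)
    print("npm audit findings:", counts)
    sys.exit(1 if should_fail(counts, "high") else 0)
```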
Related articles
npm quickstart
Publish npm packages with Azure Pipelines
Artifacts storage consumption
Delete and recover packages