Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

doc: add --audit-level param #159

Closed
wants to merge 1 commit into from
Closed
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 15 additions & 2 deletions doc/cli/npm-audit.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,8 +3,10 @@ npm-audit(1) -- Run a security audit

## SYNOPSIS

npm audit [--json|--parseable]
npm audit fix [--force|--package-lock-only|--dry-run|--production|--only=dev]
npm audit [--json|--parseable|--audit-level=(low|moderate|high|critical)]
npm audit fix [--force|--package-lock-only|--dry-run]

common options: [--production] [--only=(dev|prod)]

## EXAMPLES

Expand Down Expand Up @@ -60,6 +62,11 @@ To parse columns, you can use for example `awk`, and just print some of them:
$ npm audit --parseable | awk -F $'\t' '{print $1,$4}'
```

Fail an audit only if the results include a vulnerability with a level of moderate or higher:
```
$ npm audit --audit-level=moderate
```

## DESCRIPTION

The audit command submits a description of the dependencies configured in
Expand All @@ -74,6 +81,12 @@ runs a full-fledged `npm install` under the hood, all configs that apply to the
installer will also apply to `npm install` -- so things like `npm audit fix
--package-lock-only` will work as expected.

By default, the audit command will exit with a non-zero code if any vulnerability
is found. It may be useful in CI environments to include the `--audit-level` parameter
to specify the minimum vulnerability level that will cause the command to fail. This
option does not filter the report output, it simply changes the command's failure
threshold.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tangential - should the underlying option also alter output or should that behavior be introduced under a different parameter?

## CONTENT SUBMITTED

* npm_version
Expand Down