
npm audit and Dependency Security: A Complete Guide

Understanding and fixing vulnerabilities in your JavaScript supply chain

What Is npm audit

npm audit is a built-in command in the npm CLI that scans your project's dependency tree against the GitHub Advisory Database for known vulnerabilities. When you run npm audit, it compares every installed package and version in package-lock.json against a database of reported CVEs and security advisories.

The command reports vulnerabilities by severity level—critical, high, moderate, and low—along with the affected package, the vulnerable version range, and whether a patched version is available. Running npm audit fix attempts to resolve vulnerabilities by updating to the nearest semver-compatible patched version.

For many teams, npm audit is the first line of defense in dependency security. It is integrated into the npm install workflow and can be added to CI/CD pipelines with npm audit --audit-level=high to fail builds when high-severity vulnerabilities are present. However, npm audit only covers known vulnerabilities with published advisories—it cannot detect zero-day exploits, malicious packages, or typosquatting attacks.

Understanding npm Audit Results

An npm audit report groups findings by severity and provides remediation paths:

# Example npm audit output
found 3 vulnerabilities (1 moderate, 2 high)
  run `npm audit fix` to fix 2 of them
  1 vulnerability requires manual review

Severity Levels

  • Critical: Remote code execution, credential exposure, or data exfiltration. Requires immediate action.
  • High: Significant risk such as authentication bypass or privilege escalation. Should be resolved before deployment.
  • Moderate: Requires specific conditions to exploit, such as user interaction or unusual configurations.
  • Low: Minimal risk, often theoretical or requiring local access.

Limitations of npm audit fix

npm audit fix can only update packages within their semver range. When a fix requires a major version bump, npm audit fix --force is needed—but this can introduce breaking changes. Transitive dependencies (dependencies of your dependencies) are often the hardest to resolve because you do not control their version constraints.

Additionally, npm audit relies entirely on the advisory database. If a vulnerability has not been reported and assigned a CVE, npm audit will not flag it. This creates a blind spot for zero-day vulnerabilities and intentionally malicious packages that have not yet been discovered.
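The CI gate described earlier (`npm audit --audit-level=high`) and the three remediation cases just described can be reproduced in a few lines by reading the JSON that `npm audit --json` emits. The following is an added example, not code from this guide or from CodeSlick: it consumes the npm 7+ report format (`auditReportVersion: 2`), fails the build at a chosen severity threshold, and labels each blocking finding by what `npm audit fix` can do about it. The sample report embedded at the bottom is constructed, and its package names and versions are invented.

```javascript
// Added example (not from the page): gate a CI build on `npm audit --json`
// output and classify each finding by remediation path.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// The v2 report's `fixAvailable` field takes three shapes:
//   true                    -> semver-compatible patch, plain `npm audit fix`
//   { isSemVerMajor: true } -> fix needs a major bump, `npm audit fix --force`
//   false                   -> no published fix, manual review
function fixPath(finding) {
  const fix = finding.fixAvailable;
  if (fix === true) return 'audit-fix';
  if (fix && typeof fix === 'object') return fix.isSemVerMajor ? 'force-major' : 'audit-fix';
  return 'manual';
}

// Return { pass, blocking }: `blocking` lists findings at or above `threshold`,
// most severe first, each annotated with whether it is a direct dependency and
// which remediation path applies.
function gateAudit(report, threshold = 'high') {
  const min = SEVERITY_RANK[threshold];
  if (min === undefined) throw new Error(`unknown severity: ${threshold}`);
  const blocking = Object.values(report.vulnerabilities || {})
    .filter((v) => SEVERITY_RANK[v.severity] >= min)
    .map((v) => ({ name: v.name, severity: v.severity, direct: Boolean(v.isDirect), fix: fixPath(v) }))
    .sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
  return { pass: blocking.length === 0, blocking };
}

// Constructed sample report, trimmed to the fields used above. Package names,
// ranges and versions are invented for illustration.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-parser': { name: 'example-parser', severity: 'high', isDirect: true,
      range: '<2.1.3', fixAvailable: true },
    'example-transitive': { name: 'example-transitive', severity: 'high', isDirect: false,
      range: '<=0.9.0', fixAvailable: { name: 'example-parent', version: '3.0.0', isSemVerMajor: true } },
    'example-legacy': { name: 'example-legacy', severity: 'moderate', isDirect: false,
      range: '*', fixAvailable: false },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 2, critical: 0, total: 3 } },
};

// Stand-alone run: print the decision the way a CI step would log it.
const result = gateAudit(SAMPLE_REPORT, 'high');
for (const f of result.blocking) {
  console.log(`${f.severity.padEnd(8)} ${f.name} (${f.direct ? 'direct' : 'transitive'}) -> ${f.fix}`);
}
console.log(result.pass ? 'audit gate: pass' : 'audit gate: FAIL');
```

In a pipeline you would replace `SAMPLE_REPORT` with `JSON.parse` of the captured `npm audit --json` output and exit non-zero when `pass` is false. Printing the remediation path alongside the severity is the useful part: a `force-major` or `manual` entry on a transitive dependency is exactly the case the guide warns about, where `npm audit fix` alone will not resolve the finding.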

When npm audit Is Not Enough

npm audit is a reactive tool: it detects known vulnerabilities after they are reported. Modern supply chain attacks exploit the gaps that advisory-based scanning cannot cover:

  • Malicious packages: Packages published with intentional backdoors, credential stealers, or cryptominers. These are not "vulnerable"—they are malware. The event-stream incident (2018) injected a cryptocurrency-stealing payload through a compromised dependency, affecting millions of downloads before discovery.
  • Typosquatting: Attackers publish packages with names similar to popular libraries (lodahs instead of lodash, crossenv instead of cross-env). A single typo in package.json installs the attacker's package. npm audit does not check for this.
  • No SBOM generation: Compliance frameworks like SOC 2, FedRAMP, and the EU Cyber Resilience Act increasingly require a Software Bill of Materials. npm audit cannot produce one.

These blind spots mean that teams relying solely on npm audit have an incomplete picture of their dependency risk.
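The typosquatting gap above is one a team can narrow on its own before any scanner runs. The following is an added example, not code from this guide or from CodeSlick: it checks the dependency names in a package.json against a list of well-known packages and flags any name that is a small edit away from one of them, which covers both near-misses the guide mentions (lodahs for lodash, crossenv for cross-env). The `POPULAR` list and the sample manifest are constructed for illustration; a real deployment would use a far larger list of widely downloaded packages.

```javascript
// Added example (not from the page): flag dependency names that are lookalikes
// of well-known packages. The popular-package list below is a constructed stub.

const POPULAR = ['lodash', 'cross-env', 'express', 'react', 'axios', 'chalk', 'commander'];

// Normalise names the way a hurried reader does: lower-case, and drop the
// separators that attackers most often add or remove (cross-env vs crossenv).
function normalize(name) {
  return name.toLowerCase().replace(/[-._]/g, '');
}

// Optimal-string-alignment edit distance: insert, delete, substitute, and an
// adjacent transposition (lodahs -> lodash) each cost 1. Plain Levenshtein
// would charge a transposition 2 and miss the most common typo class.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // adjacent transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Return the suspicious entries from a parsed package.json: names that are not
// themselves a known package but sit within `maxDistance` edits of one after
// normalisation. Exact matches against the known list are never flagged.
function findTyposquats(manifest, popular = POPULAR, maxDistance = 1) {
  const deps = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
  const known = new Set(popular);
  const hits = [];
  for (const name of Object.keys(deps)) {
    if (known.has(name)) continue;
    const norm = normalize(name);
    for (const p of popular) {
      const distance = editDistance(norm, normalize(p));
      if (distance <= maxDistance) {
        hits.push({ name, lookalike: p, distance });
        break;
      }
    }
  }
  return hits;
}

// Constructed sample manifest; the version ranges are arbitrary.
const SAMPLE_MANIFEST = {
  name: 'sample-app',
  dependencies: { lodahs: '^4.17.21', express: '^4.18.2', axois: '^1.6.0' },
  devDependencies: { crossenv: '^7.0.3', chalk: '^5.3.0' },
};

// Stand-alone run: report each lookalike with the package it resembles.
for (const hit of findTyposquats(SAMPLE_MANIFEST)) {
  console.log(`suspicious: "${hit.name}" resembles "${hit.lookalike}" (distance ${hit.distance})`);
}
```

This is a heuristic, so treat a hit as a prompt to verify the package on the registry rather than as proof of malice: short names and legitimate forks will produce false positives, and a maintained allowlist of names you have already reviewed keeps the check quiet in CI. It is also a pre-install check; it says nothing about a correctly named package whose contents were compromised, which is the separate malicious-package case the guide describes.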

How CodeSlick Complements npm audit

CodeSlick extends dependency security beyond what advisory databases cover:

  • Malicious package detection: Identifies 66 known malicious packages with OSV.dev integration, catching backdoors and cryptominers that npm audit misses entirely
  • Typosquatting alerts: Flags packages with names suspiciously similar to popular libraries, catching supply chain attacks before they execute
  • SBOM generation: Produces SPDX 2.3 and CycloneDX 1.4 documents for compliance requirements
  • Dependency scanning: Covers npm, pip, Maven, and Go modules in a single scan

CodeSlick runs in under 3 seconds on every pull request via the GitHub App, on every commit via the CLI pre-commit hook, or on-demand in the web scanner.

Go beyond npm audit with malicious package detection, typosquatting alerts, and SBOM generation in under 3 seconds.
