One of the newest features available in the latest JFrog Artifactory version 6.10 release, is support for npm audit.
What is npm audit?
The npm audit command generates an audit report that provides a summary of all known security vulnerabilities in your npm packages and dependencies. It also provides npm commands and recommendations that will fix these vulnerabilities once they are applied. Moreover, the ‘npm audit fix’ command will even attempt to apply these recommendations automatically when possible. The security information is retrieved from an npm audit information provider such as npmjs.org.
More about Audit Reports
The audit report contains tables of information, each table describes a specific security vulnerability that was found in your dependency tree. The tables include information on the severity level, affected package, any dependency that it may have, its path, a link to more info about the vulnerability, and a fix version (a range of versions that contain a patch for this vulnerability or do not include the vulnerability at all). To fix these security vulnerabilities, you can run the npm audit fix command, which will fetch the same report as npm audit and attempt to automatically act upon the recommendations in the report.
Artifactory npm Audit support
From this release, Artifactory users can now run the npm command on a virtual npm repository, that aggregate at least one remote repository which supports npm audit. For example, a virtual repository that has a remote repository which points to https://registry.npmjs.org or Artifactory Smart Remote repository. If your Artifactory instance is connected to JFrog Xray, then the generated report will be enhanced to also contain the security vulnerabilities from Xray’s database. This enables npm and Xray users to benefit from both the npmjs and Xray database.
Additionally, when Xray is configured to work with Artifactory, an npm audit report can also be generated from scratch even without connecting to any remote repository. Learn more about how Xray can scan and find vulnerabilities in all major package formats, as part of your DevSecOps practices.
See the Artifactory v 6.10 release notes for a complete list of all new features and fixed issues.