Use npm Audit

JFrog Artifactory Documentation

JFrog Artifactory
Content Type
User Guide

Artifactory now supports npm audit, allowing you to get vulnerabilities on your npm projects’ dependencies tree.

Audit reports contain information about security vulnerabilities of dependencies and can help fix a vulnerability by providing npm commands and recommendations for further troubleshooting.

This functionality will be enabled by default on npm virtual repositories that aggregate at least one remote repository that supports npm audit. For example, a remote repository that points to or Artifactory Smart Remote repository.

JFrog Xray users with Artifactory Pro X / Enterprise / Enterprise+ license, will get an enhanced audit report that includes security vulnerabilities from Xray's database. When Xray is configured to work with Artifactory, an audit report can be generated from scratch even without connecting to any remote repository.

Users with Read Permission on the npm virtual repository can use the following npm commands:



npm audit

Returns a vulnerability report based on the dependency tree sent by the npm client that is generated by and optionally enhanced by Jfrog Xray.

npm audit fix

Fetches the same report as npm audit and attempts to automatically act upon the recommendations in the report.

npm audit signature

Returns the registry signatures of uploaded packages so you can ensure the integrity of the downloaded packages.

In order to change the source of the npm audit reports, set the npm.default.audit.provider system property (default to your desired audit provider url.