XRAY: How to use Xray's data and perform a NPM audit and NPM audit fix

Product: JFrog Xray
Content type: Administration Platform
Author: Elumalai Ganesan
Article number: 000006530
First published: 2025-07-21T11:49:19Z
Last modified: 2025-07-21
Version: 1
Introduction 

In this knowledge base article, we will explore how to leverage Xray’s data to conduct an audit of your NPM project when integrated with Artifactory.

By default, the npm audit command retrieves data from the public URL https://github.com/advisories/ to identify vulnerabilities within your project.

If you are operating in a restricted environment or prefer not to connect to the public URL while utilizing Xray’s accurate and enriched data, you can use the jf audit command. This command allows you to perform a scan and obtain precise vulnerability insights via Xray.

To achieve this, follow the steps outlined below:
  1. Download the JF CLI executable and configure it with your Artifactory instance.
  2. Point the project at a Remote or Virtual NPM repository in Artifactory using the jf npmc command.
  3. Navigate to your NPM project folder and execute the jf audit command. You can also apply your policies, watches, and other options during this process.
  4. To remediate any identified vulnerabilities, run jf npm audit fix --force rather than npm audit fix. This command uses Xray's data to identify the exact vulnerable versions and resolve them.

As of Xray version 3.102.x, Xray no longer provides enrichment for npm audit. To check for vulnerabilities using Xray from the command line, use the jf audit command.

By following these steps, you can audit your NPM project with Xray's enriched data and apply features such as policies and watches, which is especially useful when you prefer not to connect to the public URL https://github.com/advisories/.
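The script below is an added example and is not code from the JFrog article or from the JFrog CLI project. It wraps the four steps above in a POSIX shell script and adds the check a practitioner would want in CI: after the fix step, re-run the audit and refuse to continue while High or Critical findings remain. The server ID "my-artifactory", the repository key "npm-virtual", the report file name, and the assumed shape of the simple-json report (a "vulnerabilities" array whose entries carry a "severity" field) are assumptions, not values from the article; the embedded sample report is constructed so the gating logic can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the JFrog article: wraps the article's four
# steps and gates on the audit result so a CI job stops while High/Critical
# findings remain.
# Assumptions (placeholders, not values from the article): JFrog CLI server ID
# "my-artifactory", NPM virtual repository key "npm-virtual", and that
# `jf audit --format=simple-json` writes a JSON object whose "vulnerabilities"
# entries carry a "severity" field.
set -eu

SERVER_ID="${JF_SERVER_ID:-my-artifactory}"   # assumed server ID
NPM_REPO="${JF_NPM_REPO:-npm-virtual}"        # assumed repository key
REPORT="${AUDIT_REPORT:-xray-audit.json}"     # assumed report file name

# Step 2: point the project at the Artifactory NPM repository (resolve + deploy).
configure_project() {
    jf npmc --server-id-resolve "$SERVER_ID" --repo-resolve "$NPM_REPO" \
            --server-id-deploy "$SERVER_ID" --repo-deploy "$NPM_REPO"
}

# Step 3: audit with Xray data. --fail=false keeps a non-zero exit status from
# aborting the script so the report can be inspected first.
run_audit() {
    jf audit --npm --format=simple-json --fail=false > "$REPORT"
}

# Step 4: remediate using Xray's fixed-version data, as the article describes.
fix_with_xray() {
    jf npm audit fix --force
}

# Count High/Critical entries in a simple-json report. Uses only grep and wc so
# it works without jq; -o prints each "severity" match on its own line.
count_severe() {
    grep -E -o '"severity": ?"(High|Critical)"' "$1" | wc -l | tr -d ' '
}

# Constructed sample report in the assumed simple-json shape (not real Xray
# output) so the gate can be exercised offline. Prints the temp file's path.
write_sample_report() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
{
  "vulnerabilities": [
    {"severity": "High", "impactedPackageName": "example-pkg-a",
     "impactedPackageVersion": "1.0.0", "fixedVersions": ["[1.0.1]"],
     "cves": [{"id": "CVE-EXAMPLE-0001"}]},
    {"severity": "Critical", "impactedPackageName": "example-pkg-b",
     "impactedPackageVersion": "2.3.0", "fixedVersions": ["[2.3.4]"],
     "cves": [{"id": "CVE-EXAMPLE-0002"}]},
    {"severity": "Low", "impactedPackageName": "example-pkg-c",
     "impactedPackageVersion": "0.9.0", "fixedVersions": [],
     "cves": []}
  ]
}
EOF
    printf '%s\n' "$f"
}

# Full workflow: check step 1, configure, audit, fix, re-audit, then gate.
main() {
    command -v jf >/dev/null 2>&1 || { echo "jf CLI not found (step 1)" >&2; exit 2; }
    configure_project
    run_audit
    echo "before fix: $(count_severe "$REPORT") High/Critical finding(s)"
    fix_with_xray
    run_audit
    remaining=$(count_severe "$REPORT")
    echo "after fix: $remaining High/Critical finding(s)"
    [ "$remaining" -eq 0 ] || { echo "unresolved High/Critical findings; review $REPORT" >&2; exit 1; }
}

# The live workflow runs only when invoked as: sh xray-npm-audit.sh run
case "${1:-}" in
    run) main ;;
esac
```

Run it from the NPM project folder with `sh xray-npm-audit.sh run` after step 1 (a configured jf CLI). Because `jf npm audit fix --force` can pull in major-version upgrades, the script re-audits after the fix rather than trusting the fix step's exit status, and the resulting package-lock.json changes should be reviewed before they are committed.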