npx aud instead of
npm audit, whether you have a lockfile or not!
It's a great idea to run
npm audit in CI; it ensures that you don't unknowingly have vulnerabilities in your dep graph.
Unfortunately, it doesn't work without a lockfile
v6 or above.
Now, instead of
npm audit, you can run
npx aud! If your repo has a lockfile, it will just run
npm audit; if it does not, it will use
npm-lockfile to copy your
package.json and your currently configured audit level (
npm config get audit-level) to a temp dir that has the proper version of npm installed, it will use
npm install --package-lock-only to create a temporary lockfile, and it will run
npm audit there. On exit, all the temp dirs will get cleaned up.
aud fix without a lockfile present will throw
npm audit's normal "no lockfile" error, since there's no way to preserve fixes to transitive dependencies.