How to Use an npm REST API to Get npm Audit Results

See how to use an npm REST API to get npm audit results.

By Gorav Singal · Sep. 04, 19 · Tutorial


We know you're tired, but you can REST now with this npm REST API tutorial.

Introduction

npm has a tool called npm audit, which reports whether any of your packages or libraries have known vulnerabilities. This is an excellent initiative from npm.

This is a serious security threat: your application can be compromised if it uses a third-party library that has a known vulnerability. Even if your own code has no security issue, your whole system is vulnerable through that third-party library. Using components with known vulnerabilities is one of the OWASP Top 10 security risks.

In this post, we will see the following:

  • How to use npm audit via its REST API
  • Why you don't need to install a package before auditing it
  • Why you don't need to run the npm audit command
  • How to check vulnerability information for any npm package without installing it

How npm Audit Works Internally

It requires your package.json and package-lock.json files. It reads some metadata from these files and submits it to npm's web servers via a REST API. The server then returns a response indicating whether any library in the tree has known vulnerabilities.

So, when you run npm audit in the root directory of your project, it prepares some data and sends it to npm's web server.

npm audit uses a module, npm-registry-fetch, which exposes methods to call those REST APIs. However, you will not find its documentation anywhere. I just found it while looking at npm's code on GitHub.

REST API for Getting npm Audit Information

URL: /-/npm/v1/security/audits
Host: registry.npmjs.org
Port: 443
HttpMethod: POST

It has a post body that looks like:

{
    "name": "npm_audit_test",
    "version": "1.0.0",
    "requires": {
        "marked": "^0.6.3"
    },
    "dependencies": {
        "marked": {
            "version": "0.6.3",
            "integrity": "sha1-ebq614r2OLpNUiqecVzf3SQp6UY=234"
        }
    }
}

So, the good thing is that you don't need a package.json or package-lock.json file at all. You can just call this API and get a result. You can see above that the POST body carries an integrity hash, but you can remove that as well.

Let's look at the fully functional code.

Code to Fetch Audit Data

Here, I have used a nonexistent name — npm_audit_test — and an arbitrary version for my project. It can be anything. And I'm using one dependency package: marked.

const regFetch = require('npm-registry-fetch');

// Synthetic manifest: the project name and version can be anything;
// only the dependency tree is used by the audit endpoint.
const auditData = {
    "name": "npm_audit_test",
    "version": "1.0.0",
    "requires": {
        "marked": "^0.6.3"
    },
    "dependencies": {
        "marked": {
            "version": "0.6.3",
            "integrity": "sha1-ebq614r2OLpNUiqecVzf3SQp6UY=234"
        }
    }
};

// Only method, gzip and body are npm-registry-fetch options; a plain object
// body is JSON-encoded and sent with Content-Type application/json.
const opts = {
    method: 'POST',
    gzip: true,
    body: auditData
};

regFetch('/-/npm/v1/security/audits', opts)
    .then(res => res.json())
    .then(report => {
        console.log(JSON.stringify(report, null, 3));
    })
    .catch(err => console.error(err));

So, the solution presented above doesn't require you to install your packages. You can just pass any package name and version and you are done.
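As an added example (not the article's code), the same endpoint used as a pre-install gate: it builds the request body for a flat list of packages, summarizes the reply by severity, and embeds a constructed sample reply so the gate logic runs offline. The path and body shape come from the article; the response field names (advisories, module_name, severity, patched_versions, metadata.vulnerabilities) and the helper names are assumptions.

```javascript
const AUDIT_PATH = '/-/npm/v1/security/audits';

// Build the POST body the audit endpoint expects from a flat { name: version }
// map. Project name/version are placeholders; only the dependency tree matters,
// and the integrity field is omitted since the endpoint does not require it.
function buildAuditBody(deps, name = 'audit-probe', version = '0.0.0') {
  const requires = {};
  const dependencies = {};
  for (const [pkg, ver] of Object.entries(deps)) {
    requires[pkg] = ver;
    dependencies[pkg] = { version: ver };
  }
  return { name, version, requires, dependencies };
}

// Reduce an audit report to what a CI gate needs. Field names (advisories,
// module_name, severity, patched_versions, metadata.vulnerabilities) are
// assumed from the npm audit report format, not taken from the article.
function summarizeReport(report, failOn = ['high', 'critical']) {
  const findings = Object.values(report.advisories || {}).map(a => ({
    module: a.module_name, severity: a.severity, title: a.title,
    vulnerable: a.vulnerable_versions, patched: a.patched_versions,
  }));
  const counts = (report.metadata && report.metadata.vulnerabilities) || {};
  const blocking = findings.filter(f => failOn.includes(f.severity));
  return { findings, counts, blocking, pass: blocking.length === 0 };
}

// Live query: POST the synthetic manifest and summarize the reply.
// npm-registry-fetch is required lazily so the pure helpers run without it.
async function auditPackages(deps, failOn) {
  const regFetch = require('npm-registry-fetch');
  const res = await regFetch(AUDIT_PATH, { method: 'POST', gzip: true, body: buildAuditBody(deps) });
  return summarizeReport(await res.json(), failOn);
}

// Constructed sample reply (not real advisory data) so the gate logic runs offline.
const SAMPLE_REPORT = {
  actions: [],
  advisories: {
    '1': { id: 1, module_name: 'marked', severity: 'moderate', title: 'Constructed: ReDoS',
           vulnerable_versions: '<0.7.0', patched_versions: '>=0.7.0' },
    '2': { id: 2, module_name: 'other-dep', severity: 'high', title: 'Constructed: Prototype Pollution',
           vulnerable_versions: '<2.0.0', patched_versions: '>=2.0.0' },
  },
  muted: [],
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 1, critical: 0 }, totalDependencies: 2 },
};

// Usage: auditPackages({ marked: '0.6.3' }).then(s => { process.exitCode = s.pass ? 0 : 1; });
```

Running summarizeReport over SAMPLE_REPORT flags the high-severity entry as blocking, so the gate fails; passing ['critical'] as the threshold lets it through.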

If you have any questions, feel free to comment.

Further Reading

The License and Security Risks of Using Node.js


Published at DZone with permission of Gorav Singal. See the original article here.

Opinions expressed by DZone contributors are their own.
