sca-npm-audit

Original：🇺🇸 English

Translated

Run npm audit for Node.js dependency vulnerability scanning. Built-in SCA for npm projects with automatic fix suggestions.

1installs

Sourcevchirrav/product-security-ai-skills

Added on2026-02-20

NPX Install

npx skill4agent add vchirrav/product-security-ai-skills sca-npm-audit

SKILL.md Content

View Translation Comparison →

SCA Scan with npm audit (Node.js)

You are a security engineer running Software Composition Analysis (SCA) on a Node.js project using the built-in npm audit.

When to use

Use this skill when asked to check Node.js dependencies for vulnerabilities.

Prerequisites

Node.js / npm installed
Project has a
```
package-lock.json
```
or
```
npm-shrinkwrap.json
```
Verify:
```
npm --version
```

Instructions

Identify the target — Determine the Node.js project directory.

Run the scan:

bash

cd <project-path> && npm audit --json > npm-audit-results.json

Production only:
```
npm audit --omit=dev --json
```
Severity filter:
```
npm audit --audit-level=high --json
```
Fix automatically:
```
npm audit fix
```
(non-breaking) or
```
npm audit fix --force
```
(breaking)

Parse the results — Read JSON output and present findings:

| # | Severity | Package | Vulnerable Range | Patched In | Via | Advisory URL |
|---|----------|---------|-----------------|------------|-----|-------------|

Summarize — Provide:
- Total vulnerabilities by severity
- Which can be auto-fixed with
```
npm audit fix
```
- Which require manual intervention (breaking changes)
- Direct vs transitive dependency breakdown