
Only show critical errors of NPM audit on Azure Pipeline build


I am using NPM audit on my Azure Pipeline build using the following custom command

npm audit --registry=https://registry.npmjs.org/  | Select-String -Pattern  ( "Critical") -Context 0,10

The idea here is that I only want to fail this step if there are any critical issues picked up by the audit.

Using this command locally within the command line works fine. But running it as a custom npm command in the pipeline still results in the full npm audit running and returning some moderate errors which cause the step to fail.

I feel I'm missing some formatting on the command but I'm not sure what it is.

Does anyone else have experience of using NPM audit in a pipeline while successfully suppressing certain error severities?


Solution

  • The reason the task is failing is not because of what the task is logging, but because npm audit is exiting with a non-zero code, which means a failure.

    I suggest that instead, you add the --audit-level parameter to the npm audit command, to change whether it will finish with failure code or not:

    By default, the audit command will exit with a non-zero code if any vulnerability is found. It may be useful in CI environments to include the --audit-level parameter to specify the minimum vulnerability level that will cause the command to fail. This option does not filter the report output, it simply changes the command's failure threshold.
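
Added example, not part of the original answer: since --audit-level only moves the failure threshold and does not filter the report, this Node.js sketch does both from a parsed `npm audit --json` report, listing only findings at or above a chosen severity and returning the exit code for the step. It assumes the npm 7+ report layout (auditReportVersion 2); the function names are hypothetical and the sample report is constructed.

```javascript
// Added example: filter and gate on a parsed `npm audit --json` report.
// Assumes the npm 7+ layout (auditReportVersion 2); names are hypothetical.
const SEVERITIES = ['info', 'low', 'moderate', 'high', 'critical'];

// Return the findings whose severity is at or above minLevel.
function findingsAtOrAbove(report, minLevel) {
  const min = SEVERITIES.indexOf(minLevel);
  if (min === -1) throw new Error(`unknown severity: ${minLevel}`);
  const vulns = report && report.vulnerabilities;
  if (typeof vulns !== 'object' || vulns === null) {
    // Anything without a vulnerabilities object (for example an error
    // payload or an older report layout) is rejected: fail closed.
    throw new Error('not an npm 7+ audit report');
  }
  return Object.values(vulns)
    .filter((v) => SEVERITIES.indexOf(v.severity) >= min)
    .map((v) => ({ name: v.name, severity: v.severity, range: v.range }));
}

// Decide the step result: exit code 1 only if something meets the threshold.
function gate(report, minLevel) {
  const hits = findingsAtOrAbove(report, minLevel);
  return { exitCode: hits.length > 0 ? 1 : 0, hits };
}

// Constructed sample report, trimmed to the fields used above.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-parser': { name: 'example-parser', severity: 'moderate', range: '<2.1.0' },
    'example-template': { name: 'example-template', severity: 'critical', range: '<=4.0.3' },
  },
  metadata: {
    vulnerabilities: { info: 0, low: 0, moderate: 1, high: 0, critical: 1, total: 2 },
  },
};

// Demo on the sample: only the critical finding is listed.
const result = gate(sampleReport, 'critical');
for (const h of result.hits) {
  console.log(`${h.severity}: ${h.name} ${h.range}`);
}
console.log(`step exit code would be ${result.exitCode}`);
```

In a pipeline step, parse the output of `npm audit --json` and use the `exitCode` returned by `gate` as the step's result.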