
The command npm audit-level is not working when trying to change level to high


I have a front-end app with NodeJS and I am trying to make the npm audit break only on high or critical vulnerabilities, so I tried to change the audit-level as specified in the documentation, but it would still return the low vulnerabilities, as you can see here:

npm set audit-level high
npm config set audit-level high
npm audit

Is there something I am doing wrong?

My npm version is 6.14.5. My NodeJS version is 10.17.0.


Solution

  • I know this is an old question, I asked the same question myself so I thought I'd answer to help the next person.

    Based on the discussion here, the --audit-level parameter dictates if the npm audit fails (exits with 1) or not (exits with 0). That means, if you specify --audit-level=critical, it will exit with 1 if there is a critical vulnerability, else it will exit with 0. It does not, however, control/filter the report/output, which I find annoying.

    As a work-around, I do this to only output/report the levels I'm concerned with. It is not very elegant, but it helps me if the list of vulnerabilities is so long:

    npm audit --parseable | grep high
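
An added example, not part of the original answer: a Node script that filters the `npm audit --json` report on the severity field itself, since `grep high` also matches any line where "high" appears in a package name or title. The field names (`advisories`/`module_name` for npm 6, `vulnerabilities`/`via` for npm 7+) are assumptions about the report shape, and the sample data and the file name `audit-filter.js` are constructed.

```javascript
// Severity order used by npm audit, lowest to highest.
const LEVELS = ["info", "low", "moderate", "high", "critical"];

// Normalise both report shapes into [{ name, severity, title }].
// Assumed shapes: npm 6 keys `advisories` by advisory id (with `module_name`);
// npm 7+ keys `vulnerabilities` by package name (with a `via` array).
function listFindings(report) {
  if (report.advisories) {
    return Object.values(report.advisories).map((a) => ({
      name: a.module_name, severity: a.severity, title: a.title,
    }));
  }
  return Object.values(report.vulnerabilities || {}).map((v) => ({
    name: v.name, severity: v.severity,
    title: (v.via || []).filter((x) => typeof x === "object")
      .map((x) => x.title).join("; "),
  }));
}

// Keep findings at or above `minLevel`, comparing the severity value
// instead of searching the whole output line for the word.
function filterAudit(report, minLevel) {
  const min = LEVELS.indexOf(minLevel);
  if (min < 0) throw new Error(`unknown audit level: ${minLevel}`);
  const findings = listFindings(report)
    .filter((f) => LEVELS.indexOf(f.severity) >= min);
  return { findings, failed: findings.length > 0 };
}

// Constructed sample in the npm 6 shape (not real advisories).
const SAMPLE = { advisories: {
  "1": { module_name: "highlight-demo", severity: "low", title: "Constructed low finding" },
  "2": { module_name: "example-parser", severity: "high", title: "Constructed high finding" },
  "3": { module_name: "example-tar", severity: "critical", title: "Constructed critical finding" },
} };

// Print the matching findings and return whether the threshold was hit.
function printReport(report, minLevel) {
  const { findings, failed } = filterAudit(report, minLevel);
  for (const f of findings) console.log(`${f.severity}\t${f.name}\t${f.title}`);
  return failed;
}

// With a level argument, read a real report from stdin and set the exit
// code; without one, run on the constructed sample.
if (process.argv[2]) {
  let buf = "";
  process.stdin.on("data", (c) => (buf += c));
  process.stdin.on("end", () => {
    process.exitCode = printReport(JSON.parse(buf), process.argv[2]) ? 1 : 0;
  });
} else {
  printReport(SAMPLE, "high");
}
```

Run it as `npm audit --json | node audit-filter.js high`; the low-severity `highlight-demo` entry in the sample is the kind of line `grep high` would have kept.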