The command npm audit-level is not working when trying to change level to high
I have a front-end app with NodeJS and I am trying to make npm audit break only on high or critical vulnerabilities, so I tried to change the audit-level as specified in the documentation, but it would still return the low vulnerabilities, as you can see here:

npm set audit-level high
npm config set audit-level high
npm audit

Is there something I am doing wrong?

My npm version is 6.14.5.
My NodeJS version is 10.17.0.

Pathe answered 18/5, 2020 at 17:44 Comment(0)

I know this is an old question, I asked the same question myself so I thought I'd answer to help the next person.

Based on the discussion here, the --audit-level parameter dictates whether npm audit fails (exits with 1) or not (exits with 0). That means, if you specify --audit-level=critical, it will exit with 1 if there is a critical vulnerability, else it will exit with 0. It does not, however, control/filter the report/output, which I find annoying.

As a work-around, I do this to only output/report the levels I'm concerned with. It is not very elegant, but it helps me when the list of vulnerabilities is very long:

npm audit --parseable | grep high
Bespread answered 15/1, 2021 at 1:20 Comment(1)
Good note on the purpose of the --audit-level parameter, but --parseable does not have any effect on the output of the audit in NPM version 9.6.7. There is a --json flag that I'm currently playing with on Pomodoro breaks, to see if I can coax it into providing usable, filtered output... (Elrod)

As Frank already mentioned, --audit-level only affects the exit code returned by npm audit. If you're looking to simplify the text output, you'll have to parse it yourself. Here's one solution I souped up using npm version 9.6.7's --json flag in conjunction with jq:

npm audit --json | jq '.vulnerabilities[] | select(.severity == "high") | .name'

This just outputs the names of the packages with a "high" vulnerability, but you could play with this however you like to get output that is more useful to you. Remove the | .name from the end of the jq query to see, for example, the entire object that is returned.

Elrod answered 27/6, 2023 at 16:26 Comment(0)
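The two answers above cover the two halves of the problem separately: --audit-level decides the exit code, and the jq one-liner filters the report. The following Node script (an added example, not code from the question or either answer) does both in one step over the JSON that `npm audit --json` writes: it keeps only findings at or above a threshold (the jq filter on this page matches one exact severity; this generalises to "at least"), prints them, and sets the exit code the way --audit-level would. It handles both the npm 7+ report shape (`vulnerabilities` keyed by package name) and the npm 6 shape (`advisories` keyed by advisory id), which matters because the question was asked on npm 6.14.5. The package names, ranges and advisory id in the embedded samples are constructed placeholders, not real advisories.

```javascript
// Filter an `npm audit --json` report by minimum severity and reproduce the
// --audit-level exit-code behaviour. Added example; not part of npm.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Normalise both report shapes into { name, severity, range, fixAvailable }.
function collectFindings(report) {
  // npm 7+: report.vulnerabilities is an object keyed by package name.
  if (report.vulnerabilities && typeof report.vulnerabilities === 'object') {
    return Object.values(report.vulnerabilities).map(v => ({
      name: v.name,
      severity: v.severity,
      range: v.range,
      fixAvailable: Boolean(v.fixAvailable),
    }));
  }
  // npm 6: report.advisories is an object keyed by advisory id.
  if (report.advisories && typeof report.advisories === 'object') {
    return Object.values(report.advisories).map(a => ({
      name: a.module_name,
      severity: a.severity,
      range: a.vulnerable_versions,
      fixAvailable: Boolean(a.patched_versions && a.patched_versions !== '<0.0.0'),
    }));
  }
  return [];
}

// Keep findings whose severity is at or above minLevel; reject unknown levels
// loudly rather than silently passing everything.
function filterBySeverity(findings, minLevel) {
  const min = SEVERITY_RANK[minLevel];
  if (min === undefined) throw new Error(`unknown audit level: ${minLevel}`);
  return findings.filter(f => (SEVERITY_RANK[f.severity] ?? -1) >= min);
}

// Same contract as --audit-level: 1 if anything at or above the level exists.
function auditExitCode(findings, minLevel) {
  return filterBySeverity(findings, minLevel).length > 0 ? 1 : 0;
}

// One line per finding, most severe first.
function formatReport(findings) {
  return [...findings]
    .sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity])
    .map(f => `${f.severity.padEnd(8)} ${f.name.padEnd(20)} ${f.range}  fix available: ${f.fixAvailable ? 'yes' : 'no'}`);
}

// Constructed sample in the npm 7+ shape (placeholder packages, not real advisories).
const SAMPLE_NPM7 = {
  auditReportVersion: 2,
  vulnerabilities: {
    'pkg-alpha': { name: 'pkg-alpha', severity: 'moderate', range: '<1.2.0', fixAvailable: true },
    'pkg-beta':  { name: 'pkg-beta',  severity: 'high',     range: '<3.0.0', fixAvailable: true },
    'pkg-gamma': { name: 'pkg-gamma', severity: 'critical', range: '<0.9.1', fixAvailable: false },
    'pkg-delta': { name: 'pkg-delta', severity: 'low',      range: '<5.0.1', fixAvailable: true },
  },
};

// Constructed sample in the npm 6 shape (placeholder advisory id and package).
const SAMPLE_NPM6 = {
  advisories: {
    '1001': {
      id: 1001,
      module_name: 'pkg-epsilon',
      severity: 'high',
      vulnerable_versions: '<2.0.0',
      patched_versions: '>=2.0.0',
      title: 'constructed advisory for the example',
    },
  },
};

// Command-line use: node audit-filter.js <level> <report.json>
// where report.json came from `npm audit --json > report.json`.
function main(level, reportPath) {
  const fs = require('fs');
  const report = JSON.parse(fs.readFileSync(reportPath, 'utf8'));
  const hits = filterBySeverity(collectFindings(report), level);
  for (const line of formatReport(hits)) console.log(line);
  process.exitCode = hits.length > 0 ? 1 : 0;
}

if (typeof require !== 'undefined' && require.main === module && process.argv.length >= 4) {
  main(process.argv[2], process.argv[3]);
}
```

Running `npm audit --json > report.json; node audit-filter.js high report.json` prints only the high and critical rows and exits 1 when there are any, so a CI step can use this one command instead of pairing `--audit-level` with a separate grep or jq pass. Note that `npm audit --json` itself also exits non-zero when vulnerabilities exist, so redirect its output to a file (or append `|| true`) before feeding it to the script in a shell that has `set -e` enabled.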

On Windows, you have to run:

npm audit --json | jq '.vulnerabilities[] | select (.severity == \"critical\")'

On Linux, as J.M. Janson said, you can do:

npm audit --json | jq '.vulnerabilities[] | select(.severity == "high") | .name'
Palindrome answered 4/2 at 0:5 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.