npm audit Shows 47 Critical Vulnerabilities. Here Is Which Ones Actually Need Fixing.

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
npm audit reports are designed to surface every known vulnerability in your dependency tree, regardless of whether those vulnerabilities are reachable from your application code. The result is high-severity findings that carry no practical risk sitting next to lower-severity findings that are actively exploitable in your production environment.
The tool is correct. The reported vulnerabilities exist. What the tool does not tell you is which ones matter for your specific application, which ones are only present in test utilities that never ship, and which ones require an attacker to control an input that your code never accepts from external sources.
The three-question decision framework below handles 95% of npm audit triage decisions without requiring deep security expertise.
The Three-Question Decision Framework
Run npm audit --json to get structured output. The JSON format gives you the fields you need to answer each question without parsing prose output.
Question 1: Is this package in devDependencies or dependencies?
In npm audit --json, look at the nodes array for each finding. Trace the affected package back through the dependency chain. If the root of the chain is a devDependency in your package.json, this package does not ship in your production build unless your build process explicitly bundles dev deps (rare and a separate problem).
DevDependency vulnerabilities that do not run in CI/CD pipelines with access to production secrets or sensitive data carry near-zero risk. Document them, set a reminder to fix them when a compatible patch arrives, and move on.
Exception: if the devDependency runs in a CI/CD pipeline that has access to production credentials, repository secrets, or deployment infrastructure, treat it as production-equivalent.
Question 2: Does your code reach the vulnerable function?
This is the reachability question. Most high-severity npm audit findings exploit a specific function within the vulnerable package. If your code calls the package but never invokes the vulnerable function, the vulnerability is unexploitable from your application.
The via field in npm audit --json output names the specific vulnerability within the package. Cross-reference this against the GitHub Advisory Database entry for the CVE: it identifies which function is affected. Then search your codebase for calls to that function through the affected package. If there are none, the vulnerability is unreachable.
Question 3: Is there a fix available without breaking changes?
The fixAvailable field in npm audit --json tells you whether npm audit fix can resolve the issue. If fixAvailable: true, run npm audit fix in a branch, run your test suite, and deploy the fix. This should take under 30 minutes for most projects.
If fixAvailable: { name, version, isSemVerMajor: true }, a fix exists but it is a major version bump that may include breaking changes. This requires dedicated testing. Schedule it as a dependency upgrade, not an emergency patch.
What Requires Immediate Action
Treat an npm audit finding as requiring immediate remediation when all three of the following are true:
- The vulnerable package is in
dependencies(notdevDependencies) - Your code makes calls that reach the vulnerable function (or you cannot confirm it does not)
- A fix is available via
npm audit fixor a minor/patch version bump
In this scenario: create a branch, run npm audit fix, run your full test suite, verify no regressions, and merge to main within 48 hours.
For production-impacting, actively exploited vulnerabilities (those with a CISA KEV entry or a GitHub Advisory severity of Critical with a proof-of-concept exploit), reduce the window to 24 hours.
Common examples requiring immediate action:
serialize-javascriptReDoS in production bundle: attackers can send crafted input through your application to cause CPU exhaustionaxiosSSRF in production API client: attackers can manipulate URLs your backend fetchesexpresspath traversal: attackers can access files outside the intended web root
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
What to Document and Defer
A finding qualifies for documented deferral when any of the following apply:
- Package is in devDependencies and does not run in privileged CI/CD environments
- Package is a deep transitive dependency (A depends on B which depends on C: the vulnerability is in C, and your code calls A through a path that never reaches C's vulnerable function)
- No fix is available (upstream maintainer has not published a patched version)
- The fix requires a major version bump with breaking changes that would require significant application rework
Deferral requires documentation. Create a ticket that records: the CVE ID, why you deferred, the conditions under which deferral is no longer acceptable (e.g., 'if a proof-of-concept exploit is published' or 'if a compatible fix is released'), and the review date. Without this documentation, deferred findings become permanently ignored findings.
For devDependency findings with no fix available, the deferral documentation is enough. For production dependency findings where you cannot fix due to breaking changes, document compensating controls (WAF rules that block the exploit input pattern, input validation that prevents the vulnerable code path from being reached externally).
Why npm audit Does Not Detect Supply Chain Attacks
The Sapphire Sleet npm supply chain attack in 2026 backdoored 144 npm packages including easy-day-js in 88 minutes. Running npm audit on a project using the compromised easy-day-js package would have shown zero findings: because the backdoored version had no CVE. It was a clean package with attacker code inserted into it. No known vulnerability. No advisory. No audit finding.
This is the critical limitation of npm audit: it detects known vulnerabilities in registered packages. It does not detect:
- Malicious packages with no CVE (typosquatting, account takeover, dependency confusion)
- Packages with backdoored versions published before discovery
- Packages with malicious postinstall scripts
- Internal packages with hardcoded credentials or data exfiltration
Defense against supply chain attacks requires different controls than npm audit: lockfile integrity verification (commit package-lock.json and verify its hash in CI), package provenance attestation (enabled in npm via --provenance flag since npm 9.5), restricting --ignore-scripts in production installs, monitoring for unexpected outbound network connections from build processes, and using software composition analysis tools that check package behavior in addition to known CVEs.
For organizations that had Sapphire Sleet exposure, the remediation steps are in the Sapphire Sleet npm Supply Chain Attack post.
The bottom line
npm audit output contains three types of findings: actionable vulnerabilities in production dependencies with reachable call paths and available fixes, findings that require a scheduled upgrade due to major version bumps, and noise from devDependencies and unreachable transitive dependencies. Use the three-question framework to sort each finding. Fix the first category immediately, schedule the second, and document-and-defer the third. Remember that npm audit is blind to supply chain attacks: a zero-CVE package that has been backdoored will always pass audit clean.
Frequently asked questions
Should I fix all npm audit critical vulnerabilities?
No. Most npm audit critical findings are in devDependencies that never ship to production, or in transitive dependencies where your code does not reach the vulnerable function. Run npm audit --json, check whether each affected package is in dependencies or devDependencies, verify reachability, and apply npm audit fix only where all three conditions confirm real risk.
Can npm audit detect supply chain attacks?
No. npm audit detects known CVEs in registered packages. It cannot detect malicious packages that have no CVE: such as typosquatted packages, backdoored package versions published before discovery, or packages with malicious postinstall scripts. Preventing supply chain attacks requires lockfile integrity verification, provenance attestation, and behavior monitoring in build pipelines.
What is the difference between a direct dependency vulnerability and a transitive dependency vulnerability in npm audit?
A direct dependency vulnerability is in a package listed in your package.json dependencies. You control the version directly. A transitive dependency vulnerability is in a package that one of your direct dependencies depends on: you do not control this version directly, and fixing it may require updating the direct dependency first. Most npm audit output is transitive vulnerabilities. The fixAvailable field in npm audit --json tells you whether npm audit fix can resolve it automatically or whether a manual upstream fix is required.
When should I use npm audit --force vs npm audit fix?
npm audit fix applies only safe semver-compatible fixes. npm audit --force applies all fixes including major version bumps that may include breaking changes. Never run npm audit --force in production or on main branch without a full test run. Instead, run npm audit --force in a dedicated branch, run your full test suite, check the changelog of each major version bump for breaking changes, and handle migration work before merging. For most production environments, npm audit fix (without --force) is the correct automated remediation command.
How do I suppress a false positive in npm audit that my team has accepted?
Use npm audit --json to get the vulnerability ID, then add an 'overrides' or 'audit.exemptions' entry in your package.json or a separate audit configuration file. The correct approach depends on your npm version: npm 8+ supports the 'overrides' field for forcing dependency versions. For true audit suppression with a documented justification, use a tool like audit-ci with an allowlist configuration file that records the CVE ID, the justification, and a review date. This creates an auditable record rather than silently suppressing findings.
How do you prevent npm audit vulnerabilities from blocking CI/CD pipelines while still maintaining security oversight?
The naive approach -- running npm audit and failing the build on any finding -- creates developer friction without proportionate security benefit. A better model uses severity thresholds and allowlists. Configure your CI pipeline with audit-ci or npm audit --audit-level=high --json: fail only on high and critical severity findings, allow moderate and low findings to pass with a warning. For each high or critical finding that is not directly exploitable (transitive dependency, no attack vector in your code path), add it to an audit-ci allowlist with a documented justification and an expiry date. The allowlist is committed to the repository and reviewed quarterly. Block builds only on newly introduced high/critical CVEs that are not yet allowlisted -- this creates a review gate for new risk without blocking existing work. Additionally, automate dependency update PRs using Dependabot or Renovate: configure them to auto-merge patch updates and minor updates from trusted packages, leaving only major version bumps for manual review. This keeps the dependency graph current and reduces the surface area of unresolved audit findings over time.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
