News and Notes from the Makers of Nexus | Sonatype Blog

New in Nexus Repository 3.23: Nexus Intelligence via npm Audit

Written by Brent Kostak | May 13, 2020

We are excited to announce the official release of Nexus Repository 3.23. In this release, we continue the story of our enhanced JavaScript support with the new Nexus Intelligence via npm audit feature** available to both Nexus Repository OSS and Pro users. Over the past couple months, Sonatype product teams have been hard at work delivering a new proprietary JavaScript scanning algorithm, npm automated pull requests for GitHub, and now Nexus Platform support for the npm audit command.

** Note: Nexus Intelligence via npm audit requires an organization to own a license of Nexus Firewall or Nexus Lifecycle

What is the npm audit command?

Back in 2018, npm released a new client command called “npm audit” to run an audit report of npm packages and dependencies. Running the command retrieves security information from npmjs.com and lists all known vulnerable dependencies in your package.json file. This powerful tool ensures the quality and integrity of an npm developer’s code and continues to be a very popular command in the JavaScript community.

Npm also added an “npm audit fix” command that will upgrade a dependency to the latest version without a violation.

Nexus Intelligence via npm audit

So, what is this new feature from Sonatype? How does Nexus Intelligence improve the npm audit command?

Nexus Intelligence via npm audit allows developers to check for policy violations in their Javascript projects, using the npm audit command built into the npm CLI, coupled with the precise data of Nexus Intelligence. Audit reports show vulnerable components and information, including the: security level, affected package(s), path(s), and dependencies of the component. All of this serves developers the in-depth and high quality data of Nexus Intelligence.

The following are key benefits of using this new feature for Nexus Repository OSS and Pro developers:

  • Developer Workflow - Nexus Repository developers can now use the default npm audit command. If an organization has Nexus Repository and Nexus IQ already configured, the npm audit command will start working for them without any changes to each developer's machine. This makes the roll out very easy for admins and teams. 

  • Nexus Intelligence - Running the npm audit command lists all known vulnerable dependencies from your package.json file while gaining the benefits of the most precise intelligence regarding security vulnerabilities, license risk, and architectural quality of open source components. JavaScript developers gain the benefit of more accurate component information from Nexus Intelligence data versus npmjs.com.

  • Automated Remediation - If policy violations are found and updates are available, developers can run the “npm audit fix” subcommand to automatically update vulnerable dependencies to fix policy violations.

  • Predictive Build Insights - Nexus Firewall blocks bad components from being downloaded into your developer pipelines. When this occurs, it can be challenging for developers to understand why exactly their build failed. Developers using the npm audit command will be able to receive that information and know ahead of time why Nexus Firewall would interact with their build.

Additional Resources

For further Nexus release details and any questions you may have, please refer to the links below: