{"id":13237,"library":"gitlab-npm-audit-parser","title":"GitLab NPM Audit Parser","description":"This package is a command-line interface (CLI) tool that feeds Node.js dependency audits into GitLab's dependency scanning feature. It reads the JSON output of `npm audit --json` from standard input and transforms it into GitLab's `gl-dependency-scanning-report.json` format, which GitLab CI/CD ingests as a `dependency_scanning` report artifact and displays in the merge request widget and the Security dashboard. It is currently at version 1.0.4; releases are driven by changes in the `npm audit` output format or in GitLab's security report schema. Its single purpose is to bridge the gap between raw `npm audit` output, which GitLab cannot consume directly, and GitLab's security report format.","status":"active","version":"1.0.4","language":"javascript","source_language":"en","source_url":"ssh://git@github.com/mgibeau/gitlab-npm-audit-parser","tags":["javascript","gitlab"],"install":[{"cmd":"npm install gitlab-npm-audit-parser","lang":"bash","label":"npm"},{"cmd":"yarn add gitlab-npm-audit-parser","lang":"bash","label":"yarn"},{"cmd":"pnpm add gitlab-npm-audit-parser","lang":"bash","label":"pnpm"}],"dependencies":[],"imports":[{"note":"This package is a CLI tool run via `npx` or as a globally installed binary, not a library meant to be imported programmatically. The 'symbol' here is its command-line invocation.","symbol":"gitlab-npm-audit-parser","correct":"npx gitlab-npm-audit-parser [options]"},{"note":"`-o` and `--out` are equivalent; the real requirement is that the output path matches the `artifacts:reports:dependency_scanning` path in `.gitlab-ci.yml`. The project README writes `gl-dependency-scanning.json`, while GitLab's own Dependency-Scanning template uses `gl-dependency-scanning-report.json`; either name works as long as both settings agree. If they disagree the job still succeeds, but no report is uploaded and the findings never reach the Security tab, which is an easy way to lose visibility of vulnerable dependencies without noticing. When no `-o`/`--out` is given the tool writes `gl-dependency-scanning-report.json`.","wrong":"npx gitlab-npm-audit-parser -o gl-dependency-scanning-report.json   # while artifacts:reports:dependency_scanning points at gl-dependency-scanning.json","symbol":"--out","correct":"npx gitlab-npm-audit-parser --out gl-dependency-scanning.json   # same path as artifacts:reports:dependency_scanning"},{"note":"The parser reads the `npm audit --json` output from standard input. Piping is the usual CI form because it avoids writing a temporary file; redirecting a saved report with `<` works just as well and is handy for reproducing a failure locally. The output must be the machine-readable `--json` form, not the default human-readable table. Two shell caveats: `npm audit` exits non-zero when it finds vulnerabilities, so in a job shell with `pipefail` enabled the job fails at the audit step before the artifact is uploaded (wrap it as `(npm audit --json || true) | ...` if you want the report rather than a hard failure), and if the audit cannot reach the registry npm prints a JSON error object instead of findings, so an unexpectedly empty report deserves a look at the job log rather than being treated as a clean result.","wrong":"npm audit | npx gitlab-npm-audit-parser","symbol":"stdin pipe","correct":"npm audit --json | npx gitlab-npm-audit-parser"}],"quickstart":{"code":"npm_audit:\n  stage: test\n  image: node:lts-alpine\n  script:\n    - npm ci\n    - npm audit --json | npx gitlab-npm-audit-parser -o gl-dependency-scanning.json\n  artifacts:\n    when: always\n    reports:\n      dependency_scanning: gl-dependency-scanning.json","lang":"yaml","description":"A complete GitLab CI/CD job that installs dependencies from the lockfile with `npm ci`, runs `npm audit --json`, and converts the output into a GitLab dependency scanning report with `gitlab-npm-audit-parser`. The `-o` path and the `artifacts:reports:dependency_scanning` path must match; `when: always` uploads the report even when the job fails, so findings are not lost when `npm audit` exits non-zero."},"warnings":[{"fix":"Use a currently supported Node.js LTS image in `.gitlab-ci.yml`, e.g. `node:lts-alpine`, or pin a specific supported major (Node 16 is also end-of-life). Pinning the image by digest makes the job reproducible.","message":"The `node:10-alpine` image used in the README example is end-of-life and no longer receives security fixes; it also ships an old npm whose `npm audit --json` output differs from current versions. Always use an actively maintained Node.js LTS image.","severity":"gotcha","affected_versions":"<=1.0.4"},{"fix":"Make sure `npm audit --json` itself succeeds and that its JSON is the only thing on the parser's stdin. npm's own log lines go to stderr and do not interfere, but `npm run` prints a banner for the script it runs to stdout; silence it with `npm run --silent audit -- --json` (note that `--silent` goes before the script name, otherwise it is passed to the script instead of to npm).","message":"The parser expects a single valid JSON document on standard input. Any non-JSON text ahead of the object, or an `npm audit` failure that produces no JSON, makes the parser fail; typical causes are a wrapper script echoing to stdout or a registry error during the audit.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Pass the output path explicitly with `-o`/`--out` and use exactly the same path in `artifacts:reports:dependency_scanning` (e.g., `-o gl-dependency-scanning.json`).","message":"GitLab picks up the report from the path named in `artifacts:reports:dependency_scanning`, not from a fixed filename. The tool defaults to `gl-dependency-scanning-report.json` and the README example uses `gl-dependency-scanning.json`; if the `-o` path and the artifacts path differ, the job passes but no report is uploaded and nothing appears in the Security tab.","severity":"gotcha","affected_versions":">=1.0.0"}],"env_vars":null,"last_verified":"2026-04-19T00:00:00.000Z","next_check":"2026-07-18T00:00:00.000Z","problems":[{"fix":"Capture the raw audit output and validate it before piping: `npm audit --json > audit.json; node -e \"JSON.parse(require('fs').readFileSync(0,'utf8'))\" < audit.json`. If the audit runs through an npm script, silence the script banner with `npm run --silent audit -- --json` so only the JSON reaches stdout.","cause":"The data on the parser's standard input was not a single valid JSON document; typically extra text preceded the JSON object, or `npm audit` failed and printed nothing parseable.","error":"Error: Invalid JSON input"},{"fix":"Use an image that includes npm, such as the official `node:<version>-alpine` images, which bundle `npm` and `npx`. With a custom or distroless image, install npm or invoke the globally installed `gitlab-npm-audit-parser` binary directly and make sure its directory is on `PATH`.","cause":"`npx` ships with npm and was not on the CI environment's `PATH`; this happens with custom or minimal images that include only the `node` binary.","error":"sh: npx: command not found"}],"ecosystem":"npm","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null,"pypi_latest":null,"cli_name":"gitlab-npm-audit-parser"}