LPM-cli

lpm audit

Scan installed packages for vulnerabilities, behavioral risks, and (optionally) hardcoded secrets.

lpm audit

Walks every installed package and reports:

  1. Confirmed vulnerabilities — npm packages are cross-referenced against OSV.dev; @lpm.dev/* packages get vulnerability data from the registry's per-version metadata.
  2. Behavioral flags — static analysis surfaces risky behaviors (eval, child_process, network access, filesystem writes, native code, etc.). Registry-provided behavioral metadata for @lpm.dev/* packages is normalized into the same severity ladder, including info-level tags such as WebSockets and URL string literals. See the full tag list under lpm query.
  3. Quality score — for @lpm.dev/* packages. Scores below 40 surface as moderate; below 20 surface as high.
  4. Dependency-confusion warnings — when an installed @lpm.dev/* package's bare name collides with a popular npm package (react, lodash, etc.), the audit warns about the registry-confusion risk.
  5. Optional secret scan — with --secrets, scans the installed source for hardcoded API keys, tokens, and private keys.

Works in any project, not just LPM-published ones. Discovery walks lpm.lock, package-lock.json, pnpm-lock.yaml, yarn.lock, or bun.lock (text form); falls back to walking node_modules/ in degraded mode.

Examples

lpm audit
lpm audit --level high              # only show high-severity findings
lpm audit --secrets                 # also scan for hardcoded credentials
lpm audit --fail-on vuln            # CI: exit non-zero only on confirmed vulns
lpm audit --fail-on behavior        # CI: exit non-zero only on critical behaviors
lpm audit --secrets --fail-on secrets # CI: exit non-zero only on hardcoded secrets
lpm audit --fail-on all             # CI: exit non-zero on either (default)
lpm audit fix                       # bump vulnerable direct deps and reinstall
lpm audit --fix --dry-run           # plan the same fixes without writing files
lpm audit --json                    # structured output for tooling

CI gating

lpm audit exits non-zero when its findings trip the active --fail-on policy. The implicit default is conservative — high-severity behavioral signals like eval don't fail CI unless you ask for them explicitly with --fail-on all.

Policy                       Exit code 1 when
(no flag, implicit default)  Vulnerabilities or critical behavioral flags (obfuscation, protestware, high-entropy strings). Excludes high behaviors so existing pipelines that tolerate eval don't break.
vuln                         Any confirmed vulnerability — OSV (npm) or registry-side advisory (@lpm.dev)
behavior                     Any critical or high behavioral flag
secrets                      Any hardcoded-secret finding from lpm audit --secrets
all (explicit)               Vulnerabilities + critical behaviors + high behaviors + secrets — the strict union

For finer control, use lpm query — its CSS-like selectors target individual flags or combinations.

Fixing vulnerabilities

lpm audit fix
lpm audit --fix
lpm audit fix --dry-run

lpm audit fix is the canonical form; lpm audit --fix is an alias for npm-compatible muscle memory. Both inspect OSV fixed-version data, update vulnerable direct dependencies in dependencies and devDependencies, then run lpm install to refresh lpm.lock and node_modules.

The fix pass currently operates only in LPM-managed projects. It does not rewrite npm / pnpm / yarn / bun lockfiles, and it skips transitive-only vulnerabilities, private/custom-registry packages, or advisories without a usable fixed version. --dry-run reports the plan without mutating package.json, lpm.lock, or node_modules.

Severity levels

lpm audit --level high

Suppresses anything below the threshold. Ladder from most to least severe: critical → high → moderate (alias medium) → info (alias low). Default is info (show everything).
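The severity ladder above and the --fail-on policy table from the CI gating section, modelled together as an added example (this is not LPM's own code). It assumes a finding shape of { kind, severity, pkg, detail } with kind one of vuln, behavior or secret, that the gate is evaluated over every finding regardless of the --level display threshold (the page does not say either way), and, per the Secret scanning section, that a secret finding trips the implicit default policy. Package names and findings are constructed.

```javascript
// Added example, not LPM's own code: a model of the --level threshold and the
// --fail-on exit-code policy described on this page, run over constructed findings.
// Assumption: a finding is { kind: "vuln" | "behavior" | "secret", severity, pkg, detail }.

// Severity ladder, most to least severe; "medium" and "low" are the page's aliases.
const SEVERITY_RANK = { critical: 3, high: 2, moderate: 1, info: 0 };
const SEVERITY_ALIASES = { medium: "moderate", low: "info" };

function normalizeSeverity(value) {
  const key = String(value).toLowerCase();
  const canonical = SEVERITY_ALIASES[key] || key;
  if (!(canonical in SEVERITY_RANK)) throw new Error(`unknown severity: ${value}`);
  return canonical;
}

// --level: drop everything below the threshold (default "info" shows all).
function filterByLevel(findings, level = "info") {
  const min = SEVERITY_RANK[normalizeSeverity(level)];
  return findings.filter((f) => SEVERITY_RANK[normalizeSeverity(f.severity)] >= min);
}

function isHighOrCritical(sev) {
  return sev === "critical" || sev === "high";
}

// Does one finding trip the given --fail-on policy? `undefined` means no flag was given.
function tripsPolicy(finding, failOn) {
  const sev = normalizeSeverity(finding.severity);
  switch (failOn) {
    case undefined:
      // Implicit default: vulns, critical behaviors and secrets, but NOT high
      // behaviors such as eval (assumption: secrets trip it, per the Secret scanning section).
      return finding.kind === "vuln" || finding.kind === "secret" ||
        (finding.kind === "behavior" && sev === "critical");
    case "vuln":
      return finding.kind === "vuln";
    case "behavior":
      return finding.kind === "behavior" && isHighOrCritical(sev);
    case "secrets":
      return finding.kind === "secret";
    case "all": // explicit strict union
      return finding.kind === "vuln" || finding.kind === "secret" ||
        (finding.kind === "behavior" && isHighOrCritical(sev));
    default:
      throw new Error(`unknown --fail-on policy: ${failOn}`);
  }
}

// Exit code for the whole run. Assumption: the gate looks at every finding,
// independent of the --level display threshold.
function exitCode(findings, failOn) {
  return findings.some((f) => tripsPolicy(f, failOn)) ? 1 : 0;
}

// Render what a run would print under a given --level and --fail-on.
function report(findings, level, failOn) {
  const lines = filterByLevel(findings, level).map(
    (f) => `${f.severity.padEnd(8)} ${f.kind.padEnd(8)} ${f.pkg}: ${f.detail}`
  );
  return { lines, exitCode: exitCode(findings, failOn) };
}

// Constructed sample findings (package names and details are made up).
const SAMPLE_FINDINGS = [
  { kind: "vuln", severity: "high", pkg: "example-pkg-a", detail: "OSV advisory" },
  { kind: "behavior", severity: "high", pkg: "example-pkg-b", detail: "eval" },
  { kind: "behavior", severity: "critical", pkg: "example-pkg-c", detail: "obfuscation" },
  { kind: "behavior", severity: "info", pkg: "example-pkg-d", detail: "WebSockets" },
  { kind: "secret", severity: "high", pkg: "example-pkg-e", detail: "private key" },
];

// Same findings, three policies: only the explicit policies fail on the eval flag.
for (const policy of [undefined, "behavior", "all"]) {
  const r = report(SAMPLE_FINDINGS, "high", policy);
  console.log(`--fail-on ${policy || "(default)"}: exit ${r.exitCode}`);
  for (const line of r.lines) console.log("  " + line);
}
```

Compare the implicit default with --fail-on all on the same list: the high-severity eval flag on example-pkg-b is reported under both, but only the explicit policies turn it into a non-zero exit, which is the behaviour the CI gating section describes.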

Secret scanning

lpm audit --secrets

Scans the installed source tree under node_modules/ for hardcoded API keys, access tokens, private keys, and similar credentials — the same scanner that runs as part of lpm publish. Useful as a final check before shipping a Docker image or deploying.

Requires node_modules/ to exist (errors with a "run lpm install first" hint otherwise). --secrets still runs as its own scan mode, but it now participates in --fail-on:

  • lpm audit --secrets uses the command's default gate policy (all), so a detected secret exits non-zero.
  • lpm audit --secrets --fail-on secrets gates on secret findings only.
  • lpm audit --secrets --fail-on vuln or --fail-on behavior keeps the secret scan informational.
  • --level is still ignored in secrets mode.

Flags

Flag                                    Effect
--level <critical|high|moderate|info>   Minimum severity to report (default: info)
--fail-on <vuln|behavior|secrets|all>   CI exit-code policy (secrets applies to --secrets; all includes secret findings too)
--secrets                               Scan installed source for hardcoded secrets (separate scan mode; consults --fail-on, still ignores --level)
--fix                                   Alias for lpm audit fix
--dry-run                               With --fix, show the fix plan without changing files

Plus the global flags. --json is especially useful for piping into CI gates.

See also