This error occurs when npm audit finds critical security vulnerabilities in your dependencies. Critical vulnerabilities pose serious security risks and typically block CI/CD pipelines.
The EAUDIT error with "Critical vulnerabilities found" means npm detected serious security issues in your project's dependencies. npm audit submits your dependency tree to the registry's advisory database and reports findings by severity: critical, high, moderate, and low (plus info). Critical vulnerabilities are the most severe; the advisories behind them typically describe:
- Remote code execution
- SQL injection
- Authentication bypass
- Sensitive data exposure
This error commonly appears in CI/CD pipelines configured to fail when vulnerabilities reach a certain severity threshold. Many organizations enforce zero-tolerance policies for critical vulnerabilities in production deployments.
First, understand what vulnerabilities exist:
```
npm audit
```
This shows each vulnerability with:
- Severity level
- Vulnerable package and version
- Path showing how it's included
- Advisory URL with details
Let npm attempt to fix vulnerabilities automatically:
```
npm audit fix
```
This updates vulnerable packages to patched versions that still satisfy the semver ranges in package.json, so it does not change your declared constraints. It is usually safe, but "within semver" is a promise made by each package's maintainers, not a guarantee: run your test suite afterward and review the package-lock.json diff.
If some vulnerabilities remain, find out why. Run npm audit again to see what is left, and preview what a fix would change without touching node_modules:
```
npm audit fix --dry-run
```
Common reasons a vulnerability cannot be fixed automatically:
- Fix requires major version update (breaking changes)
- No patched version exists yet
- Parent package hasn't updated its dependency
For vulnerabilities that npm audit fix can't resolve:
```
# Update a specific package to its latest version
npm install package-name@latest
# Update to a specific patched version
npm install package-name@<patched-version>
# Update all packages within their semver ranges (test thoroughly)
npm update
```
If the vulnerability is in a nested (transitive) dependency that its parent has not updated, pin it with an overrides entry in package.json (npm 8.3+):
```
{
  "overrides": {
    "vulnerable-package": "^2.0.0"
  }
}
```
An override applies to every copy of that package in the tree; nest it under a parent package's name to limit it to that parent. Make sure the overridden version is one the parent actually works with, because forcing a major version onto a transitive dependency can break the parent at runtime even though the audit goes green. Then reinstall:
```
rm -rf node_modules package-lock.json
npm install
```
Deleting package-lock.json re-resolves the entire tree, not just the overridden package, so review the resulting lockfile diff. Running npm install against the existing lockfile is usually enough to apply an override.
As a last resort, force major version updates:
```
npm audit fix --force
```
Warning: this installs semver-major updates of top-level dependencies and can introduce breaking changes. Always:
- Run your test suite afterward
- Review the changelog of updated packages
- Test thoroughly before deploying
CI/CD configuration: set the severity at which the audit fails the build. --audit-level only changes the exit code; every finding is still printed in the report:
```
# Exit non-zero only on critical
npm audit --audit-level=critical
# Exit non-zero on high and above
npm audit --audit-level=high
```
Not all vulnerabilities are exploitable: review each advisory carefully. A "critical" vulnerability in a dev dependency might not affect your production application. Consider:
- Is the vulnerable code path actually used?
- Is the package only used during development?
- Does the vulnerability require specific conditions to exploit?
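The gate below is an added example (not part of this page or of npm's own tooling) that ties the CI threshold and the triage questions above together. It reads a report in the shape of `npm audit --json` (the version-2 format with `vulnerabilities`, `severity`, `isDirect`, `via` and `fixAvailable`, as far as those fields go), fails on anything at or above a threshold severity the way `--audit-level` does, and for each failing finding reports whether it is direct or transitive and why `npm audit fix` did or did not resolve it, using `fixAvailable` (`true` = fixable within semver, an object with `isSemVerMajor: true` = needs a major bump, `false` = no patched version). The function names `gate`, `meetsLevel` and `fixStatus`, the package names and the `example.invalid` advisory URLs are assumptions for the example, and `SAMPLE_REPORT` is constructed data, not real npm output; in CI you would replace it with the parsed stdout of `npm audit --json` and set the process exit code from `result.pass`.

```javascript
'use strict';

// Severity order used by npm audit; a higher index is more severe.
const SEVERITIES = ['info', 'low', 'moderate', 'high', 'critical'];

// True when a finding at `severity` trips a gate set to `level`
// (same semantics as `npm audit --audit-level=<level>`).
function meetsLevel(severity, level) {
  return SEVERITIES.indexOf(severity) >= SEVERITIES.indexOf(level);
}

// Explain, from the report's fixAvailable field, why `npm audit fix`
// did or did not resolve a finding.
function fixStatus(vuln) {
  const fix = vuln.fixAvailable;
  if (fix === true) return 'fixable within semver (npm audit fix)';
  if (fix && typeof fix === 'object') {
    return fix.isSemVerMajor
      ? `needs major update: ${fix.name}@${fix.version} (npm audit fix --force or an override)`
      : `fixable by updating ${fix.name}@${fix.version}`;
  }
  return 'no patched version available';
}

// Evaluate a parsed audit report against a threshold. Returns
// { pass, failing } where `failing` lists each finding at or above `level`.
function gate(report, level = 'high') {
  const failing = [];
  for (const vuln of Object.values(report.vulnerabilities || {})) {
    if (!meetsLevel(vuln.severity, level)) continue;
    // `via` is either advisory objects (the package is the vulnerable one)
    // or package names (the package is affected through a dependency).
    const via = (vuln.via || [])
      .map((v) => (typeof v === 'string' ? v : `${v.title} (${v.url})`))
      .join('; ');
    failing.push({
      name: vuln.name,
      severity: vuln.severity,
      direct: Boolean(vuln.isDirect), // listed in your own package.json?
      via,
      status: fixStatus(vuln),
    });
  }
  return { pass: failing.length === 0, failing };
}

// Constructed sample report (assumption: shaped like auditReportVersion 2,
// not real npm output): a critical transitive finding with no patch, a high
// direct finding that needs a major bump, and a moderate one fix can handle.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-parser': {
      name: 'example-parser', severity: 'critical', isDirect: false,
      via: [{ title: 'Remote code execution in example-parser',
              url: 'https://example.invalid/advisory/1', severity: 'critical' }],
      effects: ['example-framework'], range: '<2.0.0',
      nodes: ['node_modules/example-parser'], fixAvailable: false,
    },
    'example-framework': {
      name: 'example-framework', severity: 'high', isDirect: true,
      via: ['example-parser'], effects: [], range: '<=3.4.1',
      nodes: ['node_modules/example-framework'],
      fixAvailable: { name: 'example-framework', version: '4.0.0', isSemVerMajor: true },
    },
    'example-logger': {
      name: 'example-logger', severity: 'moderate', isDirect: true,
      via: [{ title: 'Log injection in example-logger',
              url: 'https://example.invalid/advisory/2', severity: 'moderate' }],
      effects: [], range: '<1.2.3',
      nodes: ['node_modules/example-logger'], fixAvailable: true,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 1, critical: 1, total: 3 } },
};

// Stand-alone run over the constructed sample at the "high" threshold.
// In CI: parse `npm audit --json` from stdin instead of SAMPLE_REPORT and
// set process.exitCode = result.pass ? 0 : 1.
const result = gate(SAMPLE_REPORT, 'high');
for (const f of result.failing) {
  console.log(`${f.severity.toUpperCase()} ${f.name} (${f.direct ? 'direct' : 'transitive'}) via ${f.via}: ${f.status}`);
}
console.log(result.pass ? 'PASS: nothing at or above high' : `FAIL: ${result.failing.length} finding(s) at or above high`);
```

Running it against the sample fails the gate on two findings: the critical one is transitive and has no patch, so the only options are an override to a fork, a mitigation, or removing the parent; the high one is a direct dependency that npm can only fix with a major bump, which is exactly the case `npm audit fix --force` or a deliberate `npm install example-framework@4.0.0` would handle. The moderate, fixable finding is reported but does not fail the build at this threshold.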
When no fix exists: If the package maintainer hasn't released a patch:
1. Check if a fork with the fix exists
2. Consider alternative packages
3. Implement mitigations at the application level
4. Open an issue with the package maintainer
Production-only audit:
```
npm audit --omit=dev
```
This checks only production dependencies and ignores devDependencies (older npm versions used --production for the same purpose). Combine it with --audit-level in CI when your policy covers only what actually ships.