The EAUDITLEVELFAIL error occurs when npm audit finds security vulnerabilities at or above your specified --audit-level threshold. This is intentional behavior to prevent vulnerable dependencies in CI/CD pipelines.
This error is a security feature, not a bug. When you run npm audit or npm install with an --audit-level flag, npm checks all dependencies for known security vulnerabilities. If any vulnerability is found at or above your threshold (low, moderate, high, or critical), npm exits with a non-zero code to fail your build. The error is commonly encountered in CI/CD pipelines where you've set strict security requirements. For example, if you set --audit-level=moderate, npm will fail if it finds any moderate, high, or critical vulnerabilities. Starting with npm v7, both npm install and npm audit respect the --audit-level setting. In npm v6, only npm audit used this flag while npm install ignored it.
First, understand what vulnerabilities exist:
# See detailed vulnerability report
npm audit
# Get JSON output for parsing
npm audit --json
Look for the severity levels and affected packages. Note which packages are direct dependencies vs. transitive.
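The JSON report can be triaged with a short script. The following is an added example, not part of the original page: it assumes the npm v7+ report shape (a vulnerabilities object whose entries carry severity, isDirect and fixAvailable), and the sample report, the package names and the helper names triage and describeFix are constructed for illustration.

```javascript
// Added example: triage the object parsed from `npm audit --json` (npm v7+ report shape).
const LEVELS = ["info", "low", "moderate", "high", "critical"];

// Constructed sample report; package names and versions are made up.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-web-lib": { severity: "high", isDirect: true, fixAvailable: true },
    "example-parser": { severity: "critical", isDirect: false,
      fixAvailable: { name: "example-build-tool", version: "5.0.0", isSemVerMajor: true } },
    "example-glob": { severity: "moderate", isDirect: false, fixAvailable: false },
    "example-logger": { severity: "low", isDirect: true, fixAvailable: true },
  },
};

// Map npm's fixAvailable field (false | true | {name, version, isSemVerMajor}) to an action.
function describeFix(fix) {
  if (!fix) return "no fix available";
  if (fix === true) return "npm audit fix";
  const kind = fix.isSemVerMajor ? "breaking change" : "outside declared range";
  return `npm audit fix --force installs ${fix.name}@${fix.version} (${kind})`;
}

// Split findings by whether they reach the threshold, then by direct vs. transitive.
function triage(report, auditLevel) {
  const threshold = LEVELS.indexOf(auditLevel);
  if (threshold === -1) throw new Error(`unknown audit level: ${auditLevel}`);
  const out = { failsGate: false, direct: [], transitive: [], belowThreshold: [] };
  for (const [name, v] of Object.entries(report.vulnerabilities || {})) {
    const rank = LEVELS.indexOf(v.severity); // -1 (unrecognised severity) fails closed below
    const entry = { name, severity: v.severity, fix: describeFix(v.fixAvailable) };
    if (rank !== -1 && rank < threshold) {
      out.belowThreshold.push(entry); // still reported by npm, but does not fail the build
    } else {
      out.failsGate = true;
      (v.isDirect ? out.direct : out.transitive).push(entry);
    }
  }
  return out;
}

console.log(JSON.stringify(triage(SAMPLE_REPORT, "high"), null, 2));
```

Entries under transitive are the ones that usually need a parent-package upgrade or an overrides entry rather than a direct version bump.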
Let npm attempt to update packages to patched versions:
# Preview what would be fixed
npm audit fix --dry-run
# Apply compatible fixes (patch/minor versions)
npm audit fix
# Force major version updates (may break code)
npm audit fix --force
After fixing, run npm audit again to verify.
Development-only vulnerabilities are often lower risk. Audit only production dependencies:
# Audit production dependencies only
npm audit --production
# In CI/CD
npm audit --production --audit-level=high
Add to package.json scripts:
{
  "scripts": {
    "security:prod": "npm audit --production --audit-level=moderate"
  }
}
If you need to proceed with known moderate vulnerabilities, raise the threshold:
# Only fail on high or critical
npm audit --audit-level=high
# Only fail on critical
npm audit --audit-level=critical
Set permanently in .npmrc:
audit-level=high
Warning: This trades security for convenience. Only use for development or non-critical projects.
For npm 8.3+, force safe versions of vulnerable transitive dependencies:
{
  "overrides": {
    "vulnerable-package": ">=2.0.5",
    "postcss": ">=8.4.31",
    "nth-check": ">=2.0.1"
  }
}
Then reinstall:
npm install
npm audit
For complex scenarios, use IBM's audit-ci tool to allowlist specific advisories:
npm install --save-dev audit-ci
Create audit-ci.jsonc:
{
  "moderate": true,
  "allowlist": [
    1234567
  ]
}
Run in CI:
npx audit-ci --config ./audit-ci.jsonc
The --audit-level flag doesn't filter output; it only changes the exit code threshold. Vulnerabilities are still reported; you just control when the build fails.
In npm v6, npm install didn't respect --audit-level, but npm v7+ changed this behavior. If upgrading npm versions, expect builds that previously passed to start failing if vulnerabilities exist.
Never disable audit entirely in production builds. If you must bypass temporarily, document the reason and set a deadline to address the vulnerabilities.