The npm install command fails when security vulnerabilities are detected in dependencies and the audit-level threshold is breached. npm audit automatically scans packages during installation and can block the process if high-severity issues are found.
npm audit runs automatically during package installation and submits your dependency tree to the npm registry for vulnerability scanning. When vulnerabilities meeting or exceeding the configured audit-level threshold are found, npm exits with a non-zero code, blocking installation. EAUDITINSTALL specifically indicates that audit vulnerabilities were detected and the installation cannot proceed without addressing them or changing audit settings. This is a security gate designed to prevent vulnerable code from entering your project. Unlike older npm versions that only warned about vulnerabilities, npm 7+ enforces audit-level by default during installation.
Run npm audit without installing to see the full vulnerability report:
npm audit
This shows:
- Package names and affected versions
- Vulnerability severity (critical, high, moderate, low)
- CVE IDs and detailed advisory links
- Which of your packages depend on the vulnerable code
The safest first step is to let npm automatically remediate vulnerabilities:
npm audit fix
This command:
- Identifies which package versions contain fixes
- Updates your package.json and package-lock.json if updates are compatible
- Respects semantic versioning by default (won't bump major versions)
If this succeeds, run npm audit again to confirm zero vulnerabilities.
If npm audit fix leaves vulnerabilities because semantic versioning blocks updates:
npm audit fix --force
Warning: --force can upgrade major versions and introduce breaking changes. Use only if:
- You've reviewed the breaking changes
- You have tests to catch incompatibilities
- You're willing to debug dependency issues
If vulnerabilities cannot be fixed without breaking your app, you can lower the audit threshold:
npm install --audit-level=moderate
Audit levels (most to least strict):
- critical - fails on critical only
- high - fails on high or critical
- moderate - fails on moderate, high, or critical
- low - fails on low and above (most permissive)
To make this permanent, set it in your .npmrc:
audit-level=moderate
Note: This allows installation but doesn't remove the security risk.
If all vulnerabilities are in devDependencies, install production dependencies only:
npm install --omit=dev
This:
- Skips devDependencies entirely
- Avoids dev-only vulnerabilities
- Is safe for production deployments
- Cannot be used during local development if devDependencies are needed
Check whether the vulnerable package is actually used:
npm uninstall package-name
Use npm ls package-name to trace which dependency brought it in:
npm ls vulnerable-package
Removing the package entirely eliminates the vulnerability.
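To decide which of the steps above applies to each finding, the report can be triaged against a threshold programmatically. The following is an added example, not part of the original page or of npm itself: it assumes the npm 7+ `npm audit --json` report shape (a `vulnerabilities` object with `severity` and `fixAvailable` per package), and the function names, package names and sample report are hypothetical and constructed for illustration.

```javascript
// Severity ranks, lowest to highest, as npm reports them.
const RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Fail closed: an unrecognised severity is treated as critical.
const rank = (s) => RANK[s] ?? RANK.critical;

// Constructed sample in the shape of `npm audit --json` (auditReportVersion 2).
// All package names are hypothetical.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-color": { severity: "low", isDirect: false, fixAvailable: true },
    "example-glob": { severity: "moderate", isDirect: false, fixAvailable: false },
    "example-template": { severity: "high", isDirect: false,
      fixAvailable: { name: "example-cli", version: "3.0.0", isSemVerMajor: true } },
    "example-parser": { severity: "critical", isDirect: true, fixAvailable: true },
  },
};

// Map the fixAvailable field to the remediation step it calls for:
// true -> in-range update, object -> update that needs --force, false -> none.
function remediation(fix) {
  if (fix === true) return "npm audit fix";
  if (fix && typeof fix === "object") return "npm audit fix --force";
  return "no fix available";
}

// Return the findings at or above `level`, most severe first.
function triage(report, level) {
  if (!(level in RANK)) throw new Error(`unknown audit level: ${level}`);
  return Object.entries(report.vulnerabilities || {})
    .filter(([, v]) => rank(v.severity) >= RANK[level])
    .sort(([, a], [, b]) => rank(b.severity) - rank(a.severity))
    .map(([name, v]) => ({
      name,
      severity: v.severity,
      direct: Boolean(v.isDirect),
      breaking: Boolean(v.fixAvailable && v.fixAvailable.isSemVerMajor),
      action: remediation(v.fixAvailable),
    }));
}

// True when at least one finding meets the threshold, i.e. the gate should fail.
const breaches = (report, level) => triage(report, level).length > 0;

for (const f of triage(sampleReport, "moderate")) {
  console.log(`${f.severity.padEnd(9)} ${f.name.padEnd(17)} ${f.action}`);
}
```

Findings that come back as "no fix available" are the ones left for the threshold, --omit=dev, or removal steps.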
npm audit limitations: Not all reported vulnerabilities are equally dangerous—many relate to build tools or development-only packages that don't affect production. False positives occur frequently, especially with transitive vulnerabilities.
audit-ci for CI/CD: For more sophisticated audit policies in CI/CD, use the audit-ci package:
npm install --save-dev audit-ci
audit-ci --moderate --production
This allows ignoring specific CVEs by advisory ID, applying different rules for production vs. dev dependencies, and custom exit codes.
Production vs Development: The key distinction is between vulnerabilities in code that runs in production vs. development-only tools. For critical production software, always fix critical and high vulnerabilities.