npm Audit Summary Analyzer

Project label:

Name the package, workspace, CI job, or app represented by the audit output.

High+ fail threshold:

Set the first high-or-critical count that should fail this audit gate.

high+

Parser preference:

Leave on Auto for normal CI artifacts and copied terminal output.

Audit output:

Use `npm audit --json` for package paths, fix availability, and dependency metadata.

Review audit input

{{ error }}

Remediation rows:

Show the highest-pressure package rows first.

rows

{{ header }}	Copy
{{ cell }}
{{ emptyTableTitle(tab.key) }} {{ emptyTableNote(tab.key) }}

No severity counts are available for the current audit output.

No package-level fix pressure rows are available for the current audit output.

Embed:

Customize

Include current inputs

Size

Advanced

Width

Height

Aspect ratio

Max height

Collapsible embed

Allow fullscreen

Referrer policy

Sandbox tokens

An npm audit report is a snapshot of known dependency risk in one package tree. It compares the dependencies described by a project and its lockfile against vulnerability advisories known to the configured registry. That makes it useful for release checks and maintenance planning, but it is still evidence to review rather than a final statement that an application is safe or unsafe.

Large JavaScript projects can carry many indirect packages, so the count alone rarely tells the whole story. The same report may include one direct production package, several transitive development packages, and a suggested fix that either stays inside the current version range or crosses into a breaking upgrade. Security owners usually need severity, package path, affected range, and fix pressure before deciding whether to block a release, open a patch branch, or record a time-boxed exception.

Severity is a starting signal about impact and likelihood, not the release decision by itself. A single critical finding on a reachable production dependency can justify stopping a deployment. A high finding in a development-only transitive path may need a different response. The dependency path, package role, runtime exposure, and whether the fix is compatible all change the practical decision.

Severity: The advisory label, usually critical, high, moderate, low, or informational.
Dependency path: The route through the installed package tree that brings the vulnerable package into the project.
Patched range: The version range where the advisory says the vulnerability has been fixed.
Release gate: A policy threshold that decides whether a build can proceed with unresolved findings.

One common mistake is treating the total vulnerability count as the release decision. Ten low findings can be less urgent than one critical package on a production path. Another mistake is running npm audit fix --force as if every suggested fix were harmless. A forced or semver-major change can update top-level dependencies outside their current accepted ranges, so it belongs in a tested branch rather than an automatic release patch.

The report boundary matters. An audit can miss unknown vulnerabilities, malicious behavior that has not been published as an advisory, mistakes in private code, and risks hidden by omit/include settings. It should be read alongside reachability, ownership, test coverage, and the side effects of any proposed package update.

How to Use This Tool:

Use the analyzer when you have an npm audit JSON report, a copied terminal report, or a CI log excerpt and need a compact release or remediation summary.

Enter a Project label that will still make sense in an exported ticket, such as a package name, workspace, branch, or CI job.
Set High+ fail threshold. Use 1 when any critical or high vulnerability should fail the gate.
Paste npm audit --json when possible, browse to a saved JSON, TXT, or LOG report, or drop the file onto the audit textarea.
Leave Parser preference on Auto-detect for ordinary use. Choose JSON first when malformed JSON should stop the run instead of being treated as text.
Open Advanced only when you need to change the visible Remediation rows limit. The limit trims the visible queue, not the severity totals.
Read npm Gate Snapshot first, then use Severity Ledger, Fix Pressure Matrix, and Package Remediation Queue to decide who needs to patch, review, or investigate.
Use the chart tabs and exports after the tables match the report you meant to summarize.

If the page reports that the audit input needs review, fix the source before exporting. Text logs can be enough for a gate and severity ledger, but JSON usually gives better package names, dependency paths, affected ranges, dependency totals, and fix signals.

Interpreting Results:

Start with the high-plus count, which is the critical count plus the high count. The selected threshold turns that count into a pass or fail result for the gate. The gate is intentionally narrower than the full vulnerability total because critical and high findings often carry release-blocking weight even when lower severities are present.

npm audit result cues and how to read them
Result Cue	Best First Reading	What To Check Next
Gate failing	Critical plus high vulnerabilities met or exceeded the selected threshold.	Inspect the highest-severity queue rows and decide whether the release stops, receives an exception, or moves to a fix branch.
Gate passing	Critical plus high vulnerabilities are below the selected threshold.	Review moderate and low findings for maintenance planning; a passing gate is not proof that the dependency tree is clear of risk.
Compatible fix	The parsed audit data suggests a fix path that is not marked as major or force-only.	Apply the update, rerun npm audit, and run the relevant tests before closing the finding.
Force/major review	The suggested fix may require a semver-major upgrade or force mode.	Use a branch, review breaking changes, and test behavior before treating the fix as safe.
Manual remediation	No direct automatic fix was available in the parsed audit evidence.	Inspect dependency paths, upstream status, replacement packages, overrides, or whether the vulnerable code is reachable.
Aggregate only	The source exposed severity counts but not package-level rows.	Rerun `npm audit --json` if package ownership, paths, or exact fix work matter.

The pressure score is a triage index, not a standard risk score. It makes repeated runs of the same project easier to compare by weighting critical findings more heavily than high, moderate, low, or informational findings. Use it to explain relative cleanup pressure, not to compare unrelated applications without context.

The JSON tab contains the normalized summary built by the page. Keep the original npm audit report when you need full advisory text, exact registry output, or evidence for an audit trail.

Technical Details:

npm audit builds a report from dependency metadata, known advisories, and remediation logic. Modern npm output may include aggregate vulnerability counts, dependency totals, affected packages, dependency paths, advisory references, vulnerable ranges, and fix guidance. A command-line text report often preserves the release signal, while JSON output is better for package ownership and remediation planning.

The analyzer uses the high-plus count as a local gate because critical and high findings often drive release policy. It also creates pressure points so a run with one critical advisory does not look equivalent to a run with one low advisory. These are triage measures for comparing audit runs and explaining cleanup pressure; they are not npm standard risk scores.

Formula Core:

\begin{array}{lcl} high-plus count & = & critical count + high count \\ gate fails & = & high-plus count \geq selected threshold \\ pressure points & = & 10 \times critical + 6 \times high + 3 \times moderate + 1 \times low \end{array}

Input forms and retained audit detail
Input Form	Detail Usually Available	Summary Impact
Modern audit JSON	Severity totals, package records, dependency type, paths, ranges, advisory links, dependency totals, and fix guidance.	Supports the gate snapshot, severity ledger, fix matrix, package queue, charts, and normalized JSON summary.
Older audit JSON	Advisory records, module names, severity, findings, vulnerable ranges, patched ranges, paths, and links.	Can still produce package rows when enough advisory and path information is present.
Terminal audit text	Severity counts, package headings, severity labels, node paths, advisory links, and fix wording when the log includes them.	Works for count-based summaries and best-effort rows, but may become aggregate-only when package detail is missing.

Severity weighting and default posture
Severity	Pressure Weight	Default Posture
Critical	10	Address immediately; require owner sign-off before release.
High	6	Prioritize in the next security patch branch.
Moderate	3	Schedule when the package path is reachable or production-facing.
Low	1	Bundle with routine dependency maintenance.
Info	0	Verify relevance; do not block release on this signal alone.

Fix pressure classification rules
Fix Pressure	Audit Signal	Typical Owner Action
Compatible fix	The audit report indicates a fix that is not marked as force-only or semver-major.	Apply the compatible update, then rerun audit and tests.
Force/major review	The fix may require force mode, a semver-major change, or another breaking-change review.	Plan a branch, review release notes, and test before accepting the update.
Manual remediation	No direct automatic fix is available in the audit report.	Inspect reachability, overrides, replacements, or upstream maintainer status.
Advisory review	A vulnerability is named, but the source does not expose a clear fix path.	Open the advisory and decide whether the affected path matters for this project.
Aggregate only	Counts exist, but package-level rows do not.	Use JSON output for package-level remediation planning.

npm Gate Snapshot records the project label, detected source type, gate result, high-plus count, total vulnerabilities, pressure score, dependency total when present, and queue size. Severity Ledger groups count, share, points, and recommended posture by severity. Fix Pressure Matrix groups package rows by remediation type. Package Remediation Queue keeps the sorted package details for handoff.

The tool's gate is separate from the npm CLI --audit-level option. The CLI option changes the command exit threshold; it does not remove lower-severity findings from the report. This page keeps the parsed counts visible and lets you choose a high-plus release threshold for the summary.

Privacy and Accuracy Notes:

The page analyzes pasted text and selected report files in the browser. It does not need to send the audit report away to build the tables, charts, CSV files, DOCX files, or JSON summary.

The npm command that produced the report is separate from this page. When you run npm audit in your terminal or CI job, npm may contact the configured registry and use the dependency tree described by your package lock. Private package names, internal project labels, and advisory paths can appear in reports and exports, so treat them as security artifacts.

Audit results can change when the lockfile, registry, npm version, advisory data, or omit/include settings change. A clean run means no known matching vulnerabilities were reported for that run; it does not rule out unknown vulnerabilities, malicious packages that have not been flagged, or risks in application code.

Worked Examples:

One critical finding fails a strict gate

A CI job for admin-ui main reports 1 critical, 0 high, 3 moderate, and 1 low vulnerability. With High+ fail threshold set to 1, the high-plus count is 1, so the gate fails. The owner should inspect the top queue row before deciding whether to patch immediately or record a release exception.

A major fix needs a review branch

A package row says a fix exists, but the fix requires a semver-major change. The row belongs under Force/major review, even when the severity is critical. The useful action is a tested upgrade branch, not a rushed force update that breaks the application.

A copied CI log gives only counts

A terminal excerpt says found 7 vulnerabilities with a severity breakdown but no package rows. The gate and severity ledger can still work, while the package queue may be empty or aggregate-only. Rerun npm audit --json when package ownership or dependency paths matter.

Invalid JSON stops a JSON-first run

A saved report is missing a closing brace and Parser preference is set to JSON first. The page reports invalid JSON instead of silently treating the source as text. Fix the JSON, or switch to text parsing only when the source is a terminal report.

FAQ:

Should I paste JSON or terminal text?

Use npm audit --json when you can. JSON usually exposes package names, dependency paths, fix guidance, and dependency totals. Terminal text is useful when you only have a CI log, but it may not support a full remediation queue.

Why does one issue fail the gate?

The gate compares critical plus high vulnerabilities against High+ fail threshold. With a threshold of 1, any critical or high vulnerability fails the gate.

Does a compatible fix mean no testing is needed?

No. A compatible fix means the parsed audit data did not mark the update as a major or force-only change. Dependency updates can still change behavior, so rerun npm audit and the relevant tests.

Why is the queue empty when vulnerabilities were counted?

The source may contain aggregate severity counts without package-level rows. Paste JSON when you need package names, affected ranges, dependency paths, and fix signals.

Can this replace a dependency security review?

No. It summarizes npm audit evidence. A reviewer still needs to consider reachability, production exposure, compensating controls, package ownership, and whether the proposed fix is safe.

Glossary:

High-plus: Critical vulnerabilities plus high vulnerabilities, used by this page as the release-gate count.
Pressure points: A weighted severity index used for triage, with critical findings contributing more than high, moderate, low, or informational findings.
Compatible fix: A remediation signal that is not marked as semver-major or force-only in the parsed audit data.
Manual remediation: A finding where the audit source does not expose a direct automatic fix path.
Aggregate-only result: A summary built from severity counts without package-level remediation rows.

References:

About audit reports, npm Docs.
npm-audit command documentation, npm CLI documentation.
About semantic versioning, npm Docs.