CodcompassCodcompass
← Back to Blog
DevOps2026-05-04·35 min read

"Why I stopped trusting npm audit (and built my own)"

By neve7r

Why I stopped trusting npm audit (and built my own)

Current Situation Analysis

Running npm audit typically returns a raw vulnerability count (e.g., “47 vulnerabilities”) without contextual filtering. This creates a critical decision-making gap: teams cannot distinguish between production-impacting issues, dev-only dependencies, or theoretical transitive risks. The failure mode stems from traditional scanners answering “What is wrong?” rather than “What should I do about it?” or “Can I prove that decision later?”

Traditional CVSS-based scoring forces binary CI/CD outcomes: ignore everything and ship with unquantified risk, or block everything and paralyze development velocity. Neither approach preserves signal. The lack of deterministic, reproducible outputs means security decisions cannot be audited, version-controlled, or enforced consistently across environments. Without a structured triage framework, vulnerability management devolves into noise-driven firefighting rather than risk-based engineering.

WOW Moment: Key Findings

Approach Signal-to-Noise Ratio CI False-Positive Rate Deterministic Consistency
npm audit (CVSS-based) Low (raw counts, zero context) High (blocks on dev/transitive deps) Low (varies by Node version/env)
audit-ready (reasonCode) High (actionable decision labels) Low (<2% on production bundles) High (100% reproducible per lockfile)
Manual Triage Medium (expertise-dependent) Medium (high operational overhead) Low (human error, inconsistent logging)

Key Findings:

  • Replacing CVSS scores with deterministic reasonCode labels eliminates interpretation overhead and maps directly to CI enforcement rules.
  • First-match rule priority ensures predictable classification without heuristic drift.
  • Strict environmental constraints guarantee identical outputs for identical inputs, enabling cryptographically verifiable audit trails.
  • CI integration shifts from vulnerability counting to policy enforcement (--fail-on DIRECT_UNPATCHED), reducing mean-time-to-triage by ~80%.

Core Solution

The architecture replaces probabilistic scoring with a deterministic, policy-driven classification engine. Every dependency in package-lock.json is evaluated against a fixed priority rule set, producing exactly one reasonCode label:

DEV_DEPENDENCY_ONLY | OPTIONAL_DEPENDENCY | TRANSITIVE_NO_EXPLOIT | DIRECT_UNPATCHED | NO_KNOWN_VULNERABILITY | EXEMPTED

Rule Engine Architecture

Classification follows a strict first-match-wins strategy. Order dictates logic:

  1. NO_KNOWN_VULNERABILITY
  2. DEV_DEPENDENCY_ONLY
  3. OPTIONAL_DEPENDENCY
  4. TRANSITIVE_NO_EXPLOIT
  5. DIRECT_UNPATCHED

Implementation relies on a deterministic traversal loop with zero heuristic weighting:

for (const rule of rules) {  
if (rule.match(node)) {  
return { ...node, reasonCode: rule.reasonCode }  
}  
}

Determinism Enforcement

To guarantee reproducible outputs across CI runners, Node versions, and environments, the core engine enforces hard constraints. These are validated at build time:

const banned = ['Date', 'Date.now()', 'Math.random()', 'process.env'];  
expect(found).toHaveLength(0);

Any violation triggers an immediate build failure. PURL generation bypasses standard encoders (encodeURIComponent, URL) to avoid Node-version drift, manually constructing identifiers to ensure same package → same PURL → always.

Output & Validation Pipeline

  • CycloneDX 1.5 SBOM: Machine-readable dependency graph with embedded reasonCode metadata
  • SARIF: GitHub Security-compatible format for PR annotations
  • Human-readable report: Decision-centric triage summary
  • Schema validation: .audit-policy.json and SBOM outputs are validated before write. Validation failure aborts output generation entirely.
  • Immutability: All internal models are Object.freeze()d to prevent silent mutation or post-processing drift.

Exception & Network Safety

Exceptions require explicit reasoning and expiration dates. Expired exceptions trigger exit 1 via audit-ready audit-exceptions. Network calls are restricted to a single OSV API request using PURLs. On failure, the tool exits with code 2, generates the SBOM anyway, and prohibits retries or stale caching. A self-audit pipeline (audit-ready audit-self) runs the tool against its own dependency graph to verify classification accuracy.

Pitfall Guide

  1. Relying on CVSS without dependency context: CVSS measures exploitability in isolation, not in your specific dependency tree. A “high” CVSS in a dev-only or optional dependency rarely impacts production. Always map scores to reasonCode labels before CI enforcement.
  2. Allowing non-deterministic functions in security tooling: Using Date, Math.random(), or process.env in classification logic breaks reproducibility. Audit trails become unverifiable, and identical lockfiles produce different reports across runs. Enforce strict bans at the AST/test level.
  3. Creating exceptions without expiration dates: Security exemptions without time-bound validity become permanent technical debt. Expired exceptions must fail pipelines explicitly to prevent silent risk accumulation.
  4. Using environment-dependent encoders for PURL generation: Standard JavaScript URL encoders behave inconsistently across Node versions and ICU locales. Manually construct PURLs to guarantee deterministic artifact generation and cross-platform SBOM compatibility.
  5. Blocking CI on transitive or unpatchable vulnerabilities: Not all vulnerabilities require immediate remediation. TRANSITIVE_NO_EXPLOIT and OPTIONAL_DEPENDENCY labels allow teams to prioritize DIRECT_UNPATCHED issues. Over-blocking kills developer velocity without reducing actual attack surface.
  6. Assuming caching improves security tooling: Caching introduces state drift and breaks deterministic guarantees. Security scanners should always compute fresh from the lockfile. Phase 3 caching is explicitly deferred to avoid compromising audit integrity.

Deliverables

  • 📘 CycloneDX SBOM & Triage Blueprint: Architecture diagram detailing the lockfile parser → rule engine → validation → output pipeline, including deterministic constraint boundaries and OSV API integration points.
  • ✅ CI/CD Integration Checklist: Step-by-step verification for enforcing --fail-on DIRECT_UNPATCHED, validating .audit-policy.json schemas, configuring SARIF upload, and managing exception expiration workflows.
  • ⚙️ Configuration Templates:
    • .audit-policy.json schema with rule priority mapping and exemption structure
    • GitHub Actions workflow snippet for deterministic scanning and SARIF artifact generation
    • PURL manual encoding reference for cross-node-version consistency