README

This package adds a Laravel Health check for npm security advisories. It runs npm audit --json, stores the parsed audit output as check meta, and reports warnings or failures based on configurable severity thresholds.

Installation

You can install the package via composer:

composer require sector27-gmbh/laravel-npm-health-checks

You can publish the config file with:

php artisan vendor:publish --tag="laravel-npm-health-checks-config"

This is the contents of the published config file:

return [
    'paths' => [
        base_path(),
    ],

    'include_dev_dependencies' => false,

    'warning_threshold' => 'moderate',

    'failure_threshold' => 'high',

    'npm_binary' => 'npm',

    'timeout' => 60,
];

Usage

Register the check with Laravel Health:

use Sector27\LaravelNpmHealthChecks\NpmAuditCheck;
use Spatie\Health\Facades\Health;

Health::checks([
    NpmAuditCheck::new(),
]);

By default, the check audits production dependencies in your application root. It returns ok without a notification message when no vulnerabilities meet the warning threshold.

You may configure the check fluently:

Health::checks([
    NpmAuditCheck::new()
        ->atPaths([
            base_path(),
            base_path('resources/frontend'),
        ])
        ->includeDevDependencies()
        ->warnWhenSeverityIsAtLeast('moderate')
        ->failWhenSeverityIsAtLeast('high')
        ->timeout(120),
]);

Testing

composer test

Changelog

Please see CHANGELOG for more information on what has changed recently.

Security Vulnerabilities

Please review our security policy on how to report security vulnerabilities.

Credits

• sector27 GmbH
• All Contributors

License

The MIT License (MIT). Please see License File for more information.