[BUG] npm audit does not exit with exit code 1 if a vulnerability is found

[jansepke]

Current Behavior:

Running npm audit in a reposity with a vulnerable package will give the correct report output, but will not exit with status code 1.

Expected Behavior:

Same as in NPM V6 and as stated in the V7 Docs: "By default, the audit command will exit with a non-zero code if any vulnerability is found."

Steps To Reproduce:

1. npm install xmldom@0.4.0
2. npm audit
3. echo $?

I don't know if this problem applies only to lo severity findings. Our workaround currently is to use npm audit --audit-level=low which will exit correctly with 1.

Environment:

• OS: Ubuntu 20.04
• Node: v14.16.0
• npm: 7.6.3

[josalmi]

I can confirm this issue is also happening on npm 7.6.0 and doesn't seem to be related to severity since high level vulnerability also exits with 0 status code. The mentioned workaround works.

[mikejamesthompson]

We also experienced this issue. We were using npm audit in CI to check for vulnerabilities in packages and using the non-zero return code to cause the build to fail if any were found.

Obviously we are now using npm audit --audit-level=low, but this should be fixed so that the behaviour matches the documentation.

[darcyclarke]

Can confirm, this is a problem. Prioritizing accordingly