npm audit command to support explicitly specifying npm-audit.json file

[avula-sudheer]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

npm audit doesn't process the ignore list specified in .npm-audit.json

From my research it appears that the npm audit signatures command is unable to complete due to missing registry signature for internal node modules.

This blocks from including npm audit as an automated pipeline task.

Expected Behavior

Provide a CLI switch to npm audit specify the audit file to be read for an exclusions (ignoring the signatures for internal modules).

Steps To Reproduce

1. In this environment...
2. use a older version of a dependency module that has vulnerability (eg: bootstrap 3.3.X)
3. Run 'npm audit report --json'
4. create a .npm-audit.json with the below format
   `Example

{
  "ignore": [
    {
      "id": 1102099,
      "reason": "CWE-79 - Reviewed and accepted risk for this advisory.",
      "expires": "2025-12-31T23:59:59.999Z"
    }
  ]
}

5. Run 'npm audit report --json' to process the .npm-audit.json file to ignore this vulnerability from being reported

Environment

• npm:
• Node.js:
• OS Name:
• System Model Name:
• npm config:

; copy and paste output from `npm config ls` here