In npm 6.6, a feature was added to provide security audit information for the packages that are used in your application.
This is run with the command npm audit.
It exits with a non-zero exit code if any ‘low’, ‘medium’, ‘high’, or ‘critical’ vulnerabilities were detected.
You can use that non-zero exit code in your CI to fail a check, which notifies you of the security vulnerability so that you can resolve it.
If you care about ‘high’ or ‘critical’ vulnerabilities but don’t care about ‘low’ or ‘medium’ ones, you can set the audit-level npm config value to ‘high’ in your npm configuration for your CI server.
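The following Node script is an added example, not code from the original post or from npm itself. It reproduces the audit-level decision described above on the JSON that npm audit --json prints, so a CI job can read the report once, log what it found and fail only when something is at or above the chosen level. It assumes the npm 6 report shape (an advisories object keyed by advisory id, with a severity field on each, plus metadata.vulnerabilities counts); npm's own severity names are info, low, moderate, high and critical, where moderate is what the text above calls ‘medium’. The embedded report, its advisory ids, package names and titles are constructed for the demonstration and refer to no real advisory.

```javascript
// Severity names npm uses, lowest to highest ("moderate" is the text's 'medium').
const SEVERITY_ORDER = ['info', 'low', 'moderate', 'high', 'critical'];

// Map a severity name to its position in SEVERITY_ORDER; reject anything npm
// would not emit so a typo in a threshold cannot silently disable the check.
function severityRank(severity) {
  const rank = SEVERITY_ORDER.indexOf(String(severity).toLowerCase());
  if (rank < 0) throw new Error(`unknown npm severity: ${severity}`);
  return rank;
}

// Parse the text of `npm audit --json` (npm 6 shape, assumed) and return the
// advisories whose severity is at or above auditLevel.
function checkAuditReport(jsonText, auditLevel) {
  const threshold = severityRank(auditLevel);
  const report = JSON.parse(jsonText);
  const advisories = Object.values(report.advisories || {});
  return advisories.filter((adv) => severityRank(adv.severity) >= threshold);
}

// Exit code for the CI step: 1 only if something at or above the level was found,
// which is the same rule npm applies to its own exit status with audit-level set.
function exitCodeFor(jsonText, auditLevel) {
  return checkAuditReport(jsonText, auditLevel).length > 0 ? 1 : 0;
}

// One-line count summary built from the report's metadata block.
function summarize(jsonText) {
  const counts = JSON.parse(jsonText).metadata.vulnerabilities;
  return SEVERITY_ORDER.map((s) => `${counts[s] || 0} ${s}`).join(', ');
}

// Constructed sample in the shape of npm 6 `npm audit --json` output. The ids,
// package names and titles are made up for illustration only.
const SAMPLE_REPORT = JSON.stringify({
  advisories: {
    '9001': {
      id: 9001, module_name: 'example-pad', severity: 'low',
      title: 'constructed low finding',
      findings: [{ version: '1.0.0', paths: ['example-pad'] }],
    },
    '9002': {
      id: 9002, module_name: 'example-parser', severity: 'high',
      title: 'constructed high finding',
      findings: [{ version: '2.3.1', paths: ['example-parser'] }],
    },
  },
  metadata: {
    vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 0 },
    totalDependencies: 42,
  },
});

// Demonstration: the same report fails at audit-level low and high but passes at critical.
for (const level of ['low', 'high', 'critical']) {
  const hits = checkAuditReport(SAMPLE_REPORT, level);
  const detail = hits.length
    ? hits.map((a) => `${a.module_name} (${a.severity})`).join(', ')
    : 'nothing at or above threshold';
  console.log(`audit-level=${level}: exit ${exitCodeFor(SAMPLE_REPORT, level)}; ${detail}`);
}
console.log(`summary: ${summarize(SAMPLE_REPORT)}`);
```

In a CI job you would capture the real report with npm audit --json > audit.json and feed its contents to exitCodeFor with the level you configured; keeping the threshold explicit in the script, rather than only in a .npmrc on the build server, makes the policy visible in the repository and reviewable alongside the lockfile.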