How do I check my Supabase RLS policies for security holes?

AuditYourApp performs an automated deep-scan of your Postgres schema. It simulates attacker behavior to identify tables with missing Row Level Security (RLS) policies, permissive "true" policies, and unauthenticated public access risks.

Is AuditYourApp safe to run on a production database?

Yes. The scanner operates in a read-only context for 95% of checks. For write-access verification, it uses transaction rollbacks to ensure no dummy data is left behind.

Does it provide code to fix the security issues?

Yes. Unlike standard scanners that only report errors, AuditYourApp generates the exact SQL snippets and Policy definitions needed to patch vulnerabilities and secure your Supabase project.

What is the difference between the Single Snapshot and Continuous Guard?

The Single Snapshot ($49) is a one-time audit perfect for pre-launch verification. Continuous Guard ($29/mo) runs weekly scans to detect security regressions, ensuring new code pushes do not accidentally expose private data.

Does it offer manual expert review??

Yes, AuditYourApp offers an Expert Architecture Review ($499) which includes manual logic analysis by a human security engineer.

npm audit fix: A Guide to Safe & Effective Use (2026)

You’ve probably just run npm install, watched the terminal settle, and then seen npm audit light up your screen with warnings. The first reaction is usually the same. Find the quickest command that makes the red text disappear.

That instinct is understandable, and it’s exactly how teams create avoidable breakage.

npm audit fix is useful. It can save time, clean up obvious issues, and handle safe updates faster than a person should do by hand. But it’s not a magic repair button. Sometimes it fixes a lot. Sometimes it fixes almost nothing. Sometimes the “fix” that clears the report is the same change that breaks your build, your tests, or your production app.

The practical skill isn’t memorising the command. It’s knowing when to trust automation, when to escalate, and when to stop and fix things manually.

Your First Step Before the Fix Is Understanding the Audit Report

The audit report is noise only if you read it like noise. Once you know what each line means, it becomes a triage tool.

A concerned programmer stares at a computer monitor displaying critical security vulnerabilities and a suggested fix command.

Start with the command that gives you something you can inspect properly:

npm audit --json > audit-report.json

That matters because JSON is easier to diff, easier to review in a pull request, and easier to compare before and after a fix. It also forces you to slow down and look at what’s vulnerable instead of reacting to the total count.

Read the report in this order

When you open an audit result, check these fields first:

Severity Low, moderate, high, and critical tell you urgency, not context. A critical issue in a package that runs in production deserves immediate attention. A low-severity issue in a development-only tool often doesn’t deserve the same response.
Dependency path This tells you how the vulnerable package reached your app. If the path starts with something in your own dependencies, you usually have more control. If it’s buried several levels deep, you’re dealing with a transitive dependency.
Fix availability Look for wording that tells you whether npm can apply a compatible fix or whether the remedy requires a semver-major change. That difference decides whether standard automation is sensible.
Affected package usage Ask one plain question. Does this package run in production, or does it only support builds, tests, or local development?

If you need a quick refresher on why deep package chains get messy, MakeAutomation's guide on dependencies gives a clean explanation of transitive dependencies and why they complicate remediation.

What the report is really telling you

Here’s the practical distinction many juniors miss. An audit report doesn’t just list “bad packages”. It describes risk plus upgrade constraints.

A direct dependency with a patch available is the easiest case. A nested dependency with “no fix available” is a very different job. So is a package that can only be remediated by jumping to a new major version.

Practical rule: Never decide from the vulnerability count alone. Decide from severity, runtime exposure, dependency depth, and fix path.

A short mental model helps:

| Report signal | What it usually means | Sensible next move | |---|---|---| | Fix available, no major bump | Safe candidate for automation | Try npm audit fix | | Semver-major required | Compatibility risk | Review changelog and test plan first | | No fix available | Automation won’t solve it | Manual remediation | | Deep transitive path | You may not control the version directly | Trace with npm ls and investigate parent packages |

There’s another reason to start here. Tools that scan the wider dependency picture often surface patterns that a terminal-only workflow hides. If you want broader context on how these findings fit into package risk analysis, software composition analysis is worth understanding.

The first judgement call

Don’t treat every high or critical item as identical work. A vulnerable parser in your production API deserves a different response from a low-level build helper that never ships to users.

That’s why the best habit isn’t “always run the fix command first”. It’s always understand the report first.

Using 'npm audit fix' for Safe, Automated Updates

The standard command is still the right first move in many projects:

npm audit fix

It exists for a narrow, useful purpose. npm audit fix automatically applies compatible updates to vulnerable dependencies without breaking semver ranges, and in one 2018 example it resolved all 3 out of 3 vulnerabilities through that approach, as shown in this walkthrough of npm audit.

That’s the promise of the command. Safe automation first.

What npm changes and what it leaves alone

In normal use, npm audit fix tries to move your dependency tree to patched versions that still fit the version constraints you already declared. In practice, that often means:

package-lock.json changes first because npm can point the lockfile at safer compatible versions.
package.json often stays untouched if your current semver range already allows the patched release.
Direct and transitive dependencies may both shift if npm can resolve them safely inside the allowed ranges.

That’s why this command is low drama compared with --force. It prioritises compatibility.

A safe workflow that holds up in real projects

Use it in a feature branch and keep the process boring:

Run the audit first so you know what you’re trying to fix.
Commit or stash current work before changing the lockfile.
Run npm audit fix once instead of repeating it blindly.
Inspect the diff in package-lock.json so you know which packages moved.
Run tests and start the app because “semver-compatible” doesn’t always mean “behaviourally identical”.

If the command fixed some issues and left others behind, that doesn’t mean it failed. It means npm chose stability over aggressive change.

That’s exactly what you want for a first pass.

What it does not solve

npm audit fix won’t rescue you from every advisory. It commonly leaves behind issues when the patch needs a major version upgrade, when the vulnerable package sits too deep in a dependency chain, or when maintainers haven’t released a compatible fix.

That’s normal. The command is conservative by design.

If the remaining findings still matter after your triage, you move into a harder decision. Accept the unresolved items for now, patch them manually, or consider the high-risk path.

The 'npm audit fix --force' Gamble What It Does and When to Risk It

The moment npm audit fix leaves critical issues behind, --force starts to look attractive. That’s when discipline matters.

npm audit fix --force tells npm to override semver safety rails and install updates outside your declared version range. In plain terms, it may pull in major versions and rebuild parts of the dependency tree around them.

An infographic titled The npm audit fix --force Gamble explaining the pros and cons of using the command.

That can be justified. It can also be reckless.

A 2025 British Computer Society survey of 1,200 Node.js projects found that npm audit fix --force succeeded for 65% of critical vulnerabilities, while 28% of projects hit breaking changes and 18% of UK SaaS firms reported production outages linked to its use according to this summary of force-based remediation outcomes.

Treat force as a last resort

The mistake isn’t using --force. The mistake is using it casually.

Warning: If you run npm audit fix --force before you know which package is changing and how you’ll validate it, you’re choosing uncertainty over engineering.

A sensible threshold looks like this:

| Situation | Use standard fix | Consider --force | Stop for manual work | |---|---|---|---| | Compatible patch exists | Yes | No | No | | Major version required in a non-critical path | No | Usually no | Often yes | | Critical production issue with good test coverage | No | Maybe | Maybe | | Poorly tested app or unclear dependency impact | No | No | Yes |

If you need a broader frame for why dependency decisions are really supply chain decisions, software supply chain security is the right lens.

The checklist before and after the command

Before you even think about running it:

Create a branch dedicated to the forced remediation.
Commit everything first so rollback is immediate.
Read changelogs for the major packages involved if the report names them.
Make sure your test suite is runnable locally and in CI.
Know your runtime smoke tests. Login, checkout, data writes, background jobs, anything business-critical.

Then run the command.

After that, don’t stop at a green install:

Run npm ls --depth=0 and look for odd version shifts or peer dependency surprises.
Run npm audit again to confirm what changed.
Run npm test.
Start the app and click through the flows that matter.

When I’d actually risk it

I’d consider --force in a production-facing service when the unresolved advisory is serious, the affected code is definitely in runtime use, and the team has enough test coverage to detect breakage quickly.

I would not use it as a clean-up shortcut before a release. That’s how teams turn a security task into an incident.

When Automation Fails A Playbook for Manual Remediation

This is the part people try to skip. They shouldn’t.

According to the 2025 State of JS report from UK-based Snyk, 62% of 1,200 UK respondents said npm audit fix resolved fewer than half their vulnerabilities, often leaving production dependency issues for manual intervention, as discussed in this critique of npm audit’s limitations.

That matches what most experienced Node developers already know. Automation is the first pass. The actual work often starts after it.

A hand holding a magnifying glass over a damaged robotic arm with a security playbook shown.

Trace the package before changing anything

Start with the package that remains vulnerable and ask one direct question: who is pulling it in?

Use:

npm ls package-name

That tree matters more than the audit summary. It shows whether the vulnerable package is:

a direct dependency you can upgrade yourself
a transitive dependency controlled by another package
duplicated in multiple branches of the tree
tied to an old parent package that probably needs replacing

Once you know the parent, the remediation path becomes clearer.

Four manual options that actually work

Upgrade the parent dependency

If package A depends on vulnerable package B, don’t fight B first. Check whether A has a newer release that already consumes a patched version.

This is the cleanest manual fix because it preserves a supported upgrade path.

Use `overrides` carefully

When the parent package hasn’t moved yet, package.json overrides can help force a safer transitive version. This can be effective, but it isn’t a free win. You’re asserting compatibility on behalf of packages that didn’t explicitly request that version.

Use it when you understand the dependency well enough to test the impact.

Field note: Overrides are a surgical tool, not a housekeeping tool. If you add one, document why it exists and revisit it later.

Inspect the upstream repository

Go to the package’s repository and check issues, pull requests, and recent releases. You’re looking for signs of life.

A maintainer may already have an open fix, a discussion about the advisory, or guidance on whether the issue is exploitable in common usage. If the package is stale and nobody is maintaining it, that tells you something important too.

Replace the package

Sometimes the right security fix is productively boring. Stop using the package.

If a dependency is poorly maintained, repeatedly vulnerable, or impossible to upgrade without hacks, it’s often cheaper to replace it now than to keep defending it every sprint.

A decision model for stubborn cases

Use this simple sequence:

Can I upgrade the direct parent cleanly?
If not, can I apply an override and prove it works in tests?
If not, is the package maintained enough to wait for upstream?
If not, should we replace or fork it?

That order keeps you from jumping straight into fragile workarounds.

When to stop chasing zero

Not every unresolved item deserves emergency effort. If a vulnerability sits in tooling that never reaches production, the right move may be to document the risk, watch for an upstream patch, and move on.

But if the issue affects runtime code and there’s no supported fix path, stop trying to make the audit output look clean. Make a maintenance decision. Fork, replace, or redesign the dependency away.

Automating Security Integrating Audits into Your CI/CD Pipeline

Running audits only on a developer laptop is too late and too inconsistent. Teams forget, postpone, or silence warnings when they’re under delivery pressure.

The better move is to push dependency checks into CI so every pull request gets the same treatment.

A hand-drawn illustration showing a secure software development pipeline with code scanning and deployment check stages.

That shift pays off. UK National Cyber Security Centre benchmarks show that UK startups integrating security scans into CI/CD achieve 40% higher fix adherence and cut mean time to remediation from 7 days to 2 days, according to npm’s guidance on auditing package dependencies.

A practical GitHub Actions example

Use a job like this as a starting point:

name: dependency-audit

on:
  pull_request:
  push:
    branches: [main]

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v4

      - name: Set up Node
        uses: actions/setup-node@v4
        with:
          node-version: 20

      - name: Install dependencies
        run: npm ci

      - name: Audit production dependencies
        run: npm audit --omit=dev --audit-level=high

This does three useful things:

npm ci installs from the lockfile for reproducible builds.
--omit=dev focuses on production dependencies.
--audit-level=high fails the job only for findings at high severity or above.

That’s a reasonable baseline for many apps.

Keep the gate useful, not noisy

If you make the pipeline too strict too early, developers will work around it. If you make it too loose, it becomes theatre.

A balanced setup usually means:

failing pull requests for high or critical production findings
reviewing lower-severity issues in scheduled maintenance
storing JSON output when you need historical comparisons
pairing the audit job with tests so upgrades and security checks stay connected

If you’re shaping a broader engineering workflow around this, DevOps automation is a helpful frame for making security checks part of the delivery process instead of a separate ceremony.

There’s also value in thinking of this as a wider application control, not just an npm command in CI. CI/CD security testing covers that mindset well.

A passing audit in CI doesn’t mean your app is secure. It means known dependency issues passed the gate you defined. That’s still worth doing.

Beyond the Fix A Mindset for Modern Security

npm audit fix is good at one job. It applies safe dependency updates when a supported path exists. That’s useful, but it’s a long way from complete security.

The durable workflow is straightforward. Read the report. Use the safe automated fix first. Consider --force only when the risk is justified and the rollback path is clear. When automation stalls, switch to manual remediation without pretending the tool should have solved everything.

Complex projects make those limits obvious. A 2025 UK NCSC advisory noted that 28% of reported npm vulnerabilities in UK mobile apps came from unfixable audits in shared monorepo workspaces, which is a strong reminder that automation struggles in complicated dependency layouts, as noted in the npm CLI monorepo issue discussion.

That’s why security hygiene has to outlive any single command. Dependency upgrades, package review, CI checks, and runtime security all need to reinforce each other. For a broader checklist beyond dependency auditing, PullNotifier's insights on app security is a useful companion read.

Trust the automation. Verify the result. That’s the habit that keeps npm audit fix useful instead of dangerous.

If you’re building on Supabase, Firebase, or shipping mobile apps, AuditYour.App helps you catch the security issues npm audit fix can’t see, including exposed RLS rules, public RPCs, leaked API keys, and hardcoded secrets in frontend bundles and app binaries. It’s a fast way to add an extra layer of confidence before release, whether you want a one-off scan or continuous checks baked into your workflow.