This repository was archived by the owner on Aug 11, 2022. It is now read-only.
Create a flag npm audit --ci or npm audit --output-json, which will output a machine parseable string of the information, e.g. in JSON.
What problem is the feature intended to solve?
The general availability of npm audit in npm 6 is awesome and will help make applications built with node a lot more secure. However, the current output of npm is not really machine parseable and hinders its usage in CICD pipelines.
Is the absence of this feature blocking you or your team? If so, how?
Yes. The summary is currently saved as an artifact in our CICD pipeline, but we are reluctant to parse the human-readable output. We would like to make sure that no high-priority security problems are present and would like the build to break in that case.
A possible solution with the JSON output would allow us to use tools like jq to effectively query and act upon it in scripts and would give users very fine-grained options.
An easier solution (but not as powerful) would be a switch like npm audit --error-severity high, where npm would exit with a POSIX exit code other than 0 if a security problem of severity greater than or equal to [low|medium|high] was found.
Is this feature similar to an existing feature in another tool?
Yes - other security scanners provide machine-readable output options.
Is this a feature you're prepared to implement, with support from the npm CLI team?
We could help with that.
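As an added example, not code from the issue or from npm itself, here is a small CI gate in the spirit of the --error-severity switch proposed above: it reads the JSON that npm audit --json emits, counts findings in metadata.vulnerabilities (assumed here to follow the npm 6 layout, with npm's "moderate" level in place of "medium"), and exits non-zero when anything at or above the chosen severity is present. A report without that block is treated as an error rather than a pass, so a broken or truncated artifact cannot silently green-light the build.

```python
"""Fail a CI build when `npm audit --json` reports findings at or above a severity threshold."""
import json
import sys

# npm's severity scale, lowest to highest (npm uses "moderate" rather than "medium").
SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]


def count_at_or_above(audit_report, threshold):
    """Return the number of findings whose severity is >= threshold.

    Reads metadata.vulnerabilities (assumed npm 6 `--json` layout). A report
    missing that block raises, so the gate fails closed on malformed input.
    """
    if threshold not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity {threshold!r}; expected one of {SEVERITY_ORDER}")
    counts = audit_report.get("metadata", {}).get("vulnerabilities")
    if not isinstance(counts, dict):
        raise ValueError("audit report has no metadata.vulnerabilities block")
    min_index = SEVERITY_ORDER.index(threshold)
    return sum(int(counts.get(sev, 0)) for sev in SEVERITY_ORDER[min_index:])


def exit_code_for(audit_report, threshold="high"):
    """0 when nothing at or above threshold was found, 1 otherwise (non-zero breaks the build)."""
    return 1 if count_at_or_above(audit_report, threshold) > 0 else 0


# Constructed sample shaped like npm 6 `npm audit --json` output; not real advisory data.
SAMPLE_REPORT = {
    "actions": [],
    "advisories": {},
    "metadata": {
        "vulnerabilities": {"info": 0, "low": 3, "moderate": 1, "high": 0, "critical": 0},
        "totalDependencies": 120,
    },
}


def main():
    # Usage: npm audit --json | python audit_gate.py high
    # With no piped input the constructed sample is used so the script runs offline.
    report = SAMPLE_REPORT if sys.stdin.isatty() else json.load(sys.stdin)
    threshold = sys.argv[1] if len(sys.argv) > 1 else "high"
    found = count_at_or_above(report, threshold)
    print(f"{found} finding(s) at severity >= {threshold}")
    sys.exit(exit_code_for(report, threshold))


if __name__ == "__main__":
    main()
```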