Dependency Vulnerability Scanning
The average Node.js app depends on hundreds of packages — and each one is a potential attack vector. Known vulnerabilities are published to the npm Advisory Database and NVD (National Vulnerability Database), assigned a CVE, and rated by severity. Supply-chain attacks (malicious packages, typosquatting, maintainer account takeovers) are increasingly common. This page covers the scanning tools, how to interpret results, update strategies, and how to evaluate whether a vulnerability actually affects you.
npm audit — built-in scanning
npm audit # check all dependencies against the advisory database npm audit --audit-level high # exit non-zero only for high/critical npm audit fix # auto-update to non-breaking patched versions npm audit fix --force # also update major versions (test carefully)
found 3 vulnerabilities (1 moderate, 2 high) # run npm audit fix to fix them, or npm audit for more details High severity vulnerability Package: jsonwebtoken Patched in: >=9.0.0 Dependency of: your-app Path: your-app > jsonwebtoken More info: https://github.com/advisories/GHSA-...
Third-party scanners
Tool | What it adds over |
|---|---|
| Deeper analysis, license checks, fix PRs, runtime monitoring |
| Supply-chain analysis — detects malicious packages, not just CVEs |
GitHub Dependabot | Automatic PRs when vulnerabilities are patched upstream |
Renovate | Automated dependency update PRs with configurable policy |
npx snyk test # test for vulnerabilities npx snyk monitor # continuously monitor in Snyk dashboard npx socket report package-lock.json # supply-chain analysis
Evaluating a vulnerability — not all are equal
For each vulnerability, ask: 1. REACHABILITY — does your app actually call the vulnerable code path? (A vulnerability in a package you import but don't use may not matter) 2. CONTEXT — the attack requires X (user input, network access, specific config)? (A server-side prototype pollution in a client-only lib may be theoretical) 3. SEVERITY — Critical/High vs Low/Moderate: how much damage if exploited? 4. FIX AVAILABLE — is there a patched version? (If yes, update. If not: mitigate, or find an alternative package)
Keeping dependencies current
# See what's outdated: npm outdated # Update a specific package: npm install package@latest # Interactive update with npx: npx npm-check-updates # shows all available updates npx npm-check-updates -u # writes latest versions to package.json (then npm install)
Supply-chain hygiene
Commit
package-lock.json— pins the exact resolved versions; prevents silent upgrades.Use
npm ciin CI/CD — installs exactly from the lockfile; fails if it's out of sync.Audit new packages before adding — check download count, GitHub activity, maintainer reputation.
Watch for typosquatting —
lodashis safe;1odash(with a 1) is not.Avoid installing packages with
--ignore-scriptsin automated contexts to prevent postinstall malware.Pin exact versions for critical packages in
package.jsonwhere drift risk is high.
In CI: fail on vulnerabilities
.github/workflows/security.yml (GitHub Actions)
- name: Run security audit run: npm audit --audit-level high # Exits non-zero on high/critical → fails the CI check