惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

B
Blog RSS Feed
C
CERT Recently Published Vulnerability Notes
P
Proofpoint News Feed
Y
Y Combinator Blog
T
The Blog of Author Tim Ferriss
云风的 BLOG
云风的 BLOG
H
Help Net Security
Recorded Future
Recorded Future
The Register - Security
The Register - Security
F
Full Disclosure
N
Netflix TechBlog - Medium
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
酷 壳 – CoolShell
酷 壳 – CoolShell
H
Hackread – Cybersecurity News, Data Breaches, AI and More
爱范儿
爱范儿
Security Archives - TechRepublic
Security Archives - TechRepublic
Simon Willison's Weblog
Simon Willison's Weblog
Cisco Talos Blog
Cisco Talos Blog
I
InfoQ
T
Tenable Blog
T
Tor Project blog
人人都是产品经理
人人都是产品经理
D
DataBreaches.Net
NISL@THU
NISL@THU
Google DeepMind News
Google DeepMind News
博客园 - 叶小钗
B
Blog
V
V2EX
Jina AI
Jina AI
L
LangChain Blog
月光博客
月光博客
W
WeLiveSecurity
U
Unit 42
AWS News Blog
AWS News Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
博客园 - 聂微东
V
Visual Studio Blog
A
Arctic Wolf
T
Tailwind CSS Blog
The Cloudflare Blog
SecWiki News
SecWiki News
S
SegmentFault 最新的问题
Hacker News - Newest:
Hacker News - Newest: "LLM"
宝玉的分享
宝玉的分享
MyScale Blog
MyScale Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
S
Securelist
www.infosecurity-magazine.com
www.infosecurity-magazine.com
腾讯CDC
雷峰网
雷峰网

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
npm Package Security — How to Find and Fix Vulnerable Dependencies in Your Node.js Application
Vulert · 2026-05-05 · via DEV Community

npm package security is one of the hardest parts of modern Node.js security because the npm ecosystem is massive. The npm registry has more than 2 million packages, making it the largest software registry in the world. That scale helps developers build quickly, but it also creates security risk: abandoned packages, vulnerable transitive dependencies, typosquatting, malicious releases, and supply chain attacks can enter an application through a single install command.

Most Node.js teams do not ship only the packages listed in package.json. The real dependency tree lives in package-lock.json, where direct and transitive packages are pinned. That file can include hundreds or thousands of packages. If one nested dependency has a known CVE, your app may still be affected even if your developers never imported that package directly.

This npm package security guide is written for Node.js developers and engineering leads who need a practical way to find vulnerable packages, fix risky dependencies, and monitor new CVEs after deployment.

This guide explains how to audit npm dependencies, where npm audit helps, where it falls short, which historical npm packages deserve extra attention, how to scan package-lock.json, how to fix vulnerable packages safely, and how to add npm security checks to GitHub Actions.

The npm Package Security Landscape

The npm ecosystem is fast, open, and highly interconnected. That creates three major risk categories: known vulnerabilities, malicious supply chain activity, and dependency maintenance problems. A package can be vulnerable because of a coding flaw, malicious because a maintainer account was compromised, or risky because it is abandoned and no longer receives fixes.

The challenge with npm package security is that risk rarely comes only from the packages your team installs directly. Vulnerabilities can enter through transitive dependencies, abandoned packages, compromised maintainer accounts, or malicious packages hidden deep in the dependency tree.

  • Known CVEs: Packages such as lodash, minimist, follow-redirects, axios, and node-fetch have had publicly tracked vulnerabilities affecting real applications.
  • Supply chain attacks: The event-stream incident showed how a malicious dependency, flatmap-stream, could enter a trusted package and target downstream users.
  • Typosquatting: Attackers publish packages with names similar to popular libraries so developers accidentally install the wrong dependency.
  • Abandoned packages: Some packages remain widely installed even after maintainers stop updating them, leaving users stuck with unresolved vulnerabilities.
  • Transitive risk: A vulnerable package can appear deep inside the dependency tree even when it is not listed directly in package.json.

The key lesson is simple: you cannot secure a Node.js application by reading package.json alone. You need to inspect the full resolved dependency tree.

Where npm Audit Helps npm Package Security — and Where It Falls Short

npm audit is the built-in npm command for checking project dependencies against known vulnerability advisories. It submits dependency information from your project to the configured npm registry and returns a report of known vulnerabilities. When possible, npm audit fix applies compatible updates to the package tree.

npm audit
npm audit --audit-level=high
npm audit --json
npm audit fix

Enter fullscreen mode Exit fullscreen mode

This is useful and should be part of your workflow. But npm audit is not a complete npm package security program by itself.

  • It depends on advisory coverage: If a vulnerability, malicious behavior, or supply chain compromise is not represented in the advisory source used by your registry, the audit may not flag it.
  • Transitive fixes can be unclear: A vulnerable transitive dependency often requires upgrading the parent package, using overrides, or waiting for an upstream maintainer to release a fix.
  • Output can be noisy: Large applications may produce long reports that make it hard to decide which package update removes the most risk.
  • Zero findings do not mean zero risk: A clean audit result does not detect all malicious package behavior, typosquatting, abandoned maintenance, or non-CVE supply chain risk.
  • Force fixes can break applications: npm audit fix --force may introduce semver-major upgrades, so teams should test carefully before merging.

Tip: Use npm audit as a baseline check, but combine it with lockfile scanning, CI/CD enforcement, manual review of risky packages, and continuous monitoring for new CVEs.

Historically Vulnerable npm Packages to Watch

A strong npm package security process should pay special attention to packages that appear across millions of projects or have a long history of public advisories.

The table below highlights npm packages that frequently appear in dependency security conversations. Counts vary by vulnerability database and date, so treat the “known CVE/advisory footprint” column as a practical signal, not a live authoritative total.

Package Common Risk Pattern Known CVE / Advisory Footprint Example Issue What to Check
lodash Prototype pollution and object path handling issues. Multiple public CVEs/advisories over several years. CVE-2020-8203 and other prototype pollution advisories. Confirm current version and check whether it appears directly or transitively.
minimist Prototype pollution through argument parsing. Multiple notable prototype pollution advisories. CVE-2021-44906 affects vulnerable minimist versions. Upgrade to a patched minimist version or update the parent dependency.
follow-redirects Information exposure during redirects. Multiple public advisories across versions. Older versions leaked sensitive information in redirect scenarios. Check direct use and axios-related transitive usage.
axios SSRF, credential exposure, denial of service, and redirect-related risks. Multiple public advisories across versions. Several axios advisories affect request handling and redirect behavior. Use a trusted version, review lockfile changes, and avoid unreviewed automatic upgrades.
node-fetch Information exposure when following redirects. At least one major public CVE/advisory. CVE-2022-0235 forwarded sensitive headers to untrusted sites. Upgrade to patched versions and review redirect behavior in server-side code.

How to Audit package-lock.json for npm Package Security

package.json shows what your project requests. package-lock.json shows what npm actually resolved. For serious npm package security, the lockfile matters because it includes transitive dependencies, exact versions, resolved package URLs, integrity hashes, and nested dependency relationships.

Start with basic inspection:

npm ls
npm ls lodash
npm ls minimist
npm ls follow-redirects
npm ls axios
npm ls node-fetch

Enter fullscreen mode Exit fullscreen mode

Search the lockfile directly:

grep -n "\"lodash\"" package-lock.json
grep -n "\"minimist\"" package-lock.json
grep -n "\"follow-redirects\"" package-lock.json
grep -n "\"axios\"" package-lock.json
grep -n "\"node-fetch\"" package-lock.json

Enter fullscreen mode Exit fullscreen mode

For a JSON-based view, use Node.js to find installed versions from the lockfile:

node -e "const lock=require('./package-lock.json'); for (const [k,v] of Object.entries(lock.packages||{})) if(k.includes('node_modules/lodash')) console.log(k, v.version)"

Enter fullscreen mode Exit fullscreen mode

Then compare the installed versions against advisories or scan the file with an SCA tool. Manual grep is useful for quick checks, but it does not scale well across many projects or thousands of dependencies.

npm Commands for Fixing Vulnerabilities

The safest fix depends on whether the vulnerable package is direct or transitive. If it is direct, upgrade it explicitly. If it is transitive, upgrade the parent package or use npm overrides when appropriate.

Run the standard audit fix first:

npm audit fix

Enter fullscreen mode Exit fullscreen mode

Use force only when you understand the breaking-change risk:

npm audit fix --force

Enter fullscreen mode Exit fullscreen mode

Upgrade a direct dependency to a known safe version:

npm install lodash@latest
npm install minimist@latest
npm install follow-redirects@latest
npm install axios@latest
npm install node-fetch@latest

Enter fullscreen mode Exit fullscreen mode

Install a specific patched version when your application needs version control:

npm install lodash@4.17.21
npm install minimist@1.2.8
npm install node-fetch@2.6.7

Enter fullscreen mode Exit fullscreen mode

If a vulnerable transitive dependency cannot be fixed through the parent package immediately, use overrides in package.json with caution:

{
  "overrides": {
    "minimist": "1.2.8",
    "follow-redirects": "1.15.6"
  }
}

Enter fullscreen mode Exit fullscreen mode

After applying fixes, reinstall and retest:

rm -rf node_modules
npm ci
npm test
npm audit --audit-level=high

Enter fullscreen mode Exit fullscreen mode

Tip: Do not commit dependency fixes without reviewing package-lock.json. Most npm dependency security changes happen in the lockfile, not just in package.json.

Where npm audit Falls Short for Transitive Dependencies

npm audit can report transitive dependency vulnerabilities, but fixing them is often the hard part. If a vulnerable package is nested under another library, the direct fix may not be npm install vulnerable-package@fixed-version. The correct fix may be to upgrade the parent dependency that brought it in.

For example, if follow-redirects appears through axios, upgrading follow-redirects directly may not be enough if the dependency is locked under the parent package. You may need to upgrade axios, use an override, or wait for a compatible upstream release.

This is why package grouping matters. A long list of 60 CVEs may come from only a few packages. A good workflow should show the package upgrade that removes the most risk, not only the individual CVE list.

Upload package-lock.json to Vulert for a Comprehensive Scan

Vulert can analyze package-lock.json and yarn.lock files for JavaScript and Node.js projects. This is useful when you want a fast dependency report without connecting a repository or installing an agent. Uploading the lockfile gives the scanner visibility into the resolved dependency tree, including transitive dependencies.

For npm package security, Vulert helps by showing affected packages, vulnerable versions, CVSS scores, fixed versions, and fix guidance. It also supports continuous monitoring, so your team can get alerts when a new CVE affects dependencies already used by your application.

This is useful for teams that need more than a one-time terminal result. Developers can fix the package, engineering leads can prioritize by package health, and teams using Jira can turn findings into trackable remediation work.

Add npm Security Scanning to GitHub Actions

For teams running production Node.js applications, npm package security should be part of CI/CD, not a manual task developers remember only before releases.

Add a basic security check to your CI/CD pipeline so vulnerable dependencies are caught before deployment. This example uses npm ci, runs tests, and fails the workflow for high or critical npm audit findings.

name: Node.js Dependency Security

on:
  pull_request:
  push:
    branches:
      - main

jobs:
  npm-security:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '22'
          cache: 'npm'

      - name: Install dependencies
        run: npm ci

      - name: Run tests
        run: npm test

      - name: Audit npm dependencies
        run: npm audit --audit-level=high

Enter fullscreen mode Exit fullscreen mode

This workflow is a good baseline. Mature teams may add scheduled scans, SARIF uploads, security issue creation, dependency review, or a separate SCA scanner for deeper reporting and continuous monitoring.

Practical npm Package Security Workflow

A sustainable npm package security workflow should be simple enough for developers to follow and strict enough to catch real risk. Use this sequence for most Node.js applications:

  • Scan the lockfile: Use package-lock.json as the primary source because it contains exact resolved versions and transitive dependencies.
  • Prioritize by severity and exposure: Fix critical and high vulnerabilities first, especially in production services and internet-facing applications.
  • Group by package: Upgrade packages that remove multiple vulnerabilities instead of opening separate tickets for every CVE.
  • Test every upgrade: Run unit tests, integration tests, and build checks because dependency upgrades can introduce breaking behavior.
  • Monitor continuously: New CVEs appear after release, so scan again after deployment and alert the team when risk changes.

Key Takeaways

  • npm package security starts with the lockfile: package-lock.json shows the exact resolved dependency tree, including transitive packages.
  • npm audit is useful but not complete: It helps identify known vulnerabilities, but it does not detect every supply chain risk or always provide clear remediation for nested dependencies.
  • Historically risky packages deserve special attention: Watch packages such as lodash, minimist, follow-redirects, axios, and node-fetch.
  • Fixes require testing: npm audit fix --force can introduce breaking changes, so use it carefully and test before merging.
  • CI/CD scanning prevents risky changes from shipping: GitHub Actions can fail builds when high or critical dependency vulnerabilities appear.
  • Continuous monitoring matters: A clean scan today does not mean your dependencies will stay safe after new CVEs are disclosed.

Frequently Asked Questions

Can npm audit show zero vulnerabilities while risk still exists?

Yes. A zero-vulnerability audit result only means npm did not find known advisories for the submitted dependency tree. It does not prove the project is free from malicious package behavior, typosquatting, abandoned packages, private advisory gaps, or future CVEs.

How often should Node.js dependencies be scanned?

Scan during pull requests, before releases, and continuously after deployment. Daily monitoring is a good baseline for many teams, while critical production apps may need faster alerts for newly disclosed CVEs.

Can Vulert scan package-lock.json?

Yes. Vulert supports package-lock.json and yarn.lock for Node.js projects. It can analyze dependencies, identify known vulnerabilities, show fix guidance, and support continuous monitoring.