Your npm packages are a security risk. Here's what to do.
The average Node.js project has hundreds of dependencies. You wrote maybe 5% of the code running in your app. The rest came from npm. Every package in that tree is potential attack surface.
Supply chain attacks are real
In 2021, ua-parser-js — a package with 8 million weekly downloads — was compromised. The attacker published a malicious version that installed a cryptocurrency miner and a password stealer on any machine that ran it. Thousands of projects were affected.
How to check for known vulnerabilities
`npm audit`

This checks your dependency tree against the npm security advisory database. Run it. Fix the high and critical issues. Most of them can be resolved with `npm audit fix`.
For a more detailed view, tools like snyk scan for vulnerabilities and also track which packages are unmaintained:
`npx snyk test`

What to do about it
- Run `npm audit` on every PR via CI — don't let new vulns merge
- Update dependencies regularly — most teams do this monthly
- Pin exact versions (`npm ci` installs from package-lock.json) rather than letting npm float to latest
- Review what packages you actually use. `depcheck` finds unused dependencies. Remove them.
- For anything handling payments or authentication, read the package changelogs
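The two CI checks above (gate on `npm audit` results, and keep versions pinned) can be scripted in a few lines. The following is an added example written for this post, not code from npm or from any project mentioned here. It assumes the JSON shape produced by `npm audit --json` on npm 7 and later (per-package entries with `severity` and `fixAvailable`, plus summary counts under `metadata.vulnerabilities`); the report and package.json it runs on are constructed samples with hypothetical package names, so it executes offline.

```javascript
// Added example (not from the original post): a CI gate over the JSON report from
// `npm audit --json` (npm 7+ format, assumed), plus a check that package.json only
// uses exact, pinned versions. All sample data below is constructed.
'use strict';

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample audit report, trimmed to the fields this script reads.
// Package names are hypothetical.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-parser': {
      name: 'example-parser',
      severity: 'high',
      range: '<2.0.1',
      // `npm audit fix` can resolve this one without a major-version bump.
      fixAvailable: { name: 'example-parser', version: '2.0.1', isSemVerMajor: false },
    },
    'example-widget': {
      name: 'example-widget',
      severity: 'low',
      range: '*',
      fixAvailable: false, // no published fix yet
    },
  },
  metadata: {
    vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 0, total: 2 },
  },
};

// Constructed sample package.json: one exact pin, two floating ranges.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { 'example-parser': '2.0.1', 'example-widget': '^1.4.0' },
  devDependencies: { 'example-lint': '~8.0.0' },
};

// Findings at or above `threshold`, annotated with whether a fix exists and
// whether applying it would be a breaking (semver-major) change.
function findingsAtOrAbove(report, threshold) {
  const min = SEVERITY_RANK[threshold];
  if (min === undefined) throw new Error(`unknown severity level: ${threshold}`);
  return Object.values(report.vulnerabilities || {})
    .filter((v) => SEVERITY_RANK[v.severity] >= min)
    .map((v) => ({
      name: v.name,
      severity: v.severity,
      // fixAvailable is false, true, or an object describing the fix version.
      fixable: v.fixAvailable !== false,
      breaking: typeof v.fixAvailable === 'object' && v.fixAvailable.isSemVerMajor === true,
    }));
}

// The CI decision: fail the build if anything meets the threshold. This mirrors
// what `npm audit --audit-level=<level>` does with its exit code.
function shouldFailBuild(report, threshold) {
  return findingsAtOrAbove(report, threshold).length > 0;
}

// A spec is "pinned" only when it is a bare x.y.z (optionally with a prerelease
// tag). Caret, tilde, ranges, dist-tags and wildcards all float to newer code.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

function floatingDependencies(pkg) {
  const out = [];
  for (const section of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (!EXACT_VERSION.test(spec)) out.push({ section, name, spec });
    }
  }
  return out;
}

// Stand-alone demonstration on the constructed samples.
function main() {
  const threshold = process.env.AUDIT_LEVEL || 'high';
  for (const f of findingsAtOrAbove(SAMPLE_AUDIT, threshold)) {
    const fix = f.fixable ? (f.breaking ? 'fix available (breaking)' : 'fix available') : 'no fix yet';
    console.log(`${f.severity.toUpperCase()} ${f.name}: ${fix}`);
  }
  console.log(`fail build at level "${threshold}": ${shouldFailBuild(SAMPLE_AUDIT, threshold)}`);
  for (const d of floatingDependencies(SAMPLE_PACKAGE_JSON)) {
    console.log(`unpinned ${d.section}.${d.name}: ${d.spec}`);
  }
}

main();
```

To use it in a pipeline, replace `SAMPLE_AUDIT` with `JSON.parse` of the captured `npm audit --json` output and `SAMPLE_PACKAGE_JSON` with the project's package.json, then exit non-zero when `shouldFailBuild` returns true or `floatingDependencies` is non-empty. Reading the report rather than relying on npm's exit code alone lets the job print which findings are fixable in place and which need a maintainer to publish a patch.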
The code you didn't write is still your responsibility.