No known critical vulnerabilities in dependencies
Why it matters
Dependencies that are multiple major versions behind their current release accumulate unpatched CVEs — many of them publicly documented with working exploits and CVSS scores above 9.0. React 16 shipped before multiple prototype pollution and XSS fixes present in React 18+; Next.js 10 predates authentication bypass fixes in later versions. OWASP A06 (Vulnerable and Outdated Components) is the top-ranked supply chain risk for web apps. CWE-1104 (Use of Unmaintained Third Party Components) and SSDF PW.4.1 (Identify and confirm vulnerabilities in software) directly apply. Known-compromised packages like event-stream@3.3.6 are particularly dangerous because the malicious code runs in your build environment, not just at runtime.
Severity rationale
High because critically outdated production dependencies carry known, publicly documented CVEs with working exploits that attackers can apply without any reconnaissance.
Remediation
Run npm audit to enumerate known vulnerabilities and apply automatic fixes where safe. Review the output for critical and high severity findings before accepting any changes.
```shell
# Enumerate all vulnerabilities
npm audit
# Apply safe automatic fixes
npm audit fix
# Force-fix breaking changes (review the diff before committing)
npm audit fix --force
```
For dependencies that can't be auto-fixed, check the advisory linked in the audit output for the manual upgrade path. Prioritize production dependencies over devDependencies — devDep vulnerabilities rarely affect deployed code. For ongoing supply chain monitoring, the Dependency & Supply Chain Audit covers lockfile integrity, typosquatting, and license compliance.
Detection
- ID: dependency-audit
- Severity: high
- What to look for: Count all production dependencies and devDependencies in `package.json` and examine the lock file for dependency health. This check cannot perform a live CVE audit — evaluate based on the following signals:
  - Obviously outdated major versions — packages that appear to be multiple major versions behind their current release (e.g., `"react": "^15.x"` when React 18+ is current, `"next": "^10.x"` when Next.js 14+ is current).
  - Known-problematic packages — packages with publicly documented supply chain compromise history (e.g., `event-stream`, `ua-parser-js` at affected versions, `colors`/`faker` at malicious versions).
  - Lock file presence — a lock file ensures reproducible installs and is evaluated by the `lockfile-present` check.
- Pass criteria: Count all production dependencies in `package.json`. No dependency is more than 2 major versions behind its current release. No obviously deprecated or end-of-life packages detected. No known-compromised packages at affected versions. Report even on pass: "X production dependencies checked, Y devDependencies checked, Z outdated by 2+ major versions."
- Fail criteria: Any production dependency is more than 2 major versions behind its current release (e.g., React 16 when React 19 is current), or known-compromised packages detected at affected versions. No known-compromised packages may be present at all.
- Error when: Cannot access `package.json` or the lock file to evaluate dependencies.
- Skip (N/A) when: Never for web projects with a package manager.
- Detail on fail: "Production dependency react@16.14.0 is 3 major versions behind current (React 19) — exceeds 2-version threshold" or "Known-compromised package event-stream@3.3.6 found in dependencies"
- Remediation: Run `npm audit` (or `pnpm audit`/`yarn audit`) and fix critical vulnerabilities with `npm audit fix`. For vulnerabilities that can't be auto-fixed, check the advisory for manual upgrade paths. Prioritize fixing production dependencies over devDependencies. For a deeper analysis of dependency risks, the Dependency & Supply Chain Audit covers this in detail.
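The detection signals and report format above, as an added example that is not part of the check's own implementation: it reads a parsed `package.json` object, compares each declared major against a caller-maintained table of current majors, flags known-compromised name@version pairs, and produces the pass/fail summary. `CURRENT_MAJORS`, `COMPROMISED` and the sample manifest are constructed data, not a live CVE feed.

```javascript
// Added example: offline approximation of the dependency-audit check.
// CURRENT_MAJORS and COMPROMISED are constructed tables for illustration;
// a real deployment must feed them from release and advisory data.
const MAJOR_THRESHOLD = 2; // fail when a production dep is more than 2 majors behind

// Constructed snapshot of "current" major versions (hypothetical values).
const CURRENT_MAJORS = { react: 19, next: 14, express: 4 };

// Constructed set of name@version pairs with documented compromise history.
const COMPROMISED = new Set(["event-stream@3.3.6"]);

// Lowest explicit major a range admits: "^15.x" -> 15, "~16.14.0" -> 16, ">=18 <19" -> 18.
// Returns null for "*", "latest", git/URL specifiers and anything without a leading major.
function declaredMajor(range) {
  const m = /^\s*(?:[~^]|>=?|<=?|=)?\s*v?(\d+)(?:\.|\s|$)/.exec(range);
  return m ? Number(m[1]) : null;
}

// Exact pinned version ("3.3.6") when the range is a single version, else null.
function pinnedVersion(range) {
  const m = /^\s*=?v?(\d+\.\d+\.\d+)\s*$/.exec(range);
  return m ? m[1] : null;
}

function auditDependencies(pkg) {
  const report = { status: "pass", prodCount: 0, devCount: 0, outdated: 0, findings: [] };
  for (const [section, isProd] of [["dependencies", true], ["devDependencies", false]]) {
    for (const [name, range] of Object.entries(pkg[section] || {})) {
      if (isProd) report.prodCount++; else report.devCount++;
      const pinned = pinnedVersion(range);
      if (pinned && COMPROMISED.has(`${name}@${pinned}`)) {
        report.findings.push(`Known-compromised package ${name}@${pinned} found in ${section}`);
      }
      const major = declaredMajor(range), current = CURRENT_MAJORS[name];
      if (major === null || current === undefined) continue; // no data, no opinion
      const behind = current - major;
      if (behind >= MAJOR_THRESHOLD) report.outdated++; // reported even on pass
      if (isProd && behind > MAJOR_THRESHOLD) {
        report.findings.push(`Production dependency ${name}@${range} is ${behind} major versions behind current (${current}); exceeds ${MAJOR_THRESHOLD}-version threshold`);
      }
    }
  }
  if (report.findings.length > 0) report.status = "fail";
  report.summary = `${report.prodCount} production dependencies checked, ${report.devCount} devDependencies checked, ${report.outdated} outdated by ${MAJOR_THRESHOLD}+ major versions`;
  return report;
}

// Constructed manifest: one stale production dep, one compromised pin, one stale devDep.
const SAMPLE_PACKAGE_JSON = {
  name: "constructed-sample-app",
  dependencies: { react: "^16.14.0", next: "^14.1.0", "event-stream": "3.3.6" },
  devDependencies: { express: "^2.5.0" },
};

console.log(JSON.stringify(auditDependencies(SAMPLE_PACKAGE_JSON), null, 2));
```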
External references
- cwe · CWE-1104 — Use of Unmaintained Third Party Components
- cwe · CWE-1035 — OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
- cwe · CWE-1357 — Reliance on Insufficiently Trustworthy Component
- owasp:2021 · A06 — Vulnerable and Outdated Components
- ssdf:800-218 · PW.4.1 — Acquire and maintain well-secured software components
History
- 2026-04-17·v1.0.0·Initial import from security-headers·automated