Dependencies that are several major versions behind their current release accumulate unpatched CVEs, many of them publicly documented with working exploits and some with CVSS scores above 9.0. Older major lines also stop receiving security backports: React 16 and Next.js 10 are outside their maintainers' support window, so fixes landing on current releases never reach them. OWASP A06:2021 (Vulnerable and Outdated Components) is the Top 10 category for this risk; CWE-1104 (Use of Unmaintained Third Party Components) and SSDF PW.4.1 (acquire and maintain well-secured third-party components), together with SSDF RV.1 (identify and confirm vulnerabilities), apply directly. Known-compromised packages such as event-stream@3.3.6, which pulled in the malicious flatmap-stream@0.1.1, are especially dangerous because the malicious code executes at install or build time on developer machines and CI runners, with their credentials, not only at runtime in production.
High because critically outdated production dependencies carry known, publicly documented CVEs with working exploits that attackers can apply without any reconnaissance.
Run npm audit to enumerate known vulnerabilities in the resolved dependency tree and apply automatic fixes where they stay within the declared semver ranges. Review the output for critical and high severity findings, and check the resulting diff to package.json and the lock file, before accepting any changes.
# Enumerate all vulnerabilities
npm audit
# Apply safe automatic fixes
npm audit fix
# Force-fix by installing breaking major versions (may change public APIs; review the diff and run the test suite before committing)
npm audit fix --force
For dependencies that can't be auto-fixed, check the advisory linked in the audit output for the manual upgrade path. Prioritize production dependencies over devDependencies, since devDependency vulnerabilities rarely reach deployed code; the exception is a known-compromised package, which is dangerous wherever it is installed because it executes on developer machines and in CI. For ongoing supply chain monitoring, the Dependency & Supply Chain Audit covers lockfile integrity, typosquatting, and license compliance.
ID: security-headers.basic-hygiene.dependency-audit
Severity: high
What to look for: Count all production dependencies and devDependencies in package.json and examine the lock file for dependency health. This check cannot perform a live CVE audit — evaluate based on the following signals:
- Major-version lag: a dependency declared more than two major versions behind its current release (e.g., "react": "^15.x" when React 18+ is current, "next": "^10.x" when Next.js 14+ is current).
- Known-compromised packages at affected versions (e.g., event-stream, ua-parser-js at affected versions, colors/faker at malicious versions). Use the resolved version from the lock file where one exists, since a caret or tilde range in package.json does not show which version is actually installed.
- Lock file presence: a missing lock file is reported by the lockfile-present check rather than here.
Pass criteria: Count all production dependencies in package.json. No production dependency is more than 2 major versions behind its current release. No obviously deprecated or end-of-life packages detected. No known-compromised packages at affected versions, in either dependencies or devDependencies. Report even on pass: "X production dependencies checked, Y devDependencies checked, Z more than 2 major versions behind."
Fail criteria: Any production dependency is more than 2 major versions behind its current release (e.g., React 16 when React 19 is current), or any known-compromised package is present at an affected version in dependencies or devDependencies.
Error when: Cannot access package.json or lock file to evaluate dependencies.
Skip (N/A) when: Never for web projects with a package manager.
Detail on fail: "Production dependency react@16.14.0 is 3 major versions behind current (React 19) — exceeds 2-version threshold" or "Known-compromised package event-stream@3.3.6 found in dependencies"
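The following is an added example of how the pass/fail logic above can be implemented as a static check over package.json, written for this page and not taken from the audit tool it describes. It does not query a vulnerability database: the "current" major versions and the known-compromised list are assumptions supplied by the caller, and the package.json below is constructed sample input, not a real project. The helper names (auditPackageJson, declaredMajor, pinnedVersion) are this example's own.

```javascript
// Constructed sample package.json (not a real project). Mixes an exact pin,
// caret/tilde ranges, and a non-semver workspace spec to exercise the parser.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "sample-app",
  dependencies: {
    react: "^16.14.0",
    next: "~10.2.3",
    "event-stream": "3.3.6",
    lodash: "^4.17.21",
    "my-lib": "workspace:*",
  },
  devDependencies: {
    jest: "^29.7.0",
    eslint: "^8.0.0",
  },
});

// Assumed "current" major versions at evaluation time (not fetched live).
const CURRENT_MAJORS = { react: 19, next: 15, lodash: 4, jest: 29, eslint: 9 };

// Assumed known-compromised package@version pairs; a real check would load
// these from an advisory feed. event-stream@3.3.6 / flatmap-stream@0.1.1 are
// the historical pair from the 2018 incident.
const KNOWN_COMPROMISED = new Set(["event-stream@3.3.6", "flatmap-stream@0.1.1"]);

const MAX_MAJOR_LAG = 2; // "more than 2 major versions behind" fails

// Declared major from a semver range such as "^16.14.0", "~10.2", ">=4.0.0 <5".
// Returns null for specs that are not plain semver (git URLs, workspace:, tags).
function declaredMajor(spec) {
  const m = /^[\^~>=<\s]*v?(\d+)(?:\.\d+)?(?:\.\d+)?/.exec(spec);
  return m ? Number(m[1]) : null;
}

// Exact pinned version ("3.3.6" -> "3.3.6"); ranges return null because only a
// lock file can tell which version a range actually resolved to.
function pinnedVersion(spec) {
  const m = /^v?(\d+\.\d+\.\d+)$/.exec(spec.trim());
  return m ? m[1] : null;
}

function evaluateDeps(deps, scope, currentMajors, compromised, resolved) {
  const findings = [];
  for (const [name, spec] of Object.entries(deps)) {
    const major = declaredMajor(spec);
    const current = currentMajors[name];
    if (major !== null && current !== undefined && current - major > MAX_MAJOR_LAG) {
      const lag = current - major;
      findings.push({ kind: "outdated", scope, name, spec, lag,
        detail: `${scope} dependency ${name}@${spec} is ${lag} major versions behind current (${name} ${current}) - exceeds ${MAX_MAJOR_LAG}-version threshold` });
    }
    // Prefer the lock-resolved version; fall back to an exact pin in package.json.
    const version = resolved[name] ?? pinnedVersion(spec);
    if (version && compromised.has(`${name}@${version}`)) {
      findings.push({ kind: "compromised", scope, name, spec,
        detail: `Known-compromised package ${name}@${version} found in ${scope}` });
    }
  }
  return findings;
}

// resolved: optional map name -> version taken from the lock file (assumed to be
// extracted by the caller); empty means "use exact pins only".
function auditPackageJson(text, currentMajors = CURRENT_MAJORS,
                          compromised = KNOWN_COMPROMISED, resolved = {}) {
  const pkg = JSON.parse(text);
  const prod = pkg.dependencies || {};
  const dev = pkg.devDependencies || {};
  const findings = [
    ...evaluateDeps(prod, "production", currentMajors, compromised, resolved),
    ...evaluateDeps(dev, "dev", currentMajors, compromised, resolved),
  ];
  // Fail on any compromised package (either scope) or any production dep past the lag threshold.
  // Outdated devDependencies are reported but do not fail the check on their own.
  const fail = findings.some(f => f.kind === "compromised" ||
                                  (f.kind === "outdated" && f.scope === "production"));
  const outdatedProd = findings.filter(f => f.kind === "outdated" && f.scope === "production").length;
  return {
    status: fail ? "fail" : "pass",
    prodCount: Object.keys(prod).length,
    devCount: Object.keys(dev).length,
    findings,
    summary: `${Object.keys(prod).length} production dependencies checked, ` +
             `${Object.keys(dev).length} devDependencies checked, ` +
             `${outdatedProd} more than ${MAX_MAJOR_LAG} major versions behind.`,
  };
}

const report = auditPackageJson(SAMPLE_PACKAGE_JSON);
console.log(report.status, report.summary);
for (const f of report.findings) console.log("-", f.detail);
```

On the sample input the check fails: react (3 majors behind) and next (5 behind) breach the threshold, event-stream@3.3.6 matches the compromised list, lodash and the devDependencies pass, and "workspace:*" is skipped because no major can be read from it. Passing a lock-resolved version map as the fourth argument lets the compromised-package match catch a range such as "^3.3.0" that resolved to 3.3.6, which the package.json text alone cannot reveal.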
Remediation: Run npm audit (or pnpm audit / yarn audit) and fix critical vulnerabilities:
npm audit fix
For vulnerabilities that can't be auto-fixed, check the advisory for manual upgrade paths. Prioritize fixing production dependencies over devDependencies. For a deeper analysis of dependency risks, the Dependency & Supply Chain Audit covers this in detail.