Unpatched dependencies are the most common initial access vector in supply-chain attacks: a single vulnerable lodash or express version can expose every application built with it once a public exploit drops. NIST 800-53 rev5 SI-2 (Flaw Remediation) requires timely patching; RA-5 (Vulnerability Monitoring and Scanning) mandates continuous scanning. FedRAMP rev5 SI-2 sets a 30-day remediation window for high-severity findings. CWE-1357 and SLSA L2 both address dependency provenance and vulnerability management. CI/CD pipelines that never run npm audit provide a false sense of security — vulnerabilities accumulate silently across every merge.
Severity is low because exploiting a known dependency vulnerability still requires a secondary exploit path specific to how the library is used, but such vulnerabilities represent pre-positioned risk that attackers target at scale.
Add npm audit --audit-level=high to your CI pipeline as a required check and configure Dependabot to open PRs for security updates within 24 hours of disclosure.
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: npm
    directory: /
    schedule:
      interval: daily
    open-pull-requests-limit: 10
    groups:
      security:
        applies-to: security-updates
        update-types: [minor, patch]
# .github/workflows/security.yml
name: Dependency Audit
on: [push, pull_request]
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with: { node-version: '20' }
      - run: npm ci
      - run: npm audit --audit-level=high
Run npm audit fix immediately for any critical or high findings already in the lockfile. Use npm audit --json to integrate results into a SIEM or tracking ticket.
ID: gov-fisma-fedramp.system-protection.dependency-vulnerabilities
Severity: low
What to look for: Count all production dependencies in package.json. Check package-lock.json or yarn.lock for vulnerability entries, look for npm audit or yarn audit configuration, and check for CI/CD workflows that run security scans. Search for any GitHub security alerts or Dependabot configuration (.github/dependabot.yml). Look at the age of dependencies — very old dependencies often have known vulnerabilities.
Pass criteria: Dependency vulnerabilities are tracked (via npm audit, yarn audit, Snyk, or similar). Zero critical or high vulnerabilities remain unremediated. A CI/CD workflow runs security checks on every pull request. Dependabot or similar is configured to auto-update dependencies. Report even on pass: report the count of production dependencies checked and the number of vulnerabilities found.
Fail criteria: No vulnerability tracking found, known vulnerabilities in dependencies are ignored, or CI/CD doesn't check for vulnerabilities.
Skip (N/A) when: Never — all projects with npm dependencies should track vulnerabilities.
Detail on fail: Specify the gaps. Example: "npm audit shows 3 high and 2 critical vulnerabilities in express and lodash. No CI/CD workflow runs npm audit. Dependabot not configured."
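As an added example (not part of this rule's own code), the following Node.js script evaluates a parsed npm audit --json report against the pass criteria above and produces the summary line that the "report even on pass" and "detail on fail" fields call for, which is also the shape you would forward to a SIEM or tracking ticket. The embedded report is a constructed sample in npm's auditReportVersion 2 schema; the package names echo the rule's own example and the severities are illustrative, not real advisories.

```javascript
const SEVERITY_ORDER = ['info', 'low', 'moderate', 'high', 'critical'];

// Constructed sample of `npm audit --json` output (npm v7+ schema, auditReportVersion 2).
// Package names echo the rule's own example; severities are illustrative, not real advisories.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    lodash: { name: 'lodash', severity: 'high', isDirect: true, fixAvailable: true },
    express: { name: 'express', severity: 'critical', isDirect: true, fixAvailable: true },
    'transitive-dep': { name: 'transitive-dep', severity: 'moderate', isDirect: false, fixAvailable: true },
  },
  metadata: {
    vulnerabilities: { info: 0, low: 0, moderate: 1, high: 1, critical: 1, total: 3 },
    dependencies: { prod: 42, dev: 310, optional: 0, peer: 0, peerOptional: 0, total: 352 },
  },
};

// Count findings per severity from the per-package entries rather than trusting
// metadata alone, so a truncated or hand-edited report cannot hide findings.
function countBySeverity(report) {
  const counts = Object.fromEntries(SEVERITY_ORDER.map((s) => [s, 0]));
  for (const vuln of Object.values(report.vulnerabilities || {})) {
    if (vuln.severity in counts) counts[vuln.severity] += 1;
  }
  return counts;
}

// Apply the rule: fail when any finding is at or above auditLevel, the same
// threshold semantics as `npm audit --audit-level=<level>`.
function evaluateAudit(report, auditLevel = 'high') {
  const threshold = SEVERITY_ORDER.indexOf(auditLevel);
  if (threshold < 0) throw new Error(`unknown audit level: ${auditLevel}`);
  const counts = countBySeverity(report);
  const failing = Object.values(report.vulnerabilities || {})
    .filter((v) => SEVERITY_ORDER.indexOf(v.severity) >= threshold)
    .map((v) => v.name)
    .sort();
  const prodDependencies = report.metadata?.dependencies?.prod ?? 0;
  // Build the line the rule wants: counts on pass, breakdown plus package names on fail.
  const breakdown = SEVERITY_ORDER.slice(threshold).filter((s) => counts[s] > 0)
    .map((s) => `${counts[s]} ${s}`).join(' and ');
  const summary = failing.length === 0
    ? `npm audit: ${prodDependencies} production dependencies checked, no findings at or above ${auditLevel}.`
    : `npm audit shows ${breakdown} vulnerabilities in ${failing.join(', ')} (${prodDependencies} production dependencies checked).`;
  return { pass: failing.length === 0, counts, failing, prodDependencies, summary };
}

console.log(evaluateAudit(SAMPLE_REPORT, 'high').summary);
```

To run it against a real project, capture the scan with npm audit --json > audit.json and pass JSON.parse of that file to evaluateAudit in place of SAMPLE_REPORT.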
Remediation: Enable dependency vulnerability tracking:
# Run npm audit to identify vulnerabilities
npm audit
# Fix known vulnerabilities
npm audit fix
# Enable Dependabot in GitHub (Settings > Security & analysis > Enable Dependabot)
# Or add dependabot.yml:
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: 'npm'
    directory: '/'
    schedule:
      interval: 'daily'
    open-pull-requests-limit: 5
Add npm audit to your CI/CD:
# .github/workflows/security.yml
name: Security
on: [push, pull_request]
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
      - run: npm audit --audit-level=moderate