Security advisories addressed
Why it matters
OWASP A06 (Vulnerable and Outdated Components) is the most mechanically preventable entry on the OWASP Top 10 — npm audit flags high and critical vulnerabilities automatically, yet most projects never run it in CI. SSDF SP 800-218 PW.4.4 requires active vulnerability scanning of dependencies as a baseline software security practice. A high-severity advisory in a direct dependency (e.g., prototype pollution in lodash, RCE in an older serialize-javascript) can be fixed with a single npm audit fix — but only if you know it's there.
Severity rationale
High because unscanned dependencies can carry high or critical CVEs silently for months, with a trivial automated fix available that no one runs because auditing was never wired into CI.
Remediation
Add npm audit to your CI pipeline. It exits non-zero on findings at or above the specified level, blocking the build:
# .github/workflows/ci.yml
- name: Audit dependencies
  run: npm audit --audit-level=high
To fix current findings:
npm audit fix # auto-fix compatible versions
npm audit fix --force # upgrade to breaking versions (review changes carefully)
npm audit # see remaining issues requiring manual intervention
Add to package.json for local runs:
{ "scripts": { "audit:ci": "npm audit --audit-level=high" } }
Detection
- ID: security-advisories
- Severity: high
- What to look for: Check whether npm audit (or equivalent) is part of the development workflow. Look for an audit script in package.json scripts. Check CI/CD workflow files in .github/workflows/ for npm audit --audit-level=high or similar commands. If the CI does not run an audit, there is no automated mechanism to catch new vulnerabilities introduced when dependencies are updated. For a manual check: mentally scan package.json for well-known historically vulnerable packages (e.g., older express versions, serialize-javascript below 6.0.2, lodash below 4.17.21, path-parse below 1.0.7) and note their versions. Security advisories at the high and critical level are the pass/fail threshold.
- Pass criteria: Enumerate all relevant code locations. npm audit runs in CI (or equivalent), OR the project has no high/critical vulnerabilities in its current dependency tree. Audit command present in package.json scripts or CI workflow with at least 1 verified location.
- Fail criteria: No security audit step in CI and no evidence of manual audit; or known high/critical advisories are present in the current dependencies.
- Skip (N/A) when: Not a Node.js project.
- Detail on fail: "No npm audit step found in CI or package.json scripts; high/critical vulnerabilities may go undetected"
- Remediation: Add security auditing to your CI pipeline, as shown in the Remediation section above (npm audit --audit-level=high in the GitHub Actions workflow, npm audit fix for current findings, and an audit:ci script in package.json).
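An added example, not part of the rule text or its source project: a Node.js script that applies the Detection criteria above to constructed package.json and workflow text. It assumes the version thresholds listed in the rule and treats any command containing npm audit as an audit step.

```javascript
// Added example (not from the rule or its project): checks the Detection
// criteria above against package.json text and CI workflow text, offline.

// Minimum safe versions exactly as listed in the rule text; lower is flagged.
const KNOWN_VULNERABLE = {
  'serialize-javascript': '6.0.2',
  lodash: '4.17.21',
  'path-parse': '1.0.7',
};

// Pull the first x.y.z out of a range spec such as "^4.17.15" or ">=1.0.5".
function parseVersion(spec) {
  const m = String(spec).match(/(\d+)\.(\d+)\.(\d+)/);
  return m ? m.slice(1, 4).map(Number) : null;
}

// True when the spec's base version is strictly below the threshold.
function isBelow(spec, threshold) {
  const a = parseVersion(spec);
  const b = parseVersion(threshold);
  if (!a) return false; // git URL, tag or "*": cannot judge from the spec alone
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

const AUDIT_RE = /\bnpm\s+audit\b/; // "npm audit" with any flags, e.g. --audit-level=high

function checkProject(packageJsonText, workflowTexts) {
  const pkg = JSON.parse(packageJsonText);
  const auditInScripts = Object.values(pkg.scripts || {}).some((s) => AUDIT_RE.test(s));
  const auditInCi = workflowTexts.some((w) => AUDIT_RE.test(w));
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const vulnerable = Object.keys(KNOWN_VULNERABLE)
    .filter((name) => name in deps && isBelow(deps[name], KNOWN_VULNERABLE[name]))
    .map((name) => `${name}@${deps[name]} (below ${KNOWN_VULNERABLE[name]})`);
  // Pass criteria from the rule: an audit step exists, OR no known findings.
  const pass = auditInScripts || auditInCi || vulnerable.length === 0;
  return { auditInScripts, auditInCi, vulnerable, pass };
}

// Constructed sample project: no audit step anywhere and an old lodash range.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  scripts: { test: 'jest' },
  dependencies: { lodash: '^4.17.15', 'path-parse': '1.0.7' },
});
const SAMPLE_WORKFLOW = '- name: Test\n  run: npm test\n';

const result = checkProject(SAMPLE_PACKAGE_JSON, [SAMPLE_WORKFLOW]);
console.log(result); // pass: false, vulnerable: ['lodash@^4.17.15 (below 4.17.21)']
```

Point checkProject at the real package.json and the contents of each file under .github/workflows/ to reproduce the manual check; a non-numeric spec (git URL or tag) is never flagged, so review those by hand.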
External references
- cwe · CWE-1395 — Dependency on Vulnerable Third-Party Component
- owasp:2021 · A06 — Vulnerable and Outdated Components
- ssdf:800-218 · PW.4.4 — Verify third-party software is compliant with security requirements
Taxons
History
- 2026-04-18·v1.0.0·Initial import from code-quality-essentials·automated