---
title: Vulnerable Dependencies Explained
description: Third-party packages can contain security vulnerabilities that put your app at risk. Learn how to find and fix vulnerable dependencies in your vibe-coded projects.
category: vulnerabilities
date: 2026-01-27
readTime: 7 min read
---

::tldr
Your app includes hundreds of npm packages, and any of them might carry a security vulnerability. Run `npm audit` regularly to find known issues, and set up Dependabot or a similar tool for automatic alerts. Not every reported vulnerability is exploitable in your context, but critical ones in production code should be patched quickly.
::

## What Are Vulnerable Dependencies?

When you install packages with npm or yarn, you are adding third-party code to your application. Once nested (transitive) dependencies are counted, a typical JavaScript project often pulls in hundreds to a couple of thousand packages. Any of these could contain:

- Security vulnerabilities discovered after release
- Malicious code inserted through a compromised maintainer account or a hijacked package
- Ordinary bugs that turn out to be exploitable

## How to Find Vulnerable Dependencies

### 1. npm audit

`npm audit` checks the packages in your lockfile against npm's advisory data (sourced from the GitHub Advisory Database) and reports known vulnerabilities:

```bash [Check for known vulnerabilities]
# Run audit
npm audit

# See detailed report (machine-readable, useful in CI)
npm audit --json

# Auto-fix where possible (only semver-compatible updates)
npm audit fix

# Force fix (installs semver-major updates, may have breaking changes)
npm audit fix --force
```

### 2. Automated Tools

| Tool       | Cost                | Features                       |
|------------|---------------------|--------------------------------|
| Dependabot | Free (GitHub)       | Auto PRs, security alerts      |
| Snyk       | Free tier available | Deep scanning, fix suggestions |
| Socket.dev | Free tier available | Supply chain analysis          |
| npm audit  | Free                | Built-in, basic reporting      |

## Understanding Vulnerability Severity

Not all vulnerabilities are equally dangerous. The severity `npm audit` reports comes from the advisory itself (a CVSS-style rating of the worst case), not from how your code uses the package:

- **Critical:** Remote code execution, data breach possible. Fix immediately.
- **High:** Significant impact. Prioritize fixing.
- **Medium** (`npm audit` calls this "moderate")**:** Limited impact or harder to exploit. Plan to fix.
- **Low:** Minimal impact. Fix when convenient.

::warning-box
**Context matters:** A vulnerability in a dev-only dependency (like a testing library) is less critical than one in your production code, and a vulnerability that requires specific conditions you don't have (a particular API, an attacker-controlled input that never reaches the package) might not affect you at all. The exception is malicious code rather than an ordinary bug: build and test tooling runs with access to your source, and often to CI secrets, so a compromised dev dependency is still a serious problem.
::

## Best Practices

1. **Run npm audit in CI:** Fail builds on critical vulnerabilities. `npm audit --audit-level=high` exits non-zero only when a vulnerability at that level or above is found, so the build fails on what matters.
2. **Enable Dependabot:** Get automatic PRs for security updates
3. **Use lockfiles:** Commit `package-lock.json` and install with `npm ci` so every environment gets exactly the versions you audited
4. **Review new dependencies:** Check popularity, maintenance activity, and known issues before adding a package
5. **Remove unused packages:** Less code means less attack surface

::success-box
**Pro tip:** Use `npx depcheck` to find unused dependencies you can safely remove.
::

::faq-section
::faq-item{question="Should I fix every npm audit warning?"}
Focus on critical and high severity first. For lower severity or dev-only dependencies, assess whether the vulnerability is actually exploitable in your context before rushing to update.
::

::faq-item{question="What if there's no fix available?"}
Options include: waiting for the maintainer to patch, finding an alternative package, forking and fixing it yourself, or implementing workarounds that prevent exploitation. If the vulnerable package is a transitive dependency and a patched version exists that your direct dependency has not adopted yet, the `overrides` field in `package.json` (npm 8.3+) lets you force that version.
::

::faq-item{question="How often should I update dependencies?"}
Security updates should be applied as soon as practical. Regular updates (monthly or quarterly) for non-security changes help prevent accumulating too much technical debt.
::
::

::related-articles
::related-card{title="OpenClaw's 900 Malicious npm Packages" description="How a supply chain attack published 900 malicious packages on npm" href="/blog/stories/openclaw-malicious-packages"}
::
::related-card{title="Snyk vs Dependabot" description="Tool comparison" href="/blog/comparisons"}
::
::related-card{title="GitHub Security Checklist" description="Repo security settings" href="/blog/checklists/github-repo-checklist"}
::
::related-card{title="Prototype Pollution" description="Common npm vulnerability" href="/blog/vulnerabilities/prototype-pollution"}
::
::

::cta-box{href="/" label="Start Free Scan"}
## Scan Your Dependencies

Our scanner checks your package.json for known vulnerabilities.
::
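The severity and "context matters" guidance above, and the first best practice (fail CI on serious findings), can be combined into a small audit gate. The following Node script is an added example written for this article; it is not code from the page or from npm. It assumes the `npm audit --json` output shape of npm 7 and later (a `vulnerabilities` map keyed by package name, each entry carrying `severity`, `isDirect`, `fixAvailable` and `nodes`) and a lockfile v2/v3 `packages` map in which entries reachable only through `devDependencies` carry `dev: true`. The package names in the embedded sample data are placeholders constructed for the example.

```javascript
// Added example (not the article's own code): gate a CI job on `npm audit --json`
// output, downgrading findings that exist only in dev-only install paths.
// Assumptions: npm >= 7 audit JSON shape and lockfile v2/v3 `packages` entries
// with `dev: true` for packages reachable only via devDependencies.

// npm's own severity names ("moderate", not "medium"), ordered for comparison.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// A vulnerable package is dev-only when every install path for it is flagged
// `dev` in the lockfile. A path missing from the lockfile is treated as
// production, so an incomplete lockfile fails safe rather than silently.
function isDevOnly(nodes, lockPackages) {
  if (!Array.isArray(nodes) || nodes.length === 0) return false;
  return nodes.every((p) => lockPackages[p] !== undefined && lockPackages[p].dev === true);
}

// Returns one finding per vulnerable package plus the exit code a CI step
// should use. `failOn` is the lowest severity that blocks; dev-only findings
// are reported but do not block unless `ignoreDevOnly` is set to false.
function evaluateAudit(audit, lock, opts = {}) {
  const failOn = SEVERITY_RANK[opts.failOn || "high"];
  const ignoreDevOnly = opts.ignoreDevOnly !== false;
  const lockPackages = (lock && lock.packages) || {};
  const findings = [];

  for (const [name, v] of Object.entries(audit.vulnerabilities || {})) {
    const devOnly = isDevOnly(v.nodes, lockPackages);
    const rank = SEVERITY_RANK[v.severity] ?? 0;
    findings.push({
      name,
      severity: v.severity,
      devOnly,
      direct: Boolean(v.isDirect),
      fixAvailable: Boolean(v.fixAvailable),
      blocking: rank >= failOn && !(ignoreDevOnly && devOnly),
    });
  }

  // Most severe first so the CI log leads with what has to be fixed.
  findings.sort((a, b) => (SEVERITY_RANK[b.severity] ?? 0) - (SEVERITY_RANK[a.severity] ?? 0));
  return { findings, exitCode: findings.some((f) => f.blocking) ? 1 : 0 };
}

// Constructed sample data resembling `npm audit --json` and `package-lock.json`.
// "test-helper" is only reachable from devDependencies; "shared-util" has one
// production path and one dev path, so it must count as production.
const SAMPLE_AUDIT = {
  vulnerabilities: {
    "prod-parser": { name: "prod-parser", severity: "critical", isDirect: false,
      fixAvailable: true, nodes: ["node_modules/prod-parser"] },
    "test-helper": { name: "test-helper", severity: "high", isDirect: true,
      fixAvailable: false, nodes: ["node_modules/test-helper"] },
    "shared-util": { name: "shared-util", severity: "moderate", isDirect: false,
      fixAvailable: true,
      nodes: ["node_modules/shared-util", "node_modules/test-helper/node_modules/shared-util"] },
  },
};
const SAMPLE_LOCK = {
  packages: {
    "node_modules/prod-parser": { version: "1.0.0" },
    "node_modules/test-helper": { version: "2.0.0", dev: true },
    "node_modules/shared-util": { version: "1.1.0" },
    "node_modules/test-helper/node_modules/shared-util": { version: "1.0.5", dev: true },
  },
};

// CLI: `node audit-gate.js audit.json package-lock.json`; with no arguments the
// sample data is evaluated instead, and the process exit code is left untouched.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("node:fs");
  const [auditPath, lockPath] = process.argv.slice(2);
  const audit = auditPath ? JSON.parse(fs.readFileSync(auditPath, "utf8")) : SAMPLE_AUDIT;
  const lock = lockPath ? JSON.parse(fs.readFileSync(lockPath, "utf8")) : SAMPLE_LOCK;
  const result = evaluateAudit(audit, lock, { failOn: process.env.AUDIT_FAIL_ON || "high" });
  for (const f of result.findings) {
    const tags = [f.devOnly ? "dev-only" : "prod", f.direct ? "direct" : "transitive",
      f.fixAvailable ? "fix available" : "no fix"].join(", ");
    console.log(`${f.blocking ? "FAIL" : "warn"} ${f.severity.padEnd(8)} ${f.name} (${tags})`);
  }
  if (auditPath) process.exitCode = result.exitCode;
}

module.exports = { SEVERITY_RANK, isDevOnly, evaluateAudit, SAMPLE_AUDIT, SAMPLE_LOCK };
```

Because `npm audit` itself exits non-zero whenever it finds anything, capture its JSON with `npm audit --json > audit.json || true` and let the gate decide: with the sample data the critical `prod-parser` finding blocks, the high `test-helper` finding is reported but not blocking because its only install path is dev-only, and `shared-util` is treated as production because one of its paths is not. For a first rollout, `AUDIT_FAIL_ON=critical` matches the "fix immediately" tier; tighten to `high` once the backlog is cleared.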