Safeguard
Vulnerabilities

npm Security Vulnerabilities: How to Track Them

A practical system for tracking npm security vulnerabilities across a real dependency tree, why you shouldn't rely on npm check vulnerabilities output alone, and what to automate.

Safeguard Team
Product
5 min read

Tracking npm security vulnerabilities properly means running continuous, automated scanning tied to your actual dependency graph — not a one-time npm audit before a release — because new advisories are published against packages you already have installed just as often as new vulnerable versions get published. A dependency that was clean last month can become a finding today purely because a researcher disclosed a new CVE against a version you've been running unchanged for a year. Treating vulnerability tracking as a point-in-time check misses the majority of real findings, which show up between releases, not during them.

Why isn't running npm check vulnerabilities once enough?

Running npm audit — the built-in way to npm check vulnerabilities — gives you a snapshot against the current state of the GitHub Advisory Database at the moment you run it, and that snapshot goes stale the instant a new advisory is published or a new dependency gets added. Most teams run it manually before a release and treat a clean result as durable, but the advisory database is updated continuously, and a package you shipped as "clean" last Tuesday can have a critical CVE disclosed against it next Tuesday with no code change on your end at all. The practical fix is running the check on a schedule — nightly, at minimum — independent of your release cadence, and wiring it into CI so every pull request that touches package.json or the lockfile triggers a fresh check rather than relying on whoever remembers to run it manually before shipping.

What does a real npm security vulnerabilities tracking system look like?

A working system has three components: automated scanning on every commit and on a schedule, a triage step that separates reachable findings from unreachable ones, and a clear ownership path for who fixes what and by when. The scanning part is table stakes — most CI systems can run npm audit or a dedicated SCA tool as a pipeline step. The triage part is where teams either succeed or drown: raw npm audit output lists every CVE matched against your dependency tree regardless of whether your code calls the vulnerable function, and a large fraction of those findings sit in transitive dependencies of build tooling that never ships to production. Layering reachability analysis on top — determining whether a vulnerable function in, say, a deeply nested minimist dependency is actually invoked by code your application executes — is what turns a 200-item audit report into a 12-item action list a team can actually clear.

How do you prioritize which npm security vulnerabilities to fix first?

Prioritize by a combination of severity, reachability, and exposure — not by CVSS score alone, since a critical CVSS score in a dependency your code never calls is lower real risk than a medium-severity issue sitting directly behind an unauthenticated API endpoint. A useful triage order: reachable critical and high findings in production dependencies first, reachable findings in anything internet-facing second, and everything else — unreachable findings, devDependency-only issues, low-severity findings in internal tools — batched into a lower-priority backlog reviewed monthly rather than blocking any release. This mirrors how the broader SCA product approach handles prioritization across ecosystems, since the npm-specific problem (huge transitive trees, install-time script execution, frequent publishing) is really a sharper version of the general dependency-risk problem every ecosystem faces to some degree.

What should be automated versus handled manually?

Automate the detection, the reachability check, and — wherever a safe minimal version bump exists — the fix itself as an auto-generated pull request tested against your existing CI before a human ever looks at it. Reserve manual attention for the genuinely hard cases: a vulnerable package with no fixed version yet, a major-version bump required to resolve the CVE that risks breaking changes, or a package that's been abandoned entirely and needs replacing rather than upgrading. Combining automated SCA with SAST and DAST scanning closes the loop further, since a vulnerability disclosed against an npm package your team owns and publishes (not just consumes) needs source-level scanning too, not just dependency-tree matching.

Safeguard scans npm dependency trees continuously rather than at release checkpoints, applies reachability analysis to cut raw npm audit-style output down to what's actually exploitable, and opens auto-fix pull requests for the minimal version bump that resolves a reachable finding — reducing the tracking problem to a short, prioritized list instead of a growing backlog.

FAQ

How often should I run npm check vulnerabilities commands?

Continuously in practice — on every CI run for pull requests touching dependencies, plus a scheduled nightly or daily scan independent of code changes, since advisories get published against packages you already have installed with no code change required to trigger a new finding.

Are most npm security vulnerabilities in direct or transitive dependencies?

The majority typically sit in transitive dependencies — packages pulled in indirectly by something you did choose — since a typical JavaScript project's dependency tree is dominated by packages several layers removed from anything listed directly in package.json.

Does npm audit tell me if a vulnerability is actually exploitable?

No — npm audit matches installed versions against known-vulnerable ranges but has no concept of whether your code calls the affected function. That reachability layer requires a separate analysis step or a dedicated SCA tool.

What's the fastest fix for a critical npm vulnerability with no patch available?

Check whether a non-vulnerable alternative package exists with equivalent functionality, whether the vulnerable code path can be avoided or wrapped with input validation as a stopgap, and whether the maintainer has an unreleased fix in progress worth tracking directly.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.