Dependencies
Your app is only as secure as the packages it depends on.
Most web apps use hundreds of npm packages. Each one is code someone else wrote, and any of them could have security vulnerabilities.
Why dependencies matter
When a popular package has a security flaw, every app using it becomes vulnerable. And this happens more often than you'd think — major packages like lodash, express, and node-fetch have all had security issues.
Checking for vulnerabilities
Regular audits
- Running npm audit or bun audit regularly
- Reviewing audit results and updating vulnerable packages
- Using tools like Dependabot or Renovate for automatic PRs
- Checking npm advisories before adding new packages
Install and forget
- Never running security audits
- Ignoring npm audit warnings
- Packages last updated 2+ years ago
- No automated update process
Medium impact — security (~1 paw)
Outdated dependencies with known vulnerabilities are a common finding. Regular updates prevent most issues.
How to update
Quick check
# Check for known vulnerabilities
npm audit
# Or with bun
bun audit
Fix automatically
# Fix what can be automatically fixed
npm audit fix
# See what needs manual updates
npm outdated
Manual updates
For major version updates that might break things:
- Check the package's changelog for breaking changes
- Update one package at a time
- Run your tests after each update
- Commit each update separately
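A small triage script, added here as an example and not part of the original page: it reads the JSON that npm audit --json produces (npm 7+, auditReportVersion 2), keeps findings at or above a severity threshold, and separates what npm audit fix can handle from what needs a manual major-version update or has no fix at all. The report and package names are a constructed sample.

```javascript
// Added example, not from the original page: triage an `npm audit --json`
// report (npm 7+ format, auditReportVersion 2) into what `npm audit fix`
// can handle and what needs a manual major-version update, and decide
// whether a CI step should fail. The report below is a constructed sample.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample: the shape npm emits, with three typical situations.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-parser": {
      name: "example-parser", severity: "high", isDirect: true,
      via: [{ title: "Prototype pollution (constructed)", range: "<2.1.0" }],
      fixAvailable: { name: "example-parser", version: "2.1.0", isSemVerMajor: false },
    },
    "example-logger": {
      name: "example-logger", severity: "moderate", isDirect: false,
      via: ["example-parser"], // vulnerable only through its dependency
      fixAvailable: { name: "example-parser", version: "3.0.0", isSemVerMajor: true },
    },
    "example-legacy": {
      name: "example-legacy", severity: "low", isDirect: true,
      via: [{ title: "ReDoS (constructed)", range: "*" }],
      fixAvailable: false, // unmaintained: no patched version exists
    },
  },
};

// Keep findings at or above `threshold`, then bucket them by what fixing them
// takes. An unrecognised severity is ranked as critical so a malformed entry
// is reviewed rather than silently dropped.
function triageAudit(report, threshold = "high") {
  if (!(threshold in SEVERITY_RANK)) throw new Error(`unknown threshold: ${threshold}`);
  const min = SEVERITY_RANK[threshold];
  const out = { autoFixable: [], manualMajor: [], noFix: [], fail: false };
  for (const vuln of Object.values(report.vulnerabilities || {})) {
    if ((SEVERITY_RANK[vuln.severity] ?? 4) < min) continue;
    const fix = vuln.fixAvailable;
    if (fix === false) out.noFix.push(vuln.name);
    else if (fix === true || !fix.isSemVerMajor) out.autoFixable.push(vuln.name);
    else out.manualMajor.push(vuln.name); // breaking change: update by hand, run tests
  }
  out.fail = out.autoFixable.length + out.manualMajor.length + out.noFix.length > 0;
  return out;
}

// Stand-alone run on the constructed sample; a real pipeline would JSON.parse
// the output of `npm audit --json` instead.
console.log(JSON.stringify(triageAudit(SAMPLE_REPORT, "moderate"), null, 2));
```

In CI, a non-zero exit on `fail` blocks the merge until the auto-fixable findings are fixed and the manual ones are updated one package at a time as described above.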
Choosing packages wisely
Before adding a new dependency, check:
Self-assessment checklist
Lock files
Always commit your lock file (package-lock.json, bun.lock, pnpm-lock.yaml). It ensures everyone on your team uses the exact same package versions.