2-audit.md

File metadata and controls

26 lines (14 loc) · 1.54 KB

# 🔐 Security

## Audit

Setting up automatic security audits of your dependencies is essential if you want even a minimal view of the *known* vulnerabilities in each of your projects. Of course, this is only the first step towards good security!

Tools such as Snyk, Sqreen and `npm audit` give you an overview of the active CVEs and possible attacks affecting your projects (Snyk's free tier is fairly generous).

Below is an example of a Snyk dashboard for the SlimIO project:

(image: Snyk dashboard for the SlimIO project)

Vulnerabilities detected in runtime dependencies obviously take priority, since they concern code that is executed in production.

⚠️ This does not mean that the vulnerabilities detected on development dependencies are not important!
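As an added example (not part of the original guide or the SlimIO project), the script below applies the priority rule above to the JSON output of `npm audit` (audit report version 2, as produced by npm 7 and later): it fails the CI job when any finding reaches a chosen severity, puts direct dependencies before transitive ones, and still reports the lower-severity findings instead of hiding them. The embedded report is a constructed sample whose package names, ranges and advisory URLs are placeholders; only its shape follows npm's format.

```python
"""Gate a CI job on `npm audit --json` (audit report version 2, npm 7+).

Usage: npm audit --json > audit.json; python audit_gate.py audit.json
Without an argument the constructed sample below is used, so it runs offline.
"""
import json
import sys

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample of an npm 7+ audit report (placeholder data, not a real scan).
SAMPLE_REPORT = {
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-http-lib": {
            "name": "example-http-lib",
            "severity": "high",
            "isDirect": True,
            "via": [{"title": "Placeholder advisory", "url": "https://example.invalid/advisory/1"}],
            "range": "<2.0.0",
            # npm reports an object here when the fix requires a semver-major bump
            "fixAvailable": {"name": "example-http-lib", "version": "2.0.0", "isSemVerMajor": True},
        },
        "example-lint-helper": {
            "name": "example-lint-helper",
            "severity": "moderate",
            "isDirect": False,
            "via": ["example-other"],
            "range": "*",
            "fixAvailable": False,
        },
        "example-template": {
            "name": "example-template",
            "severity": "critical",
            "isDirect": False,
            "via": [{"title": "Placeholder advisory", "url": "https://example.invalid/advisory/2"}],
            "range": "<1.4.2",
            "fixAvailable": True,
        },
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1, "high": 1, "critical": 1, "total": 3}},
}


def parse_findings(report):
    """Flatten the `vulnerabilities` map into a sorted list of dicts.
    `fixAvailable` is either a bool or an object; normalise it into
    `fixable` and `needs_major` so the gate can tell the two cases apart."""
    findings = []
    for name, vuln in report.get("vulnerabilities", {}).items():
        fix = vuln.get("fixAvailable", False)
        findings.append({
            "name": name,
            "severity": vuln.get("severity", "info"),
            "direct": bool(vuln.get("isDirect", False)),
            "fixable": bool(fix),
            "needs_major": isinstance(fix, dict) and bool(fix.get("isSemVerMajor")),
            "range": vuln.get("range", ""),
        })
    # Most severe first; at equal severity, direct dependencies before transitive ones.
    findings.sort(key=lambda f: (-SEVERITY_RANK.get(f["severity"], 0), not f["direct"], f["name"]))
    return findings


def triage(findings, fail_level="high"):
    """Return (should_fail, blocking, counts). The job fails when any finding
    is at or above `fail_level`; `counts` tallies every finding per severity
    so lower-severity issues are still visible in the log."""
    threshold = SEVERITY_RANK[fail_level]
    counts = {level: 0 for level in SEVERITY_RANK}
    blocking = []
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
        if SEVERITY_RANK.get(f["severity"], 0) >= threshold:
            blocking.append(f)
    return bool(blocking), blocking, counts


def format_line(f):
    """One human-readable line per finding for the CI log."""
    fix = "fix: semver-major bump" if f["needs_major"] else ("fix available" if f["fixable"] else "no fix yet")
    kind = "direct" if f["direct"] else "transitive"
    return f"{f['severity']:<8} {f['name']} ({kind}, vulnerable {f['range']}) - {fix}"


def main():
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    findings = parse_findings(report)
    should_fail, blocking, counts = triage(findings, fail_level="high")
    for f in findings:
        print(format_line(f))
    print("summary:", ", ".join(f"{k}={v}" for k, v in counts.items() if v))
    if should_fail:
        print(f"FAIL: {len(blocking)} finding(s) at or above the threshold")
        sys.exit(1)
    print("OK: no finding at or above the threshold")


if __name__ == "__main__":
    main()
```

To apply the runtime-first rule, run the audit twice: once with `npm audit --omit=dev --json` (npm 8 and later) gated at a strict threshold for what actually ships to production, and once over the full tree so that findings in development dependencies are still surfaced, even if they only warn rather than fail the build.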

You can open one of the projects to get more information on its current issues. The interface gives you a full set of details such as references and an explanation of the problem and, where available, the corrective measures that fix it.

(image: Snyk issue details view)

Snyk has also developed an online tool, "Snyk Advisor", which lets you check the metrics of an npm package at any time.


⬅️ 🔐 Security: Introduction | ➡️ 🔐 Security: Keep your environment under control