https://takao.blog/en/tags/dependency/Recent content in Dependency on Commentary of TakaoHugo -- gohugo.ioenCommentary of TakaoSat, 13 Jun 2026 23:11:50 +0900https://takao.blog/en/web/security-dependency-vulnerabilities-npm-audit/Sat, 15 Nov 2025 00:00:00 +0900https://takao.blog/en/web/security-dependency-vulnerabilities-npm-audit/<img src="https://takao.blog/img/thumnail.webp" alt="Featured image of post Auditing NPM Dependencies: Snyk and automated patch management" /><h2 id="the-supply-chain-problem">The Supply Chain Problem </h2><p>Modern JavaScript applications ship tens of thousands of transitive dependencies. Each one is a potential attack vector. The <strong>event-stream</strong> incident (2018), where a malicious package was injected into a popular dependency, demonstrated that vulnerabilities can come from anywhere in the tree. Relying solely on manual review is impossible at this scale.</p> <p>Automated tooling is the only practical defense.</p> <h2 id="npm-audit">npm audit </h2><p>The built-in <code>npm audit</code> command compares your dependency tree against a curated database of known vulnerabilities.</p>