Step-by-Step Guide
6 steps

How to Secure Third-Party Dependencies

Third-party packages are one of the largest attack surfaces in modern applications. A single compromised dependency can affect thousands of apps. This guide covers auditing, monitoring, and securing your dependency supply chain.

Find security issues automatically before attackers do.

Follow These Steps

1

Run npm audit regularly

Check for known vulnerabilities in your dependencies.

Code Example
# Check for vulnerabilities
npm audit

# Fix automatically where possible
npm audit fix

# Fix with major version updates (review changes first)
npm audit fix --force

2

Keep a lockfile committed

Always commit package-lock.json to ensure reproducible builds.

Code Example
# Verify lockfile exists and is committed
git ls-files package-lock.json

# Use ci for CI/CD (installs from lockfile only)
npm ci

Use npm ci instead of npm install in CI/CD. It installs exactly what is in the lockfile without modifying it.

3

Review new dependencies before adding them

Check download counts, maintenance status, and code quality before adding a package.

Code Example
# Check package details (versions, maintainers, publish dates, dependency count)
npm info package-name

# Check for a deprecation notice
npm view package-name deprecated

# npm audit checks your lockfile/installed tree, not a package by name:
# resolve the package into the lockfile without installing it, then audit
npm install package-name --package-lock-only
npm audit

# Evaluate alternatives
# - Downloads per week (popularity)
# - Last publish date (maintenance)
# - Number of dependencies (attack surface)
# - GitHub stars and issues

4

Set up automated dependency monitoring

Enable GitHub Dependabot or Snyk to automatically detect and fix vulnerable dependencies.

Code Example
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10

5

Use exact versions for critical dependencies

Pin exact versions for security-critical packages.

Code Example
// package.json - pin critical packages to an exact version (no ^ or ~ range;
// JSON does not allow inline comments, so keep notes out of the file itself)
{
  "dependencies": {
    "next-auth": "5.0.0",
    "bcrypt": "5.1.1",
    "jsonwebtoken": "9.0.2"
  }
}

6

Remove unused dependencies

Reduce attack surface by removing packages you no longer use.

Code Example
# Find unused dependencies
npx depcheck

# Remove unused packages
npm uninstall unused-package-name

What You'll Achieve

Dependencies are audited for vulnerabilities, the lockfile is committed, automated monitoring is enabled, critical packages are pinned to exact versions, and unused packages are removed.

Common Mistakes to Avoid

Mistake

Ignoring npm audit warnings

Fix

Review every audit warning. Fix critical and high severity issues immediately. Track moderate issues for the next update cycle.
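As an added example (not part of the original guide), a small Node script that applies this policy to the output of `npm audit --json` from step 1: critical and high findings block the build, moderate findings are listed for tracking, and each finding is marked as resolvable by `npm audit fix` or as needing the reviewed major upgrade that `--force` would make. The `audit-gate.js` filename, the package names and the report contents are constructed for the example.

```javascript
// Added example: a CI gate for `npm audit --json` (npm 7+ report format).
// Usage: npm audit --json > audit.json && node audit-gate.js audit.json
// Without a path argument it runs on the constructed sample report below.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-parser": {                       // constructed, not a real package
      name: "example-parser", severity: "high", isDirect: true, range: "<2.1.0",
      via: [{ title: "Prototype pollution (sample)", url: "https://example.invalid/advisory/1" }],
      fixAvailable: true,                     // `npm audit fix` can resolve it
    },
    "example-util": {
      name: "example-util", severity: "moderate", isDirect: false, range: "<1.4.3",
      via: ["example-parser"],                // transitive: vulnerable only through example-parser
      fixAvailable: { name: "example-parser", version: "2.1.0", isSemVerMajor: false },
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 1, critical: 0, total: 2 } },
};

const FAIL_ON = new Set(["critical", "high"]);  // fix immediately: block the build
const TRACK = new Set(["moderate"]);            // track for the next update cycle

// Split an audit report into blocking and tracked findings. `fixAvailable` is
// true, false, or an object; an object with isSemVerMajor means only
// `npm audit fix --force` would resolve it, which needs human review first.
function gateAudit(report, failOn = FAIL_ON, track = TRACK) {
  const blocking = [], tracked = [];
  for (const v of Object.values(report.vulnerabilities || {})) {
    const fix = v.fixAvailable;
    const entry = {
      name: v.name, severity: v.severity, direct: Boolean(v.isDirect),
      autoFixable: fix === true || (typeof fix === "object" && fix !== null && !fix.isSemVerMajor),
    };
    if (failOn.has(v.severity)) blocking.push(entry);
    else if (track.has(v.severity)) tracked.push(entry);
  }
  return { blocking, tracked, exitCode: blocking.length > 0 ? 1 : 0 };
}

if (typeof require !== "undefined" && require.main === module) {
  const path = process.argv[2];
  const report = path ? JSON.parse(require("fs").readFileSync(path, "utf8")) : SAMPLE_REPORT;
  const result = gateAudit(report);
  for (const e of result.blocking) console.log(`BLOCK ${e.severity} ${e.name} (${e.direct ? "direct" : "transitive"}; ${e.autoFixable ? "npm audit fix resolves it" : "needs reviewed major upgrade"})`);
  for (const e of result.tracked) console.log(`TRACK ${e.severity} ${e.name}`);
  if (path) process.exitCode = result.exitCode;  // gate real input only; the sample just prints
}
```

Wire it into the pipeline after `npm ci` so a non-zero exit stops the build; the severity sets are the policy knobs to adjust per project.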

Mistake

Not committing the lockfile

Fix

The lockfile ensures everyone installs the same versions. Without it, different environments may get different (potentially vulnerable) versions.

Frequently Asked Questions

Is npm audit reliable?

npm audit catches known vulnerabilities in the npm advisory database. It does not detect zero-day vulnerabilities or malicious packages without known advisories. Use it as one layer of defense alongside manual review.

Should I update all dependencies regularly?

Yes, but carefully. Use automated tools like Dependabot for minor and patch updates. Review major updates manually. Always test after updating.
