Use npm audit to detect vulnerabilities in an npm project

Since I just dealt with this topic at work, here is a short write-up for you. This example is about the Angular project I am working on, which, unsurprisingly, uses npm to manage the project's dependencies. We have automated jobs in our pipelines that flag code vulnerabilities. One of the simplest things you can do is to run npm audit in an npm project. npm audit is a command built into the npm package manager that scans the dependencies of a project for known security vulnerabilities and provides a report with recommended actions to fix them. It helps developers keep their code and users safe by identifying and addressing potential security risks.

When you run npm audit, it scans your project's dependencies and, recursively, their dependencies, looking for known vulnerabilities. If any are found, it provides a detailed report with information about each vulnerability, the severity of the risk, and the recommended actions to take to fix it.

It can also fix some vulnerabilities for you automatically. Running npm audit fix updates your dependencies to the latest version that addresses the vulnerability, or provides you with instructions on how to fix the issue manually.

Back to my case: several vulnerabilities were found, but most could be resolved quickly and automatically with npm audit fix. The remaining findings were in another library that we built ourselves. There, various dependencies had to be upgraded to get rid of the warnings.

Minor version changes are never a problem, but whenever you have a major version update with breaking changes in the libraries, you have to investigate a bit more to find out whether it can be a problem for the project and whether everything still works afterward.

Especially when you don't know all the places in a big project where certain things are used, dealing with this can be quite a challenge. But in my case, everything seems to have worked and is now being tested on the staging server.
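As an added example (not from the original post and not part of npm itself), here is a small Node.js gate for the kind of pipeline job mentioned above: it reads the JSON that `npm audit --json` produces, fails the job at a chosen severity, and separates findings that plain `npm audit fix` handles from those whose fix is a semver-major upgrade, which is exactly the case that needs the extra investigation described above. The report embedded below is a constructed sample in npm's report shape; the package names are placeholders.

```javascript
// Pipeline gate for `npm audit --json` output (auditReportVersion 2, npm 7+).
// Added example, not code from the original post.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample in the shape npm emits; package names are placeholders.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-a": { name: "example-a", severity: "high", isDirect: false,
      range: "<1.2.3", fixAvailable: true },
    "example-b": { name: "example-b", severity: "critical", isDirect: true,
      range: "<=4.0.0",
      fixAvailable: { name: "example-b", version: "5.0.0", isSemVerMajor: true } },
    "example-c": { name: "example-c", severity: "low", isDirect: false,
      range: "*", fixAvailable: false },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 1, total: 3 } },
};

// Sort findings into three buckets (plain `npm audit fix`, semver-major upgrade
// that needs manual review, no fix published) and decide whether the job fails.
function triageAudit(report, failLevel = "high") {
  const out = { autoFixable: [], needsMajorUpgrade: [], noFix: [], failing: [] };
  for (const v of Object.values(report.vulnerabilities || {})) {
    const fix = v.fixAvailable;
    if (fix === false) out.noFix.push(v.name);
    else if (typeof fix === "object" && fix.isSemVerMajor) out.needsMajorUpgrade.push(v.name);
    else out.autoFixable.push(v.name);
    if (SEVERITY_RANK[v.severity] >= SEVERITY_RANK[failLevel]) out.failing.push(v.name);
  }
  out.shouldFail = out.failing.length > 0;
  return out;
}

// Stand-alone use: `npm audit --json > audit.json && node audit-gate.js audit.json [level]`
// (without a path the constructed sample is used). A non-zero exit code fails the CI job.
if (typeof require !== "undefined" && require.main === module) {
  const path = process.argv[2];
  const report = path ? JSON.parse(require("fs").readFileSync(path, "utf8")) : SAMPLE_REPORT;
  const result = triageAudit(report, process.argv[3] || "high");
  console.log(JSON.stringify(result, null, 2));
  if (path) process.exitCode = result.shouldFail ? 1 : 0;
}
```

For the severity threshold alone, npm's built-in `npm audit --audit-level=high` does the same without a script; the added value here is the semver-major list, which `npm audit fix` skips unless you run it with `--force`.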