Npm libraries and vulnerability concerns
npm ships with audit features out of the box, but only from version 6 onward, so you may need to upgrade first. Upgrade your npm with this command:
npm install npm@latest -g
Now you are able to run the audit command and get the result back:
npm audit
If you would like to write the report to a file, you can also run this:
npm audit > report.txt
You will probably get back a list of results like the following.
You can potentially fix some of them by running:
npm audit fix
However, others cannot be fixed automatically, because the fix is a breaking (major) version change of a library; you need to apply those manually so that you are aware of the changes. In the example above, one line asks you to upgrade gulp to version 4. That upgrade also requires updating the gulpfile, since the syntax changed between versions.
Audit the production packages
You might only need to audit the packages listed under dependencies, not those under devDependencies:
npm audit fix --only=prod
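The two points above (major upgrades that npm audit fix will not apply on its own, and looking only at production dependencies) are easy to automate in CI. The script below is an added example, not part of the original post or of npm itself: it reads the output of npm audit --json (it assumes the npm 6 report layout with advisories, actions and a dev flag on each finding), counts advisories per severity, lists the actions that need a manual fix (major bumps and "review" items), and returns a non-zero exit code when a production finding reaches the chosen severity. The embedded report is a constructed sample with placeholder package names and advisory ids, not real advisories.

```python
"""Gate a build on an `npm audit --json` report (npm 6 layout, assumed).

Usage:  npm audit --json > report.json && python audit_gate.py report.json [--prod]
With no file argument the constructed sample report below is used.
"""
import json
import sys
from collections import Counter

SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]

# Constructed sample report: placeholder packages and advisory ids, not real advisories.
SAMPLE_REPORT = json.dumps({
    "actions": [
        {"action": "update", "module": "example-dev-lib", "target": "1.2.4", "isMajor": False,
         "resolves": [{"id": 1001, "path": "example-dev-lib", "dev": True}]},
        {"action": "install", "module": "gulp", "target": "4.0.0", "isMajor": True,
         "resolves": [{"id": 1002, "path": "gulp>example-transitive-lib", "dev": True}]},
        {"action": "review", "module": "example-prod-lib",
         "resolves": [{"id": 1003, "path": "example-prod-lib", "dev": False}]},
    ],
    "advisories": {
        "1001": {"id": 1001, "module_name": "example-dev-lib", "severity": "high",
                 "title": "Placeholder advisory A", "patched_versions": ">=1.2.4",
                 "findings": [{"version": "1.2.3", "paths": ["example-dev-lib"], "dev": True}]},
        "1002": {"id": 1002, "module_name": "example-transitive-lib", "severity": "moderate",
                 "title": "Placeholder advisory B", "patched_versions": ">=2.0.0",
                 "findings": [{"version": "1.0.0", "paths": ["gulp>example-transitive-lib"], "dev": True}]},
        "1003": {"id": 1003, "module_name": "example-prod-lib", "severity": "high",
                 "title": "Placeholder advisory C", "patched_versions": "<0.0.0",
                 "findings": [{"version": "3.1.0", "paths": ["example-prod-lib"], "dev": False}]},
    },
})


def load_report(text):
    return json.loads(text)


def is_production(advisory):
    """An advisory affects production if any finding path is not dev-only."""
    return any(not finding.get("dev", False) for finding in advisory["findings"])


def summarize(report, prod_only=False):
    """Count advisories per severity, optionally only those reachable from `dependencies`."""
    counts = Counter()
    for advisory in report["advisories"].values():
        if prod_only and not is_production(advisory):
            continue
        counts[advisory["severity"]] += 1
    return counts


def needs_manual_fix(report):
    """Actions `npm audit fix` will not apply on its own: major bumps and 'review' items."""
    manual = []
    for action in report["actions"]:
        if action["action"] == "review":
            manual.append((action["module"], "no patched version; review or replace"))
        elif action.get("isMajor"):
            manual.append((action["module"], "breaking upgrade to %s; update code by hand" % action["target"]))
    return manual


def should_fail(report, prod_only=False, min_severity="high"):
    """True when any counted advisory is at or above min_severity."""
    threshold = SEVERITY_ORDER.index(min_severity)
    counts = summarize(report, prod_only)
    return any(counts[sev] for sev in SEVERITY_ORDER[threshold:])


def main(argv):
    prod_only = "--prod" in argv
    paths = [arg for arg in argv[1:] if not arg.startswith("--")]
    text = open(paths[0]).read() if paths else SAMPLE_REPORT
    report = load_report(text)
    for sev, n in sorted(summarize(report, prod_only).items(),
                         key=lambda item: SEVERITY_ORDER.index(item[0])):
        print("%-9s %d" % (sev, n))
    for module, reason in needs_manual_fix(report):
        print("manual:   %s (%s)" % (module, reason))
    return 1 if should_fail(report, prod_only) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with --prod to mirror npm audit fix --only=prod: dev-only findings are then left out of the gate, while the manual list still tells you which upgrades (such as the gulp 4 bump) have to be done by hand.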