VC048 · A06:2021 · CWE-1104

Missing dependency vulnerability check

About A06:2021 Vulnerable Components

Modern apps pull in hundreds of npm packages, and any one of them can introduce a vulnerability. The 2017 Equifax breach came through a single unpatched Apache Struts library (CVE-2017-5638). Log4Shell (CVE-2021-44228) affected millions of apps. AI coding tools will happily generate code that depends on package versions with known CVEs, because the versions they saw in training data predate the disclosures.

Impact: A vulnerable dependency in your tree is a vulnerability in your app, even if your own code is perfect. Severity ranges from denial of service at the low end to remote code execution at the top. The blast radius is whatever the package can access, and for server-side packages that is usually everything the process can reach: environment variables, credentials, the database and the network.

How to fix it: Run `npm audit` (or the equivalent for your ecosystem) in CI and fail the build on findings at or above your threshold; `npm audit --audit-level=high` exits non-zero when anything high or critical is reported. Commit the lockfile and install with `npm ci` so the audited tree is the tree you ship. Subscribe to security advisories for your major dependencies. Use Dependabot or Renovate to keep dependencies current. When an advisory is open against a transitive dependency you cannot upgrade directly, force the fixed version with the `overrides` field in package.json, and remove the override once the direct dependency picks up the fix.

Common patterns in this category:

  • Dependencies with known CVEs at the time of build
  • Major versions behind upstream
  • Unmaintained packages with no recent commits
  • Packages installed from untrusted registries or forks
  • Build tools and CI dependencies left out of audit scope

Compliance coverage

Findings from this rule map to the following framework controls:

Framework       Controls
SOC 2           CC6.8, CC8.1
ISO 27001       A.8.25, A.8.9
OWASP Top 10    A06:2021 Vulnerable Components
CWE             CWE-1104

See the full compliance coverage page for how XploitScan maps every rule to SOC 2, ISO 27001, and OWASP Top 10 controls.

Scan your code for VC048 and 157 other rules

Free, no signup. Drag and drop a zip or run npx xploitscan scan .

