Sherlock Forensics maintains security audit reports for 25 popular npm packages. A total of 139 known vulnerabilities are catalogued across these packages as of 2026-05-24. Each report includes CVE details and remediation guidance.
| Package | Latest Version | Vulnerabilities | Description |
|---|---|---|---|
| Next.js | 16.2.6 | 55 | The React Framework |
| Axios | 1.16.1 | 25 | Promise based HTTP client for the browser and node.js |
| Angular | 1.8.3 | 14 | HTML enhanced for web apps |
| Lodash | 4.18.1 | 10 | Lodash modular utilities. |
| Mongoose | 9.6.2 | 8 | Mongoose MongoDB ODM |
| Express.js | 5.2.1 | 5 | Fast, unopinionated, minimalist web framework |
| Webpack | 5.107.1 | 4 | Packs ECMAScript/CommonJs/AMD modules for the browser. Allows you to split your codebase into multip |
| Moment.js | 2.30.1 | 4 | Parse, validate, manipulate, and display dates |
| jsonwebtoken | 9.0.3 | 4 | JSON Web Token implementation (symmetric and asymmetric) |
| Socket.IO | 4.8.3 | 3 | node.js realtime framework server |
| React | 19.2.6 | 2 | React is a JavaScript library for building user interfaces. |
| Vue.js | 3.5.34 | 1 | The progressive JavaScript framework for building modern web UI. |
| Chalk | 5.6.2 | 1 | Terminal string styling done right |
| bcrypt | 6.0.0 | 1 | A bcrypt library for NodeJS. |
| uuid | 14.0.0 | 1 | RFC9562 UUIDs |
| Zod | 4.4.3 | 1 | TypeScript-first schema declaration and validation library with static type inference |
| TypeScript | 6.0.3 | 0 | TypeScript is a language for application scale JavaScript development |
| Tailwind CSS | 4.3.0 | 0 | A utility-first CSS framework for rapidly building custom user interfaces. |
| Prisma | 7.8.0 | 0 | Prisma is an open-source database toolkit. It includes a JavaScript/TypeScript ORM for Node.js, migr |
| ESLint | 10.4.0 | 0 | An AST-based pattern checker for JavaScript. |
| Prettier | 3.8.3 | 0 | Prettier is an opinionated code formatter |
| Commander.js | 14.0.3 | 0 | the complete solution for node.js command-line programs |
| dotenv | 17.4.2 | 0 | Loads environment variables from .env file |
| cors | 2.8.6 | 0 | Node.js CORS middleware |
| Yargs | 18.0.0 | 0 | yargs the modern, pirate-themed, successor to optimist. |
Audit Your Dependencies
Our vibe coding security audit scans your entire dependency tree for vulnerable packages, misconfigurations and exposed secrets.