Dependency Management: JavaScript

In this lesson, we will discuss Dependency management with JavaScript.

We'll cover the following

There are many different ways to track JavaScript dependencies. We’ll cover npm because it’s one of the most popular package managers. As was the case with Python dependency management, you’ll need to talk to your developers to find out how they’re managing dependencies if you’re not a JavaScript developer yourself.


Package.json is npm’s configuration file. It specifies dependencies in addition to many other facets of a package. It’s similar to Python’s requirements.txt in that it lists direct dependencies but does not list transitive dependencies.

In order to find transitive dependencies, you need to use npm. As was the case with Python, you’ll need to install your software in order to find transitive dependencies. They aren’t listed in your package’s package.json; they are calculated by looking at the package.json for each package listed in your package.json. Your best bet will be to work with your developers to install your package and then use npm list to show a tree of the dependencies. You can expect output like the following from npm list:

├─┬ my-app@1.0.0
│ ├─┬ my-dependency1@2.7.4
│ │ ├── thing2@1.2.3
│ │ ├── otherthing@2.3.4
│ │ ├── thing3@3.4.5
│ ├─┬ my-dependency2@4.5.6
│ │ └─┬ andanotherthing@5.6.7
│ │   ├── thing2@6.7.8

We can see from this example that npm shows the tree structure of the transitive dependencies.

That’s useful, but we still need to go find which of those libraries have known vulnerabilities. Fortunately, npm gives us a way to do that—npm audit. Running npm audit produces output like this:

                       === npm audit security report ===
# Run  npm install express@4.16.4  to resolve 2 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
│ Moderate       | No Charset in Content-Type Header     |
│ Package        | express                               |
│ Dependency of  | express                               |
│ Path           | express                               |
│ More info      | |

│ Low            | methodOverride Middleware Reflected Cross-Site Scripting  |
│ Package        | connect                                                   |
│ Dependency of  | express                                                   |
│ Path           | express > connect                                         |
│ More info      |                      |
found 2 vulnerabilities (1 low, 1 moderate) in 4 scanned packages
  2 vulnerabilities require semver-major dependency updates.

Pretty nice. It runs almost instantly, and it shows each vulnerability along with helpful context like a description of the vulnerability, the severity of the vulnerability, and a URL for more information.

                                                 Q U I Z  

Get hands-on with 1000+ tech skills courses.