Mitigating security risks with NodeJS

I’m new to supporting a complex production nodejs project.

My gut feeling was to employ package management tools like:

• npm audit
• npx depcheck
• npx npm-check-updates

However npm audit oftens flags high issues, which are largely the problem of the underlying dependencies. The risks are really hard to gauge. Most of the time they feel like false alerts.

So now what?

Ensure every package is updated to keep a better security posture? That’s an endless treadmill.

There are plenty of tools, though I am missing a good conservative philosophy.