GitHub recently disclosed that there was a vulnerability that allowed people to publish new versions of any npm package without proper authorization. They say that this hasn’t been abused from September 2020 onwards. However this means that any package that hasn’t been updated since that time is of unknown provenance and may have been published by somebody malicious.
This tool runs against a JavaScript project and tells you which packages you rely on have not been updated since that time.
Run npx audit-pack-age
in the root of your JavaScript project.
Usage: audit-pack-age [options]
-h, --help Show help
-v, --verbose Show extra info while running
-q, --quiet Don’t generate any output
-j, --json Output JSON