What Is Dependency Scanning? Keeping Your AI-Generated Code Safe
When AI generates a package.json with 50 dependencies, any one of them could have a known security hole. Dependency scanning is how you catch it — automatically, before it reaches your users.
TL;DR
Dependency scanning automatically checks every package in your project against databases of known security vulnerabilities. AI adds packages fast without checking if they're safe — dependency scanning catches the problems. Start with npm audit (built into npm, free). Add GitHub Dependabot for automatic PR-based fixes. Use Snyk for a larger vulnerability database. Try Socket.dev to catch supply chain attacks. Run scans after every npm install and in your CI/CD pipeline.
Why AI Coders Need Dependency Scanning
Here's something most AI coding tutorials won't tell you: every time you ask Claude, ChatGPT, or Cursor to build something, it's adding packages to your project. Not just the ones you can see in package.json — each of those packages has its own dependencies, which have their own dependencies.
A typical AI-generated Express app might list 15 packages in package.json. But open node_modules and you'll find 200+ packages installed. You didn't choose 90% of them. You've never heard of most of them. And any single one could have a known security vulnerability.
Dependency scanning is the automated process of checking all of those packages — the ones you asked for and the ones that came along for the ride — against databases of known security problems. It's like a building inspector checking every subcontractor's work, not just the general contractor you hired.
This isn't theoretical. In 2024, the xz-utils backdoor — a supply chain attack hidden in a widely-used compression library — nearly compromised every Linux server on the internet. It was caught by accident. Dependency scanning tools are designed to catch these things on purpose.
The Real Scenario
What you asked AI:
"Build me a full-stack app with user authentication, file uploads, payment processing, and a dashboard. Use Express, React, and PostgreSQL."
That's a reasonable prompt. Here's the kind of package.json AI might generate:
What AI Generated
{
"name": "my-saas-app",
"version": "1.0.0",
"dependencies": {
"express": "^4.18.2",
"cors": "^2.8.5",
"helmet": "^7.1.0",
"bcryptjs": "^2.4.3",
"jsonwebtoken": "^9.0.2",
"pg": "^8.12.0",
"multer": "^1.4.5-lts.1",
"stripe": "^14.14.0",
"dotenv": "^16.3.1",
"express-rate-limit": "^7.1.5",
"express-validator": "^7.0.1",
"morgan": "^1.10.0",
"compression": "^1.7.4",
"nodemailer": "^6.9.8",
"uuid": "^9.0.0"
},
"devDependencies": {
"nodemon": "^3.0.3",
"jest": "^29.7.0",
"eslint": "^8.56.0"
}
}Versions shown as of March 2026. Always check for the latest.
Looks clean, right? 15 production dependencies, 3 dev dependencies. Professional, even. But here's what's really happening:
- Those 18 packages pull in ~350 total packages when you run
npm install - AI chose
multer 1.4.5-lts.1— an older version branch that may have known CVEs jsonwebtoken 9.0.2had a timing attack vulnerability patched in later versions- The
^in version ranges means npm can install newer minor versions that might introduce new issues
None of this is visible until you scan.
Understanding Each Part: The Four Scanning Tools
Dependency scanning isn't one tool — it's a category. Here are the four tools that matter most, and what each one actually does differently.
1. npm audit — The Built-In Scanner
Already installed if you have npm. Free. No account needed.
# Run in your project folder:
npm audit
# What you'll see:
# 6 vulnerabilities (2 moderate, 3 high, 1 critical)
#
# critical Remote Code Execution in lodash
# high Prototype Pollution in minimist
# high Regular Expression Denial of Service in semver
# ...
# Fix the safe ones automatically:
npm audit fix
# See what would change without doing it:
npm audit fix --dry-runWhat it catches: Known CVEs (Common Vulnerabilities and Exposures) in packages listed in the npm registry's advisory database.
What it misses: Supply chain attacks, typosquatted packages, malicious code that hasn't been reported yet. It also only scans when you remember to run it.
For a deep dive, see our full guide: What Is npm audit? Dependency Security for AI Coders.
2. GitHub Dependabot — The Automatic Fixer
If your code is on GitHub (and most AI-generated projects end up there), Dependabot watches your package.json and automatically opens pull requests when a dependency has a fix available.
# Enable it: GitHub repo → Settings → Code security and analysis
# Toggle on: "Dependabot alerts" and "Dependabot security updates"
# That's it. No config file needed for basic security updates.
# For version updates too, add .github/dependabot.yml:
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 10What it catches: Same CVE database as npm audit, but runs automatically and creates PRs you can merge with one click.
Why AI coders love it: You don't have to remember to scan. Dependabot watches your repo 24/7 and tells you when something needs fixing. If you're using GitHub anyway, this is the single easiest security win.
3. Snyk — The Deeper Scanner
Snyk maintains its own vulnerability database that's larger than npm's. It catches issues npm audit misses and gives more detailed fix guidance.
# Install:
npm install -g snyk
# Authenticate (free tier available):
snyk auth
# Scan your project:
snyk test
# Example output:
# ✗ High severity vulnerability found in jsonwebtoken
# Description: Timing Attack
# Info: https://snyk.io/vuln/SNYK-JS-JSONWEBTOKEN-3180022
# Introduced through: jsonwebtoken@9.0.0
# Fix: Upgrade to jsonwebtoken@9.0.1
#
# ✗ Medium severity vulnerability found in express
# Description: Open Redirect
# ...
# Monitor continuously (sends alerts when new CVEs affect your deps):
snyk monitorWhat it catches: Everything npm audit catches, plus vulnerabilities in Snyk's proprietary database, license compliance issues, and container image vulnerabilities if you're using Docker.
The free tier gives you 200 tests per month — plenty for personal projects and small teams.
4. Socket.dev — The Supply Chain Guard
Socket.dev does something fundamentally different from the other three. Instead of checking against CVE databases, it analyzes what packages actually do — looking at their code behavior.
# Install the GitHub App: https://socket.dev
# Or use the CLI:
npm install -g socket
# Scan:
socket scan
# What Socket flags that others miss:
# ⚠ "colors" package has install script that runs on npm install
# ⚠ "my-utils" package accesses network on import
# ⚠ "helper-lib" package reads environment variables
# ⚠ New maintainer added to "popular-package" 2 days agoWhat it catches: Typosquatting (packages with names like expresss or lodassh), install scripts that run arbitrary code, packages that suddenly change behavior after a maintainer change, and obfuscated malicious code.
Why this matters for AI coders: When AI suggests a package you've never heard of, Socket can tell you if that package does suspicious things — like accessing the network when it's supposed to be a string formatting library.
How They Compare
| Feature | npm audit | Dependabot | Snyk | Socket.dev |
|---|---|---|---|---|
| Price | Free | Free | Free tier | Free tier |
| Runs automatically | No (manual) | Yes | Yes (with CI) | Yes |
| Known CVEs | ✅ | ✅ | ✅ (larger DB) | Limited |
| Supply chain attacks | ❌ | ❌ | Limited | ✅ |
| Auto-fix PRs | ❌ | ✅ | ✅ | ❌ |
| Docker scanning | ❌ | ❌ | ✅ | ❌ |
| Setup effort | None | 2 clicks | 5 minutes | 5 minutes |
What AI Gets Wrong About Dependencies
AI is great at writing code fast. It's bad at checking whether the packages it chose are safe right now. Here are three specific mistakes AI makes constantly:
Mistake 1: Pinning Old Versions with Known Vulnerabilities
AI's training data has a cutoff date. It recommends package versions it "saw" during training, which might be months or years old. Those versions may have had critical vulnerabilities discovered and patched since then.
// AI generated this in March 2026:
"jsonwebtoken": "^8.5.1" // ❌ Has known timing attack CVE
"express": "^4.17.1" // ❌ Several patches since this version
"lodash": "^4.17.15" // ❌ Prototype pollution — fixed in 4.17.21
// What you should have:
"jsonwebtoken": "^9.0.2" // ✅ Patched
"express": "^4.21.0" // ✅ Current
"lodash": "^4.17.21" // ✅ PatchedWhat to do: After AI generates a package.json, run npm audit immediately. Before you write a single line of your own code.
Mistake 2: Adding Unnecessary Packages
AI tends to reach for packages for things JavaScript can do natively. More packages = more attack surface. Every dependency is a door someone could walk through.
// AI adds these, but you might not need them:
"uuid": "^9.0.0" // crypto.randomUUID() is built into Node 19+
"moment": "^2.29.4" // Intl.DateTimeFormat is built into modern JS
"lodash": "^4.17.21" // Array methods, spread syntax cover most use cases
"is-odd": "^3.0.1" // Seriously. n % 2 !== 0.
// Fewer dependencies = fewer vulnerabilities = less to scanWhat to do: Question every package AI adds. Ask: "Does Node.js or modern JavaScript have a built-in way to do this?" If yes, remove the package.
Mistake 3: Ignoring the Lock File
AI generates package.json but doesn't manage package-lock.json. The lock file is what actually determines which exact versions get installed. Without it, npm install on different machines can install different (potentially vulnerable) versions.
# AI's package.json says:
"express": "^4.18.2"
# ^ means "4.18.2 or any newer 4.x.x"
# On your machine today: installs 4.18.2 ✅
# On production next week: might install 4.19.0 (if released)
# That new version might have a bug or vulnerability
# The fix: ALWAYS commit package-lock.json
git add package-lock.json
git commit -m "Lock dependency versions"
# And use npm ci (not npm install) in production/CI:
npm ci # Installs exact versions from lock file — reproducible buildsWhat to do: Always commit package-lock.json to git. Use npm ci in CI/CD and production. Tell your AI: "Don't add package-lock.json to .gitignore."
How to Set Up Dependency Scanning (Step by Step)
Here's exactly what to do, starting from zero. This takes about 10 minutes.
Step 1: Scan What You Have Right Now
# Navigate to your project:
cd my-project
# Run the built-in scanner:
npm audit
# If you see vulnerabilities, try the automatic fix:
npm audit fix
# Check what's left:
npm auditStep 2: Enable Dependabot on GitHub
- Go to your GitHub repo
- Click Settings → Code security and analysis
- Enable Dependabot alerts
- Enable Dependabot security updates
- Done. Dependabot will now open PRs automatically when fixes are available.
Step 3: Add Scanning to CI/CD
# .github/workflows/security-scan.yml
name: Dependency Security Scan
on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
- cron: '0 9 * * 1' # Every Monday at 9am
jobs:
audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: '22'
- run: npm ci
# Fail on high/critical vulnerabilities in production deps
- name: npm audit
run: npm audit --audit-level=high --omit=dev
# Optional: Snyk scan (add SNYK_TOKEN to repo secrets)
- name: Snyk test
if: env.SNYK_TOKEN != ''
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
run: |
npm install -g snyk
snyk test --severity-threshold=highStep 4: Make It a Habit
Add this to your workflow every time AI adds packages:
- AI generates code with new packages →
npm install - Immediately run
npm audit - Fix any high/critical issues before continuing
- Question any package you don't recognize
- Commit
package-lock.json
For more on building security habits as an AI coder, check our fundamentals guide.
What to Learn Next
Frequently Asked Questions
What is dependency scanning and why do I need it?
Dependency scanning automatically checks every package in your project — and every package those packages depend on — against databases of known security vulnerabilities. You need it because when AI generates code, it adds dozens of packages without checking if any have been compromised. One vulnerable dependency in production can expose your users' data or let attackers run code on your server.
Is npm audit enough or do I need Snyk and Dependabot too?
npm audit is a solid starting point and catches most known CVEs. But it only runs when you remember to run it. GitHub Dependabot runs automatically on every push and opens PRs to fix issues. Snyk has a larger vulnerability database and catches things npm audit misses. For serious projects, use npm audit locally plus Dependabot or Snyk in CI/CD. Socket.dev adds protection against supply chain attacks that none of the others catch.
Can AI tools like Claude or ChatGPT check dependencies for me?
No. AI tools have training data cutoffs and don't have access to live vulnerability databases. A package that was safe when the AI was trained might have a critical CVE discovered last week. AI can help you understand scan results and suggest fixes, but the actual scanning must be done by dedicated tools (npm audit, Snyk, Dependabot) that check real-time databases.
What's the difference between a vulnerability and a supply chain attack?
A vulnerability is an accidental security flaw — the developer made a mistake that attackers can exploit. A supply chain attack is intentional — someone deliberately injects malicious code into a package, either by hijacking a maintainer's account, publishing a typosquatted package (like expresss instead of express), or compromising the build pipeline. Traditional scanners like npm audit catch vulnerabilities. Socket.dev is specifically designed to catch supply chain attacks.
How do I set up dependency scanning if I've never done it before?
Start with three steps: (1) Run npm audit in your project folder right now to see your current status. (2) If your code is on GitHub, enable Dependabot in Settings → Code security — it's free and automatic. (3) Install the Snyk CLI with npm install -g snyk and run snyk test for a second opinion. This takes about 10 minutes and immediately tells you if you have vulnerable packages.