Why It Matters
Modern apps pull in hundreds of third-party dependencies, often amounting to more lines of code than you wrote yourself. When a vulnerability is published in one of them, your application inherits it. A well-known class of breaches comes from running a library with a published vulnerability long after a fix was available.
How Scanning Works
- A scanner reads your lockfile to learn the exact versions you depend on, including transitive ones.
- It compares those versions against a database of known vulnerabilities, such as published advisories.
- It reports affected packages, the severity, and the fixed version to upgrade to.
Scanning the lockfile matters because it captures the real resolved tree, not just the loose ranges in your manifest.
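The three steps above, worked through as an added example that is not part of the original page: it parses a constructed lockfile in the shape of an npm package-lock.json (the "packages" map keyed by node_modules path), compares every resolved version, transitive ones included, against a constructed advisory list with introduced/fixed bounds, and reports the fixed version to upgrade to. The package names, advisory ids and version numbers are all invented sample data, and the version comparison assumes plain dotted numeric versions (a real scanner uses full semver).

```python
"""Minimal lockfile-vs-advisory matcher (added example, not from the page).

Assumptions: the lockfile mimics npm's package-lock.json v3 layout; package
names, advisory ids and versions are constructed sample data, not real advisories.
"""
import json
from dataclasses import dataclass

# Constructed manifest: loose ranges, which say nothing about what actually resolved.
MANIFEST = {"dependencies": {"left-widget": "^1.2.0", "http-shim": "~2.0.0"}}

# Constructed lockfile: the real resolved tree, including a transitive dependency.
LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": MANIFEST["dependencies"]},
        "node_modules/left-widget": {"version": "1.2.4"},
        "node_modules/http-shim": {"version": "2.0.3"},
        # pulled in by http-shim; never mentioned in the manifest
        "node_modules/http-shim/node_modules/tiny-parser": {"version": "0.9.1"},
    },
})

# Constructed advisories with placeholder ids (not real CVE or GHSA numbers).
# A version is affected when introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "package": "tiny-parser", "severity": "high",
     "introduced": "0.0.0", "fixed": "0.9.2"},
    {"id": "ADV-EXAMPLE-2", "package": "left-widget", "severity": "critical",
     "introduced": "1.0.0", "fixed": "1.2.0"},
    {"id": "ADV-EXAMPLE-3", "package": "http-shim", "severity": "moderate",
     "introduced": "2.0.0", "fixed": "2.1.0"},
]


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    advisory: str
    severity: str
    fixed_in: str


def parse_version(v):
    """Dotted numeric version -> comparable tuple (no pre-release handling)."""
    return tuple(int(part) for part in v.split("."))


def resolved_packages(lock_text):
    """Yield (name, version) for every resolved package, transitive ones included.
    The name is whatever follows the last 'node_modules/' in the path key, so
    nested and scoped packages are handled alike."""
    lock = json.loads(lock_text)
    for path, entry in lock["packages"].items():
        if not path:
            continue  # the empty key is the root project itself
        name = path.rsplit("node_modules/", 1)[1]
        yield name, entry["version"]


def transitive_only(lock_text):
    """Resolved packages that the manifest never lists directly."""
    lock = json.loads(lock_text)
    direct = set(lock["packages"][""].get("dependencies", {}))
    return sorted(name for name, _ in resolved_packages(lock_text) if name not in direct)


def is_affected(version, advisory):
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def scan(lock_text, advisories=ADVISORIES):
    """Match every resolved version against the advisory database."""
    findings = []
    for name, version in resolved_packages(lock_text):
        for adv in advisories:
            if adv["package"] == name and is_affected(version, adv):
                findings.append(Finding(name, version, adv["id"], adv["severity"], adv["fixed"]))
    return findings


if __name__ == "__main__":
    for f in scan(LOCKFILE):
        print(f"{f.severity.upper():9} {f.package}@{f.version} ({f.advisory}): upgrade to {f.fixed_in}")
    print("transitive only:", transitive_only(LOCKFILE))
```

Note what the manifest alone could not have told you: left-widget resolved to 1.2.4, which is already past the fix, while http-shim's "~2.0.0" range resolved to 2.0.3, which is inside the affected range, and tiny-parser does not appear in the manifest at all.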
Operating It Well
- Run the scan in continuous integration so a vulnerable dependency blocks the merge.
- Triage by severity and reachability; not every advisory affects your usage.
- Keep dependencies current with regular small updates rather than rare large ones.
- Generate a software bill of materials so you can answer what you ship.
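A merge gate that applies the first two points above, as an added example that is not part of the original page: findings are constructed in the shape a scanner might emit, a severity threshold decides what blocks the merge, and triage decisions (for example an advisory whose vulnerable function is not reachable from your code) are recorded as exceptions with a reason and an expiry date so accepted risk is revisited instead of forgotten. Package names, advisory ids, dates and the exception reasons are all invented sample data.

```python
"""CI gate over dependency-scan findings (added example, not from the page).

Assumes a scanner has already produced findings as plain dicts; the exception
list models triage decisions. Every value below is constructed sample data.
"""
from datetime import date

SEVERITY_RANK = {"low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed findings with placeholder advisory ids.
FINDINGS = [
    {"package": "tiny-parser", "version": "0.9.1", "advisory": "ADV-EXAMPLE-1",
     "severity": "high", "fixed_in": "0.9.2"},
    {"package": "http-shim", "version": "2.0.3", "advisory": "ADV-EXAMPLE-3",
     "severity": "moderate", "fixed_in": "2.1.0"},
    {"package": "yaml-tool", "version": "3.1.0", "advisory": "ADV-EXAMPLE-4",
     "severity": "critical", "fixed_in": "3.1.1"},
]

# Constructed triage record: an exception needs a reason and an expiry date.
# An expired exception no longer suppresses the finding.
EXCEPTIONS = {
    "ADV-EXAMPLE-4": {"reason": "vulnerable function is not reachable from our code paths",
                      "expires": date(2099, 1, 1)},
    "ADV-EXAMPLE-1": {"reason": "temporary acceptance pending upgrade",
                      "expires": date(2000, 1, 1)},  # already expired
}


def evaluate(findings, exceptions, fail_at="high", today=None):
    """Sort findings into blocking, accepted (valid exception) and below-threshold."""
    today = today or date.today()
    threshold = SEVERITY_RANK[fail_at]
    result = {"blocking": [], "accepted": [], "below_threshold": []}
    for f in findings:
        exc = exceptions.get(f["advisory"])
        if exc is not None and exc["expires"] > today:
            result["accepted"].append(f)
        elif SEVERITY_RANK[f["severity"]] >= threshold:
            result["blocking"].append(f)
        else:
            result["below_threshold"].append(f)
    return result


def exit_code(result):
    """Non-zero when anything blocks, so the CI job fails and the merge is held."""
    return 1 if result["blocking"] else 0


def report(result, exceptions):
    lines = []
    for f in result["blocking"]:
        lines.append(f"BLOCK   {f['package']}@{f['version']} {f['advisory']} "
                     f"({f['severity']}): upgrade to {f['fixed_in']}")
    for f in result["accepted"]:
        lines.append(f"ACCEPT  {f['advisory']}: {exceptions[f['advisory']]['reason']} "
                     f"(until {exceptions[f['advisory']]['expires']})")
    for f in result["below_threshold"]:
        lines.append(f"INFO    {f['package']}@{f['version']} {f['advisory']} ({f['severity']})")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    res = evaluate(FINDINGS, EXCEPTIONS, fail_at="high")
    print(report(res, EXCEPTIONS))
    sys.exit(exit_code(res))
```

With the sample data the critical finding is accepted under a live exception, the high finding blocks because its exception has expired, and the moderate one is reported but does not fail the job; raising or lowering fail_at is the policy knob.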
Key idea
Dependency scanning matches your resolved package versions against advisory databases and runs in continuous integration, so inherited vulnerabilities are caught and upgraded before they reach production.