npm audit is the built-in dependency scanner that ships with Node.js. It's fast and zero-setup — but it only queries the npm advisory registry, leaving real supply-chain risk uncovered. DepWarden is a free, zero-install alternative that plugs those gaps.
Typosquatting and dependency confusion. npm audit only checks advisories. A malicious package published as expresss (with an extra s) to catch fat-fingered installs, or a dependency-confusion attack in which an attacker publishes a public package under one of your internal package names, returns zero findings in npm audit, because there is no advisory for it yet. DepWarden flags name-similarity risk on every scan.
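As an added illustration (not DepWarden's own code), here is the kind of lockfile-level check the paragraph above describes: a name-similarity pass over the packages in a package-lock.json, plus a check for internal-scope packages that were resolved from the public registry. The POPULAR list, the @acme scope and SAMPLE_LOCK are constructed stand-ins for a real top-packages list, your organisation's scopes and a real lockfile.

```javascript
// Added example, not DepWarden's code. POPULAR and INTERNAL_SCOPES are constructed stand-ins.
const POPULAR = ["express", "lodash", "react", "axios", "chalk"];
const INTERNAL_SCOPES = ["@acme"];
const PUBLIC_REGISTRY = "https://registry.npmjs.org/";

// Optimal string alignment distance: insert, delete, substitute and adjacent swap each cost 1.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) =>
    Array.from({ length: b.length + 1 }, (_, j) => (i === 0 ? j : j === 0 ? i : 0)));
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // transposition, e.g. "lodahs"
      }
    }
  }
  return d[a.length][b.length];
}

// lockfileVersion 2/3 keys look like "node_modules/foo" or "node_modules/foo/node_modules/@s/bar";
// the package name is whatever follows the last "node_modules/". The "" key is the root project.
function lockfileEntries(lock) {
  return Object.entries(lock.packages || {}).flatMap(([key, meta]) => {
    const idx = key.lastIndexOf("node_modules/");
    return idx === -1 ? [] : [{ name: key.slice(idx + 13), resolved: meta.resolved || "" }];
  });
}

// Typosquat candidates: names exactly one edit away from a popular package (and not that package).
function findTyposquatCandidates(lock, popular = POPULAR) {
  return lockfileEntries(lock).flatMap(({ name }) =>
    popular.includes(name) ? [] :
      popular.filter((p) => editDistance(name, p) === 1).map((p) => ({ name, lookalike: p })));
}

// Dependency-confusion candidates: internal-scope packages whose "resolved" URL is the public registry.
function findPublicInternalScopes(lock, scopes = INTERNAL_SCOPES) {
  return lockfileEntries(lock).filter(({ name, resolved }) =>
    scopes.some((s) => name.startsWith(s + "/")) && resolved.startsWith(PUBLIC_REGISTRY));
}

// Constructed sample lockfile fragment; the resolved URLs are made up for the demo.
const SAMPLE_LOCK = {
  packages: {
    "": { name: "demo-app" },
    "node_modules/express": { resolved: PUBLIC_REGISTRY + "express/-/express-4.19.2.tgz" },
    "node_modules/expresss": { resolved: PUBLIC_REGISTRY + "expresss/-/expresss-1.0.0.tgz" },
    "node_modules/lodahs": { resolved: PUBLIC_REGISTRY + "lodahs/-/lodahs-0.0.1.tgz" },
    "node_modules/@acme/auth-client": { resolved: PUBLIC_REGISTRY + "@acme/auth-client/-/auth-client-2.0.0.tgz" },
  },
};
```

Running findTyposquatCandidates(SAMPLE_LOCK) reports expresss (lookalike express) and lodahs (lookalike lodash); findPublicInternalScopes(SAMPLE_LOCK) reports @acme/auth-client. A real tool would compare against the full top-N registry list rather than five names, and would treat the private-registry URL as a configured allowlist.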
End-of-life packages. npm audit doesn't flag packages whose entire release line has stopped receiving security patches. Node 18, Log4j 1.x and Django 2.x are all end-of-life, and they carry ongoing risk even without a specific CVE. DepWarden checks every dependency against the endoflife.date release schedules.
OpenSSF Scorecard health. Packages with no recent commits, no branch protection, or no CI are a latent supply-chain risk. DepWarden surfaces Scorecard health scores alongside vulnerabilities.
Exploitability context. npm audit gives CVSS scores and counts, not which findings are actively exploited right now. DepWarden enriches every CVE with CISA KEV (confirmed exploitation) and FIRST EPSS (exploit probability) so you see which five of fifty actually matter.
Browser: paste your package-lock.json at depwarden.in — no account, no installation.
CLI: npx depwarden scan package-lock.json --fail-on high
GitHub Action: uses: Rushabh5000/dep-warden/cli@main with file: package-lock.json.
Also covers yarn.lock (Yarn v1 + v2) and pnpm-lock.yaml.