Ask HN: How do you (security) audit external software using NPM packages?
15 by BjornW | 10 comments on Hacker News.
Hi, at my current client I've been doing more and more security-related tasks, such as audits on external software. Currently the type of software I audit is WordPress plugins. I have more than 15 years of experience with WordPress and in the past I could fairly easily assess a WordPress plugin's potential security impact(s). Nowadays not so much, due to the seemingly increased usage of npm packages included with these plugins. Often these plugins do not include a package.json or package-lock.json, nor are the JavaScript files readable (bundled & minified). This makes using npm audit near impossible. Good for production, less so for audits. Sometimes I can grab development files such as package.json and package-lock.json from a public repo, but in the case of so-called 'premium' plugins a public repo is usually absent. So my question is: How do you (security) audit external software depending on npm packages?
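One concrete starting point for the situation described in the post (bundled, minified JavaScript with no package.json or lock file) is to recover dependency names and, where possible, versions from artefacts the bundler leaves behind. The script below is an added example, not code from the poster or from any WordPress plugin: it scans a constructed sample bundle for the "/*!" license banners that minifiers preserve and for webpack module keys containing node_modules/ paths, then produces a minimal package.json for the dependencies whose version it could pin and a separate list of names that still need manual version confirmation. The regexes are heuristics of my own; the sample bundle text is constructed for the example.

```python
"""Heuristic recovery of npm dependency names and versions from a bundled,
minified JavaScript file, as a first step toward an audit when the plugin
ships no package.json or package-lock.json (added example, not from the post)."""
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample bundle fragment (not a real plugin). It mimics two
# artefacts bundlers commonly leave behind: "/*!" license banners, which
# minifiers keep, and webpack module keys that contain node_modules/ paths.
SAMPLE_BUNDLE = r"""
/*! jQuery v3.5.1 | (c) JS Foundation and other contributors | jquery.org/license */
!function(e,t){"use strict";e.jQuery=t()}(window);
/*! axios v0.21.1 | (c) 2020 by Matt Zabriskie */
/***/ "./node_modules/lodash/lodash.js":
/***/ (function(module,exports,__webpack_require__){ /* ... */ }),
/***/ "./node_modules/@babel/runtime/helpers/classCallCheck.js":
/***/ "./node_modules/axios/lib/axios.js":
"""

# "/*! name v1.2.3" banners: a name token followed by a semver-like version.
BANNER_RE = re.compile(
    r"/\*!\s*([A-Za-z][A-Za-z0-9_.-]*)\s+v?(\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?)"
)
# The package segment after node_modules/, including scoped packages (@scope/name).
NODE_MODULES_RE = re.compile(r"node_modules/((?:@[\w.-]+/)?[\w.-]+)")


def find_banner_packages(text: str) -> Dict[str, str]:
    """Return {package_name_lowercased: version} from preserved license banners."""
    found: Dict[str, str] = {}
    for name, version in BANNER_RE.findall(text):
        found.setdefault(name.lower(), version)  # keep the first banner seen
    return found


def find_node_modules_packages(text: str) -> set:
    """Return package names seen in node_modules/ paths (these carry no version)."""
    return set(NODE_MODULES_RE.findall(text))


def recover_dependencies(text: str) -> Dict[str, Optional[str]]:
    """Merge both sources: a version where a banner gave one, otherwise None."""
    deps: Dict[str, Optional[str]] = {name: None for name in find_node_modules_packages(text)}
    for name, version in find_banner_packages(text).items():
        deps[name] = version
    return dict(sorted(deps.items()))


def build_manifest(deps: Dict[str, Optional[str]]) -> Tuple[dict, List[str]]:
    """Split recovered names into a package.json-style manifest (exact pins only)
    and a list of names whose bundled version could not be determined. Names
    without a version are deliberately NOT pinned to "*": resolving "latest"
    would audit a newer release than the one actually bundled."""
    pinned = {n: v for n, v in deps.items() if v}
    unresolved = sorted(n for n, v in deps.items() if not v)
    manifest = {
        "name": "recovered-from-bundle",  # placeholder name for the audit project
        "private": True,
        "dependencies": pinned,
    }
    return manifest, unresolved


if __name__ == "__main__":
    recovered = recover_dependencies(SAMPLE_BUNDLE)
    manifest, unresolved = build_manifest(recovered)
    print(json.dumps(manifest, indent=2))
    for name in unresolved:
        print(f"UNRESOLVED: {name} (no version banner; confirm version manually)")
```

Write the manifest out as package.json in an empty directory and run `npm install --package-lock-only` followed by `npm audit` to get advisories for the pinned entries; the unresolved names (here lodash and @babel/runtime) need their version established another way, for example by diffing distinctive function bodies against the published package tarballs. Two checks worth doing before trusting the result: webpack 5 extracts "/*!" comments into a sibling `<bundle>.LICENSE.txt` file by default, so feed that file to the banner scanner as well, and a banner only proves that a library was bundled, not that the whole plugin's dependency tree was captured.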