At my current client I’ve been doing more and more security-related tasks such as audits on external software. Currently the type of software I audit is WordPress plugins. I have more than 15 years of experience with WordPress and in the past I could fairly easily assess a WordPress plugin’s potential security impact(s). Nowadays, not so much, due to the seemingly increased usage of npm packages included with these plugins.
Sometimes I can grab development files such as package.json, package-lock.json from a public repo, but in the case of so-called ‘premium’ plugins a public repo is usually absent.
So my question is: How do you (security) audit external software depending on npm packages?
PS: I’ve also asked this question on Hacker News. I did not see any rules about cross-posting, so if this is not OK, please let me know and I won’t cross-post in the future anymore.