Question 1

Can I use npm audit and still get EPSS/KEV signals?

Accepted Answer

Not from npm audit itself — it only provides CVEs and CVSS scores. You'd need to manually cross-reference FIRST.org for EPSS and the CISA KEV catalog for active exploitation data. GeekWala automates this by enriching every CVE with both signals when you scan your package-lock.json.

Question 2

Does this work for monorepos with multiple package-lock.json files?

Accepted Answer

GeekWala scans individual package-lock.json files. For monorepos with npm workspaces, upload the root lock file — it includes all workspace dependencies. For monorepos with independent lock files per package, scan each one separately. Full monorepo workspace support with unified reporting is coming in 2026.

Question 3

My vulnerable dependency is transitive (deeply nested). How do I trace it?

Accepted Answer

npm's dependency tree can bury vulnerable packages 5+ levels deep. Run npm ls <package> to see the dependency chain. When you scan with GeekWala, the results show the full path: your-app → parent-pkg → child-pkg → vulnerable-pkg. This helps you decide whether to bump the direct parent (preferred) or use npm audit fix --force (riskier, may introduce breaking changes).

Question 4

Should I use `npm audit fix --force` when a KEV vulnerability is found?

Accepted Answer

Use npm audit fix (without --force) first — it upgrades within semver ranges and is generally safe. --force can introduce major version bumps that break your application. For KEV entries that npm audit fix can't resolve, manually bump the vulnerable package or its parent in package.json, then test thoroughly. The urgency of KEV doesn't justify shipping broken code.

Question 5

How do EPSS scores interact with npm's severity levels?

Accepted Answer

They don't — that's the problem. npm audit maps CVSS ranges to severity labels (critical/high/moderate/low) and ignores exploitation probability entirely. A "moderate" npm finding could have EPSS 0.9 (almost certainly being exploited) while a "critical" finding has EPSS 0.01 (nobody's touching it). For a deeper explanation of how EPSS works and how to read the scores, see What is EPSS?.

For a complete guide to how npm fits into a multi-ecosystem security strategy, see Dependency Security Across 8 Ecosystems. For a side-by-side comparison of all ecosystem scanners, see 7 Dependency Vulnerability Scanners Compared. And if supply chain attacks targeting npm are on your radar, read Supply Chain Attacks on Open Source in 2026.