We live in a world of components and dependencies. There are numerous libraries available to perform almost any task. Sometimes, it makes sense to use battle-tested libraries written by large companies. Other times, you should go with your own solution.
No matter what, your project will end up with a dependency tree. It’s good practice to know what you are installing. You should avoid vulnerable packages, or legacy ones without any activity.
Some packages may be vulnerable, so check them before you install. A small number of downloads or poor GitHub activity is a pretty good warning sign. Be cautious.
Dependencies become out of date pretty much every day. This can be caused by a security update, new features or just a performance update.
You shouldn’t install dependencies with poor GitHub activity. It’s a sign that the project is not maintained anymore.
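The warning signs above (few downloads, no recent release, a deprecation notice) can be turned into a repeatable check. The script below is an added example, not code from the original post; the registry documents, download counts and thresholds are constructed assumptions in the shape the npm registry and downloads API return, so it runs offline.

```javascript
// Added example: rank a project's dependencies by the warning signs discussed
// above. REGISTRY mimics the npm registry document for a package and DOWNLOADS
// mimics the downloads API (last-month point value); both are CONSTRUCTED
// sample data here, and a real run would fetch them over HTTPS.

// Thresholds are assumptions chosen for illustration, not numbers from the post.
const MAX_DAYS_SINCE_PUBLISH = 365;   // no release in a year: likely unmaintained
const MIN_MONTHLY_DOWNLOADS = 1000;   // very low adoption: fewer eyes on the code

const NOW = new Date('2024-06-01T00:00:00Z'); // fixed "today" so results are stable

// Constructed registry documents keyed by package name (only the fields used).
const REGISTRY = {
  'well-kept-lib': {
    'dist-tags': { latest: '4.2.0' },
    time: { '4.2.0': '2024-05-20T10:00:00Z' },
    versions: { '4.2.0': {} },
  },
  'abandoned-lib': {
    'dist-tags': { latest: '0.3.1' },
    time: { '0.3.1': '2019-02-11T08:30:00Z' },
    versions: { '0.3.1': { deprecated: 'no longer maintained, use something-else' } },
  },
};
const DOWNLOADS = { 'well-kept-lib': 250000, 'abandoned-lib': 120 };

// Returns the list of warning flags for one dependency.
function assessDependency(registryDoc, monthlyDownloads, now = NOW) {
  const latest = registryDoc['dist-tags'].latest;
  const publishedAt = new Date(registryDoc.time[latest]);
  const daysSincePublish = (now - publishedAt) / 86400000;
  const flags = [];
  if (daysSincePublish > MAX_DAYS_SINCE_PUBLISH) flags.push('stale');
  if (monthlyDownloads < MIN_MONTHLY_DOWNLOADS) flags.push('low-downloads');
  const latestMeta = registryDoc.versions[latest];
  if (latestMeta && latestMeta.deprecated) flags.push('deprecated');
  return flags;
}

// Checks every entry in package.json "dependencies" and returns a map of
// package name -> flags, which a CI job could fail on if any list is non-empty.
function auditDependencies(packageJson, registry = REGISTRY, downloads = DOWNLOADS, now = NOW) {
  const report = {};
  for (const name of Object.keys(packageJson.dependencies || {})) {
    report[name] = assessDependency(registry[name], downloads[name] ?? 0, now);
  }
  return report;
}

// Constructed package.json for the demo.
const SAMPLE_PACKAGE_JSON = { dependencies: { 'well-kept-lib': '^4.2.0', 'abandoned-lib': '~0.3.1' } };
console.log(auditDependencies(SAMPLE_PACKAGE_JSON));
```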
For already existing dependencies, you can run the excellent npm-check-updates locally. Unfortunately, you can’t automate these updates. But it is handy sometimes, especially when you are taking over somebody else’s (legacy) codebase, or when you are coming back to your own pet project.