by politelemon 1693 days ago
It's not free, we're using Whitesource which provides alerts against libraries being used in the codebase. It can scan package.json, but it can also scan individual files. It matches the hashes of those files with those from open source projects, so it is usually able to identify which library that file came from, or at least where it was first seen. That way the package.json isn't always needed.

Does it recognize hashes of proprietary (closed source, minified) files too?
Nope, it does not. If you remove the comment at the beginning of an unminified JS file, it will not recognize it as outdated anymore. You should treat WhiteSource as something that can potentially help to find problems, but it will by no means grant you security on its own. It is an enterprise tool to help people check boxes.
We leverage it mainly to confirm license compliance, but the package vuln notifications are nice.
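The file-hash matching described in the first comment, and the failure mode raised in the reply (strip the leading comment and the file is no longer recognised), as an added illustration that is not code from the thread or from WhiteSource. The "known library" files, the library name `examplelib`, its versions and the index-building helpers are all constructed for this example; a real tool's database and normalisation rules are not public here and are not reproduced.

```python
import hashlib
import re

# Constructed stand-in for a vendor's database of known open-source files.
# Keys are (library, version); values are the exact file contents.
# Nothing here is a real library or a real published hash.
KNOWN_FILES = {
    ("examplelib", "1.0.0"): (
        "/**\n * @license\n * examplelib v1.0.0\n */\n"
        "function chunk(a, n) { return a; }\n"
    ),
    ("examplelib", "1.0.1"): (
        "/**\n * @license\n * examplelib v1.0.1\n */\n"
        "function chunk(a, n) { return a.slice(0); }\n"
    ),
}

# A leading block comment at the very start of the file, including any
# whitespace around it. This is what a header-stripping step removes.
LEADING_COMMENT = re.compile(r"\A\s*/\*.*?\*/\s*", re.DOTALL)


def sha256_hex(text: str) -> str:
    """Hash the file content exactly as given (exact-match scanners work this way)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def strip_header_comment(source: str) -> str:
    """Drop the first block comment if the file starts with one."""
    return LEADING_COMMENT.sub("", source, count=1)


def build_exact_index(files):
    """sha256(exact bytes) -> (library, version). One edited byte breaks the lookup."""
    return {sha256_hex(body): key for key, body in files.items()}


def build_normalized_index(files):
    """sha256(content with header comment removed) -> (library, version).

    A hypothetical, more tolerant matcher. Caveat: if two versions differ only
    in their header comment, they collapse to one hash and the index keeps
    whichever was inserted last, so normalisation trades misses for ambiguity.
    """
    return {sha256_hex(strip_header_comment(body)): key for key, body in files.items()}


EXACT_INDEX = build_exact_index(KNOWN_FILES)
NORMALIZED_INDEX = build_normalized_index(KNOWN_FILES)


def identify_exact(source: str):
    """Return (library, version) if the file's bytes match a known file, else None."""
    return EXACT_INDEX.get(sha256_hex(source))


def identify_normalized(source: str):
    """Same lookup, but after removing the leading header comment from the input."""
    return NORMALIZED_INDEX.get(sha256_hex(strip_header_comment(source)))


if __name__ == "__main__":
    original = KNOWN_FILES[("examplelib", "1.0.0")]
    edited = strip_header_comment(original)  # the edit the reply describes
    print("exact, untouched file: ", identify_exact(original))
    print("exact, comment removed:", identify_exact(edited))
    print("normalized, comment removed:", identify_normalized(edited))
```

Running it shows the untouched file resolving to `("examplelib", "1.0.0")`, the same file with its header comment removed resolving to nothing under the exact index, and only the header-stripped index recovering the match. Which of these behaviours a given commercial scanner actually has is not something this thread establishes; the exact-match case is what the reply reports seeing.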