by endymi0n 1690 days ago
While you'll probably get a good overview on the question you asked from the other comments, don't overlook that non-audit measures might give you even better bang for the buck — and that going 80% on a mix of lots of different measures will usually give you better overall effectiveness than going 99.8% on just auditing.

For example, putting that external software in a hardened container with network policies, a non-root user, capability drops, a read-only filesystem (...) will go a long way towards securing it, even if there's a cleverly disguised backdoor you didn't manage to find.

Dumping your database is only half the fun if the app isn't able to send all the data to Alonistan...

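As an added illustration of the measures listed in the comment above (not code from the thread), here is a Kubernetes Pod for a third-party image with a non-root user, all capabilities dropped, a read-only root filesystem, and a default-deny egress NetworkPolicy that leaves the app no route to ship a database dump out. All names (untrusted-app, example.org/vendor-app:1.2.3, the db label, port 5432) are placeholders.

```yaml
# Added example (not from the thread): a Kubernetes Pod for a third-party
# image with the measures named above, plus a default-deny egress policy.
# Names such as untrusted-app and example.org/vendor-app:1.2.3 are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: untrusted-app
  labels:
    app: untrusted-app
spec:
  automountServiceAccountToken: false   # no cluster API credentials inside
  securityContext:
    runAsNonRoot: true                  # refuse to start as UID 0
    runAsUser: 10001
  containers:
  - name: app
    image: example.org/vendor-app:1.2.3 # placeholder image reference
    securityContext:
      allowPrivilegeEscalation: false   # setuid binaries gain no privileges
      readOnlyRootFilesystem: true      # image contents cannot be altered at runtime
      capabilities:
        drop: ["ALL"]                   # drop every Linux capability
    volumeMounts:
    - name: tmp
      mountPath: /tmp                   # the only writable path
  volumes:
  - name: tmp
    emptyDir: {}
---
# Egress allow-list: only the database pod is reachable, so even a hidden
# backdoor has no route to send a database dump anywhere else.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: untrusted-app-egress
spec:
  podSelector:
    matchLabels:
      app: untrusted-app
  policyTypes: ["Egress"]
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: db                       # placeholder label of the database pod
    ports:
    - protocol: TCP
      port: 5432
```

The policy only takes effect on a cluster whose CNI plugin enforces NetworkPolicy, and as written it also blocks DNS, so add an egress rule for the cluster resolver if the app needs name resolution.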

Good advice, but these are NPM packages in WordPress plugins. It'd be unusual to have Node running on a server that's running WordPress, so it's very likely that these NPM packages are actually being delivered to the users of the website as part of the pages they're viewing (client-side components like custom dropdowns, calendars, etc. are a typical use case). No amount of server hardening is going to protect the client if that's the case.

The only option is to flag them as either insecure or unchecked.

Yes, npm is typically used to build minified JavaScript code for WordPress plugin distribution. WordPress developers themselves use it for the Gutenberg editor.

I personally dislike this new age and miss the days of hacking with just a text editor and browser, but I understand their benefits.