Recursive support on Node.js dependencies

[RafaelGSS]

    Yes, we've discussed it in the last Security WG meeting. We agreed on testing the recursive approach, and in case it adds a lot of noise, we revert it.

Originally posted by @RafaelGSS in #88 (comment)

[RafaelGSS]

As discussed in today's meeting nodejs/security-wg#872. We might want to create another dependency checker for Javascript code.

Basically, it goes to the deps/node_modules and performs an npm audit, and reports back.

[richardlau]

Basically, it goes to the deps/node_modules and performs an npm audit, and reports back.

I've tried that before. Some things to watch out for:

• I believe you need a lock file for npm audit to even run.
• For Node.js 14 with npm 6 you have to do all operations on deps/npm with npm 6 -- attempting to do so with a later version of npm caused issues (I don't recall the exact specifics).

[RafaelGSS]

Maybe we could skip the v14 and start from v16 considering the v14 will be EOL pretty soon.