How it works...

The auditjs tool traverses the entire dependency tree and makes requests to https://ossindex.net/, which aggregates vulnerability announcements from npm, the Node Security project, the National Vulnerability Database (NVD), snyk.io, and others.

The auditjs tool also checks the local version of node to see whether it is known to be secure, so it is useful to run auditjs on a Continuous Integration (CI) machine that has exactly the node version used in production.

We install it as a development dependency and then add it as an audit script in package.json, so auditing ships with the project whenever it is shared among multiple developers.