Like we have for composer.lock files, we should check the libraries included in our Node.js repos for known vulnerabilities and alert someone if issues are found.
There are two utilities that I know of to do the check: Wikia is using retire.js. Requiresafe is newer (and has active backing), but it talks to a proprietary service for the checks. Requiresafe also doesn't require you to npm install before doing the check, which (as far as I've been able to make it work) retire.js does.
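As an added example (not part of this task, nor code from retire.js or requiresafe), here is a wrapper a CI job could run per Node.js checkout: it does the npm install that retire.js needs, runs the scan, and maps the result to a pass / alert / error status. It assumes retire.js is installed and relies on its default exit code of 13 when vulnerabilities are found.

```shell
#!/usr/bin/env bash
# Added example, not from the task or either project: run retire.js against
# one Node.js checkout and turn its result into a pass/alert/error status.
# Assumes retire.js is on PATH (e.g. npm install -g retire).
set -u

# check_node_deps <repo-dir>
# Returns 0 when nothing known-vulnerable is found, 1 when retire.js reports
# vulnerable libraries (the case to alert on), 2 when the scan itself failed.
check_node_deps() {
  repo=$1
  report="$repo/retire-report.json"

  # retire.js inspects node_modules, so install first; scripts are disabled
  # so that scanning does not run a dependency's install hooks.
  if ! (cd "$repo" && npm install --ignore-scripts >/dev/null 2>&1); then
    echo "check_node_deps: npm install failed in $repo" >&2
    return 2
  fi

  # retire exits 13 (its default --exitwith value) when vulnerabilities are
  # found and 0 when clean; anything else means the tool itself failed.
  status=0
  (cd "$repo" && retire --path . --outputformat json --outputpath "$report") || status=$?

  case "$status" in
    0)  echo "no known-vulnerable libraries in $repo"; return 0 ;;
    13) echo "ALERT: vulnerable libraries in $repo, details in $report" >&2; return 1 ;;
    *)  echo "check_node_deps: retire.js failed with exit $status" >&2; return 2 ;;
  esac
}

# Usage: ./check_node_deps.sh /path/to/checkout  (alert on exit status 1)
if [ $# -gt 0 ]; then
  check_node_deps "$1"
fi
```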