A monorepo multiplies your dependency surface. Each workspace has its own `package.json`, its own dependencies, its own attack surface. `npm audit` doesn't aggregate across workspaces. Neither does `pnpm audit`.

I ran a scan across a typical pnpm monorepo with 4 workspaces: `apps/web`, `apps/api`, `packages/ui`, `packages/shared`. Here's what came back:

```
Monorepo: 4 workspaces → 10 unique external dependencies (npm)

Package   Risk         Score  Publishers  Downloads   Age
clsx      🔴 CRITICAL  70     1           95.3M/wk    7.4y
lodash    🔴 CRITICAL  81     1           149.2M/wk   14y
zod       🔴 CRITICAL  86     1           164.4M/wk   6.2y
axios     🔴 CRITICAL  86     1           104.2M/wk   11.7y
react     🟢 HEALTHY   88     2           125.2M/wk   14.5y
express   🟢 HEALTHY   90     5           96.2M/wk    15.4y

⚠ 4 CRITICAL packages found.
```

4 out of 10 unique dependencies are CRITICAL. Not because of known CVEs, but because each one has a single npm publisher with >10M weekly downloads. That's the exact pattern behind the axios supply chain attack (March 30, 2026) and the LiteLLM compromise before it.…
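One way to do the cross-workspace aggregation that `npm audit` and `pnpm audit` skip, as an added example (not the scanner used in this post): walk each workspace's `package.json`, deduplicate external dependencies across workspaces, and apply the single-publisher / >10M-weekly-downloads rule. The `package.json` contents and the registry metadata are constructed inline so it runs offline; a real scanner would read the files and query the npm registry for publisher and download figures.

```javascript
// Constructed sample: the dependency sections of each workspace's package.json.
// "workspace:*" entries point at internal packages and are not npm downloads.
const WORKSPACES = {
  "apps/web":        { dependencies: { react: "^18.3.1", axios: "^1.7.0", clsx: "^2.1.0", "@acme/ui": "workspace:*" } },
  "apps/api":        { dependencies: { express: "^4.19.2", zod: "^3.23.0", lodash: "^4.17.21", "@acme/shared": "workspace:*" } },
  "packages/ui":     { dependencies: { react: "^18.3.1", clsx: "^2.1.0" }, devDependencies: { typescript: "^5.4.0" } },
  "packages/shared": { dependencies: { zod: "^3.23.0" } },
};

// Constructed registry metadata (publisher count, weekly downloads). A real
// scanner would fetch these from the npm registry; typescript is deliberately
// missing to show how unknown packages are reported.
const REGISTRY = {
  clsx:    { publishers: 1, weeklyDownloads: 95_300_000 },
  lodash:  { publishers: 1, weeklyDownloads: 149_200_000 },
  zod:     { publishers: 1, weeklyDownloads: 164_400_000 },
  axios:   { publishers: 1, weeklyDownloads: 104_200_000 },
  react:   { publishers: 2, weeklyDownloads: 125_200_000 },
  express: { publishers: 5, weeklyDownloads: 96_200_000 },
};

// Collect every external dependency once, remembering which workspaces use it.
function collectExternalDeps(workspaces) {
  const deps = new Map();
  for (const [ws, pkg] of Object.entries(workspaces)) {
    for (const section of ["dependencies", "devDependencies"]) {
      for (const [name, range] of Object.entries(pkg[section] ?? {})) {
        if (range.startsWith("workspace:")) continue; // internal, skip
        if (!deps.has(name)) deps.set(name, new Set());
        deps.get(name).add(ws);
      }
    }
  }
  return deps;
}

// The heuristic from the post: a single publisher controlling >10M weekly
// downloads is a single point of compromise, whether or not a CVE exists.
function riskLevel(meta, downloadThreshold = 10_000_000) {
  return meta.publishers === 1 && meta.weeklyDownloads > downloadThreshold ? "CRITICAL" : "HEALTHY";
}

// Produce one row per unique external dependency, sorted by name.
function scanMonorepo(workspaces, registry) {
  const report = [];
  for (const [name, users] of collectExternalDeps(workspaces)) {
    const meta = registry[name];
    report.push({ name, workspaces: [...users].sort(), risk: meta ? riskLevel(meta) : "UNKNOWN" });
  }
  return report.sort((a, b) => a.name.localeCompare(b.name));
}
```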