benoau 4 hours ago
I use calendar alerts to run `npm audit`, but the older the code is the less likely you are to have to worry. You can update dependencies on a similar schedule, but you need a solid test suite to make sure nothing broke. When a vulnerable package turns up there are only a few options: best case scenario you can ignore it if it isn't relevant to your usage, otherwise I prefer whichever is the smallest action of updating, removing, or mitigating it in place.
madospace 3 hours ago
Neat idea to add a scheduled audit! Going to steal it.