Check who depends on the security vulnerability package.
npm install whodeps -g
Cd you project directory, you project must have package.json, package-lock.json.
whodeps pkgname
Show all depends of pkgname's root dependencies.
whodeps pkgname <max version>
Give the max version. will only show the less than the version's root dependencies.
whodeps kind-of 6.0.0
