We're currently using nsp - it checks advisories on nodesecurity.io against our _direct_ dependencies & devDependencies.
For my private projects I use both nsp and bithound. Bithound apparently uses snyk, which checks both direct _and_ indirect dependencies.
Both nsp and snyk use central repos of vulnerabilities - and both are backed by a business with a vested interest to keep these up to date (^lLift and Snyk respectively).
Don't get the hassle about upgrading to latest versions though. It's super easy to automate (ncu --upgrade && npm i && npm test).
Also: graphviz is good at graphs, but not every visual representation is a graph (e.g. sequence diagrams, railroad diagrams, gantt charts).