You should check the versions of all the technologies used in the development of the web application concerned, whether front-end/client-side or server-side. This can be achieved by spidering/crawling the web application. Once you have the details of all the web technologies and their versions in use, you can check for published CVE IDs for the version of each technology in question. All outdated and vulnerable web components should then be communicated to the developer, asking them to use the latest libraries.
The famous Equifax data breach in 2013, which affected 130 million consumers, was a result of using an outdated, vulnerable version of the Apache Struts framework. However, a patch was in place by the time the attackers exploited it. This further illustrates the significance of using the updated/latest version of a framework/library/web technology.
P.S. This is the approach that I use to identify Using Components with Known Vulnerabilities (A9 2013 & 2017).
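
The workflow described above, as an added example that is not part of the original post: it pulls component versions out of a crawl record and flags those below the first fixed version in an advisory table. The crawl record, the `ADVISORIES` table, its version numbers and the placeholder IDs are all constructed for illustration; a real check would query a CVE feed.

```python
import re

# Constructed sample of what a crawl of your own application might record.
CRAWL = {
    "headers": {"Server": "Apache/2.4.29 (Ubuntu)", "X-Powered-By": "PHP/7.2.1"},
    "body": '<script src="/static/jquery-3.3.1.min.js"></script>'
            '<script src="/static/bootstrap-4.6.2.min.js"></script>',
}

# Constructed advisory table (not real data): component -> (first fixed
# version, placeholder advisory ID). In practice this comes from a CVE feed.
ADVISORIES = {
    "apache": ("2.4.50", "CVE-PLACEHOLDER-0001"),
    "jquery": ("3.5.0", "CVE-PLACEHOLDER-0002"),
    "bootstrap": ("4.1.0", "CVE-PLACEHOLDER-0003"),
}

HEADER_RE = re.compile(r"([A-Za-z][\w.-]*)/(\d+(?:\.\d+)+)")
SCRIPT_RE = re.compile(
    r"""src=["'][^"']*/([a-z][a-z.]*?)-(\d+(?:\.\d+)+)(?:\.min)?\.js""", re.I)

def parse_version(version):
    """Numeric tuple so that 2.4.9 sorts below 2.4.29 (string compare would not)."""
    return tuple(int(part) for part in version.split("."))

def inventory(crawl):
    """Map component name -> version seen in banners and script file names."""
    found = {}
    for value in crawl["headers"].values():
        for name, version in HEADER_RE.findall(value):
            found[name.lower()] = version
    for name, version in SCRIPT_RE.findall(crawl["body"]):
        found[name.lower()] = version
    return found

def outdated(found, advisories):
    """Components whose observed version is below the first fixed version."""
    report = []
    for name, version in sorted(found.items()):
        if name in advisories:
            fixed, ref = advisories[name]
            if parse_version(version) < parse_version(fixed):
                report.append((name, version, fixed, ref))
    return report

if __name__ == "__main__":
    for name, version, fixed, ref in outdated(inventory(CRAWL), ADVISORIES):
        print(f"{name} {version} is below {fixed} ({ref}): report to the developer")
```

Distribution packages often backport fixes without changing the banner version, so a hit here is a lead to confirm with the developer, not a confirmed finding.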