NPM audit is largely useless[0]. Most people don’t care that the CSS minifier can cause an out-of-memory when fed a bad class name, because that step happens during the build process and not with untrusted code. There isn’t a way to isolate only issues that can be exploited in the production code.
2 comments
[ 3.1 ms ] story [ 21.1 ms ] threadDo you all look away when you see a bunch of warnings about minor vulnerabilities in your codebase?
[0]: https://overreacted.io/npm-audit-broken-by-design/