by gampleman 1814 days ago
We basically run it in CI... and then allow it to fail without failing the build. ¯\_(ツ)_/¯

It seems like a lot of this has been designed for Node (backend) development, whilst ignoring the fact that NPM is probably used more heavily for front-end development at this point.


Yep, some vulnerable package isn't even in the compile output. How is a dev server that only binds to 127.0.0.1 a serious DOS problem? Who on earth will want to DOS that?
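The middle ground the thread is circling, between failing the build on every advisory and letting `npm audit` fail silently, is a gate that blocks only on findings at or above a severity threshold and lets a reviewer allowlist the ones judged not to matter (the loopback-only dev server above). The script below is an added example, not from any commenter: it assumes the `npm audit --json` layout of npm 7+ (a top-level `vulnerabilities` object keyed by package name, with `severity`, `isDirect` and `fixAvailable` fields) and that `--omit=dev` excludes devDependencies on those versions; the packages and advisories in the sample are constructed.

```python
"""Gate a CI build on `npm audit` results: fail only on findings at or above a
severity threshold that are not on a reviewed allowlist."""
import json
import subprocess
import sys

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample in the shape of `npm audit --json` output on npm 7+
# (top-level "vulnerabilities" keyed by package name). Assumption: that is
# the field layout; the package names and advisories are invented.
SAMPLE_AUDIT = {
    "vulnerabilities": {
        "example-dev-server": {
            "name": "example-dev-server",
            "severity": "high",
            "isDirect": True,
            "via": [{"title": "Denial of service (constructed)",
                     "url": "https://example.invalid/advisory/1"}],
            "fixAvailable": True,
        },
        "example-runtime-lib": {
            "name": "example-runtime-lib",
            "severity": "critical",
            "isDirect": False,
            "via": ["example-other-lib"],  # transitive: reached via another package
            "fixAvailable": False,
        },
        "example-lint-plugin": {
            "name": "example-lint-plugin",
            "severity": "moderate",
            "isDirect": True,
            "via": [{"title": "Prototype pollution (constructed)",
                     "url": "https://example.invalid/advisory/2"}],
            "fixAvailable": True,
        },
    },
}


def triage(audit, threshold="high", allowlist=frozenset()):
    """Return the findings that should block the build, sorted worst-first.

    A finding blocks when its severity is at or above `threshold` and the
    package is not on `allowlist` (names a reviewer has accepted, e.g. a
    dev-only server that never binds beyond loopback in this project).
    """
    floor = SEVERITY_RANK[threshold]
    blocking = []
    for name, vuln in audit.get("vulnerabilities", {}).items():
        rank = SEVERITY_RANK.get(vuln.get("severity", "info"), 0)
        if rank < floor or name in allowlist:
            continue
        blocking.append({
            "name": name,
            "severity": vuln["severity"],
            "direct": bool(vuln.get("isDirect")),
            "fix_available": bool(vuln.get("fixAvailable")),
        })
    blocking.sort(key=lambda f: (-SEVERITY_RANK[f["severity"]], f["name"]))
    return blocking


def load_audit(argv):
    """Read audit JSON from a file path (CI artifact) or run npm directly."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            return json.load(fh)
    # Assumption: `--omit=dev` excludes devDependencies on npm 7+ (older npm
    # used `--production`). npm audit exits non-zero whenever it finds
    # anything, so the exit code is ignored and the JSON is the only input.
    proc = subprocess.run(["npm", "audit", "--json", "--omit=dev"],
                          capture_output=True, text=True, check=False)
    return json.loads(proc.stdout)


def main(argv):
    audit = load_audit(argv)
    allowlist = {"example-dev-server"}  # placeholder; keep this list under review
    blocking = triage(audit, threshold="high", allowlist=frozenset(allowlist))
    for f in blocking:
        kind = "direct" if f["direct"] else "transitive"
        fix = "fix available" if f["fix_available"] else "no fix yet"
        print(f"{f['severity']:>8}  {f['name']}  ({kind}, {fix})")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as the audit step with the exit code honoured; the allowlist is the place to record the "loopback-only dev server" judgement so that it is explicit and reviewable rather than hidden in a build that is allowed to fail.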