by richardwhiuk 1814 days ago
I think they are just saying that context matters in security vulnerabilities, and npm audit doesn't have that context.

Well yes, correct, well done. By this metric, every security tool ever written is probably pointless.

1 comments

Note that `npm audit` runs _during every install_ so people who use it don't necessarily consciously understand what's happening. Many of them are beginners and have never used a security tool before (or even want to use it).