by argomo 1814 days ago
Think of the article as customer feedback. The customer may not appreciate everything the product does for them, nor may they be using it in the fashion where it would be most effective.

So what? Your job (if this was your customer) would be to figure out how to make them happier. Maybe you are getting down-voted because (while you're correct on some fine points), you're broadly dismissing the concerns of the article. Case in point: those "low-quality dependencies" aren't something you can easily switch out for quality parts... they're deep dependencies of many of npm's flagship tools and frameworks.

Perhaps the problem is that users are entirely too entrenched in using black-box frameworks they don't fully understand, like create-react-app, and not that we have a tool that discloses when these frameworks contain vulnerable dependencies.

If we are in a situation where swapping out dependencies becomes so difficult that we just throw our hands up, is that really an issue with tooling?

EDIT:

BTW I'm not opposed to a PR that would allow for a .gitignore-style list to ignore warnings on specified deps. That could be useful. The issue I have would be respecting other people's "auditignore" list or whatever, because just because someone like @danabramov thinks including some package is not a threat, I may or may not agree with him.
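As an added example of the ".auditignore" idea floated above (this is not code from the thread, from npm, or from any PR), here is a small Node script that filters audit findings against a gitignore-style list and honours only the root project's own list, skipping any list that ships inside node_modules. The file format, the `.auditignore` name, the simplified advisory shape (loosely modelled on `npm audit --json`), and the package names in the sample data are all assumptions made for illustration.

```javascript
// Added example, not from the thread or from npm. The ".auditignore" format,
// the advisory shape and the sample package names below are assumptions.
'use strict';

// Parse a gitignore-style list: one package name per line, '#' starts a
// comment (full-line or trailing), blank lines are skipped, and a leading
// '!' re-includes a name that an earlier line ignored.
function parseAuditIgnore(text) {
  const ignored = new Set();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/\s+#.*$/, '').trim(); // drop trailing comments
    if (!line || line.startsWith('#')) continue;
    if (line.startsWith('!')) ignored.delete(line.slice(1).trim());
    else ignored.add(line);
  }
  return ignored;
}

// Only the root project's list is honoured. Lists found under node_modules
// (another maintainer's opinion of what is safe) are deliberately not read,
// which addresses the concern in the comment above.
// `files` maps a repo-relative path to that file's contents.
function loadIgnoreList(files) {
  const text = Object.prototype.hasOwnProperty.call(files, '.auditignore')
    ? files['.auditignore']
    : '';
  return parseAuditIgnore(text);
}

// Hide advisories whose module is in the ignore set; everything else is kept
// unchanged. Severity is never downgraded, an entry is either shown or hidden.
function filterAdvisories(advisories, ignored) {
  return advisories.filter((a) => !ignored.has(a.module_name));
}

// Constructed sample data (assumption): a flattened version of the
// `npm audit --json` v6 layout, one entry per advisory.
const SAMPLE_ADVISORIES = [
  { id: 1, module_name: 'pkg-a', severity: 'low',      path: 'some-cli>pkg-a' },
  { id: 2, module_name: 'pkg-b', severity: 'high',     path: 'some-bundler>pkg-b' },
  { id: 3, module_name: 'pkg-c', severity: 'moderate', path: 'pkg-c' },
];

// Constructed sample repo: the root list ignores pkg-a, lists then un-lists
// pkg-c, and a vendored list inside node_modules tries to silence pkg-b.
const SAMPLE_FILES = {
  '.auditignore': '# only findings I reviewed myself\npkg-a  # dev-only tool\npkg-c\n!pkg-c\n',
  'node_modules/some-cli/.auditignore': 'pkg-b\n',
};

// Run the filter and return what was ignored and what still needs attention.
function runAudit(files = SAMPLE_FILES, advisories = SAMPLE_ADVISORIES) {
  const ignored = loadIgnoreList(files);
  const remaining = filterAdvisories(advisories, ignored);
  return { ignoredNames: [...ignored], remaining };
}

const report = runAudit();
console.log('ignoring:', report.ignoredNames.join(', ') || '(nothing)');
for (const a of report.remaining) {
  console.log(`${a.severity}\t${a.module_name}\t${a.path}`);
}
```

With the sample data only pkg-a is silenced: pkg-c is re-included by the `!pkg-c` line, and pkg-b still shows up because the list under node_modules is never consulted.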