by sensanaty 335 days ago
The crazy thing is that `npm audit` doesn't even list `stylus` here, at least not in my repos. Despite them literally overtaking the damn package on the registry for a *security issue*.
1 comment

It gets even better: Dependabot will spam you severities of its own that don't appear in audit.

So you probably need to carefully audit the changes from two data sources and the security ticket ends up being 2+ merge requests.