Security warning deluge from ‘npm audit’ is driving developers to distraction

From www.theregister.com

Dan Abramov, a software engineer at Facebook, this week published a plea to silence a particularly vocal JavaScript security tool – and its creators more or less agreed there’s room for improvement.

“As of today, npm audit is a stain on the entire npm ecosystem,” Abramov declared in a blog post. “The best time to fix it was before rolling it out as a default. The next best time to fix it is now.”

According to Abramov, 99 per cent of the vulnerabilities flagged by the command are false alarms in common usage scenarios. And this appears to be a fairly widespread sentiment among npm users.
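The practical question behind that figure is which of the flagged advisories actually reach production code. The script below is an added example, not code from the Register piece or from Abramov's post: it cross-references an `npm audit --json` report with the project's `package-lock.json` and separates advisories whose only install paths sit under devDependencies from those reachable from production dependencies. The field names it relies on are assumed from npm 7+'s audit report format (`vulnerabilities[name].nodes`, `isDirect`) and lockfile version 2+ (`packages[path].dev`); both inputs here are constructed sample data with made-up package names.

```javascript
// Added example: triage `npm audit --json` output by whether each flagged
// package is installed on a production path or only under devDependencies.
// Assumed input shapes (npm 7+ audit report, lockfileVersion 2+):
//   report.vulnerabilities[name].nodes -> install paths like "node_modules/x"
//   lock.packages[path].dev            -> true when the path is dev-only
// Both objects below are constructed sample data, not real audit output.

const auditReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "sample-glob": {
      name: "sample-glob",
      severity: "high",
      isDirect: false,
      nodes: ["node_modules/sample-glob"],
      fixAvailable: true,
    },
    "sample-qs": {
      name: "sample-qs",
      severity: "moderate",
      isDirect: false,
      nodes: [
        "node_modules/sample-qs",
        "node_modules/sample-request/node_modules/sample-qs",
      ],
      fixAvailable: false,
    },
  },
};

const lockfile = {
  lockfileVersion: 2,
  packages: {
    "": { name: "example-app" },
    "node_modules/sample-glob": { version: "7.1.0", dev: true },
    "node_modules/sample-qs": { version: "6.5.2" },
    "node_modules/sample-request": { version: "2.88.0" },
    "node_modules/sample-request/node_modules/sample-qs": { version: "6.5.2" },
  },
};

// A path is dev-only when the lockfile explicitly marks it so. A path the
// lockfile does not know about is treated as production: unknown
// reachability should fail towards "look at it", not towards "ignore it".
function isDevOnlyPath(lock, installPath) {
  const entry = lock.packages[installPath];
  return entry !== undefined && entry.dev === true;
}

// Returns { production: [...], devOnly: [...] }; each item carries the
// advisory name, severity, whether it is a direct dependency, and the
// production install paths (empty for dev-only advisories).
function triageAudit(report, lock) {
  const result = { production: [], devOnly: [] };
  for (const vuln of Object.values(report.vulnerabilities)) {
    const prodPaths = vuln.nodes.filter((p) => !isDevOnlyPath(lock, p));
    const item = {
      name: vuln.name,
      severity: vuln.severity,
      direct: vuln.isDirect === true,
      fixAvailable: vuln.fixAvailable !== false,
      paths: prodPaths,
    };
    if (prodPaths.length > 0) result.production.push(item);
    else result.devOnly.push(item);
  }
  // Production advisories first, highest severity first, direct deps first.
  const rank = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };
  result.production.sort(
    (a, b) => (rank[b.severity] ?? 0) - (rank[a.severity] ?? 0) || b.direct - a.direct
  );
  return result;
}

// Plain-text summary suitable for a CI log line per advisory.
function summarize(triage) {
  const lines = [];
  for (const v of triage.production) {
    lines.push(`PROD  ${v.severity.padEnd(8)} ${v.name} (${v.paths.length} path(s))`);
  }
  for (const v of triage.devOnly) {
    lines.push(`DEV   ${v.severity.padEnd(8)} ${v.name} (devDependencies only)`);
  }
  return lines.join("\n");
}

console.log(summarize(triageAudit(auditReport, lockfile)));
```

To run this against a real project, replace the two embedded objects with `JSON.parse` of the output of `npm audit --json` and of `package-lock.json`. The dev-only bucket is a triage ordering, not a dismissal: a vulnerable build or test tool still runs on developer machines and in CI, where a compromise is a supply-chain problem in its own right, so the split tells you what to look at first, not what to ignore.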
