“As of today, npm audit is a stain on the entire npm ecosystem,” Abramov declared in a blog post. “The best time to fix it was before rolling it out as a default. The next best time to fix it is now.”
According to Abramov, 99 per cent of the vulnerabilities flagged by the command are false alarms in common usage scenarios. And this appears to be a fairly widespread sentiment among npm users.