He added that the best time to fix it would have been before it rolled out as the default mode. The next best time to fix it, he said, is now.
Abramov says that 99% of vulnerabilities flagged by the command are false alarms in common usage applications.
Many npm users have expressed the same sentiments. More than 10 years ago, Isaac Schlueter created the npm package manager and co-founded a company of the same name that later got absorbed into GitHub.
In April 2018, npm version 6 finally arrived with the audit command, because security in the npm ecosystem had to be taken seriously at that point.
Often, it brings up a deluge of vulnerability advisories that may not be easily fixable and therefore are not relevant.
The situation is unavoidable to some extent. However, Abramov says that npm audit produces security warnings in contexts where the risks are not a real concern, and the alert overload doesn't help. The original npm crew agrees with him on this.