npm has “npm audit” which throws out so many warnings on nonsense like ReDos “vulnerabilities” in dev packages that everyone has learned to ignore it. It does active harm to the security of the ecosystem.