This is strangely redolent...

... of the present England approach to coronavirus: the data looks bad so let's ignore it.

Frankly, if installation of an average npm package means trusting around 80 other packages there is something very wrong with the packaging structure and the alert overload is a clear warning of that. Given the amount of code you'd have to carefully analyse to claim that there is a 99+ per cent false positive rate, I'm not sure how credible that figure really is.

And this is not the only measure of the apparent fragility of this ecosystem.