Can we have some real engineering, please?
Dan Abramov's original blog post claimed that the default npm audit behavior, "... in many situations, leads to a 99%+ false positive rate..."
Hang on a second. Are we not supposed to be engineers? Since when was guessing good enough? I know it's a guess because no research/data was provided (only some examples), and if there was any research you can bet he would have published it.
This preference for guessing-instead-of-knowing (aka engineering) is the problem with the Node.js ecosystem in particular and programming in general! FFS, how many times has El Reg published a story where some well-intentioned engineer or admin took the guessing-over-knowing route and wound up in the news? No wonder hackers are having a field day - we're doing it wrong!
So, Mr. Abramov, howsabout a little more engineering and a little less guessing in general?