Elephant in the room?
Then there was another that had a SQL injection problem. Okay - but in our project we weren't even using a SQL database!
Then why are you including a library with SQL connectivity? Even if it isn't the library that you're using directly but one of the libraries that are being pulled in as a dependency, or a dependency of a dependency.
This really comes back to some of the issues that https://www.theregister.com/2016/03/23/npm_left_pad_chaos/ highlighted over 5 years ago.
"To some extent, the situation is unavoidable given the attack surface in the Node.js ecosystem, where the installation of an average npm package means trusting around 80 other packages due to transitive dependencies"
"producing numbers often larger than the number of modules in the tree"
Both of those quotes should (and in other communities would) ring alarm bells. The situation is not unavoidable; it's just something that node and npm have decided to live with because it's easier to complain than address the bigger issues.