Re: Elephant in the room?
Exactly that. The reason we ended up never running the audit was that it took forever to make sure that all the warnings were false positives.
And the reason for that was that most of the warnings were about packages that none of us had ever even heard of, but were pulled as transitive dependencies. That means that, in order to make sure it's a false positive, you need to review the package, figure out what it does and how it does it and how the library you're using is using it in turn, and so on and so forth.
I don't see how it's a sustainable model. Me, I'm just steering clear of JS development any time I can help it, and charging twice as much when I can't.