I haven't looked into it enough to see what's happening. Whenever I did look into it, the vulns were node server-side (because it's server side usually). Everyone has an opinion or bias on this, but really I think the alarm bell is just ringing more frequently. That's not exactly a bad thing, yeah it's a pain upgrading all the time, but is it really just bad development? I don't want to encourage "roll your own" and forks are difficult to maintain imo, I hate reworking other people's code, id rather build it from scratch.