I checken again a bigger open source JS project for vulnerable packages with npm audit and got:
41 vulnerabilities (1 low, 12 moderate, 26 high, 2 critical)
This vulnerabilities stayed for months or more than a year or two nearly unchanged yet. That’s a desaster for an open source project, developed currently only by professional and payed developers.
There are fixes available for all this vulnerabilities within updated JS packages, but nobody seemed to care on fixing that.