What I learnt today is that you can use npm audit resolver to defer fixing those vulnerabilities. For example, we recently had a vulnerability in a package that depends on a package that depends on a package, with probably a few more in between. All of them are open source libraries that we don't control, so every one of these libraries would have needed to update before we received the benefit of the vulnerability fix. As this vulnerability wasn't super critical for us, because the affected code didn't actually run in production, we were able to ignore it for a while. But how do you remember to check it again after some time?
That’s a feature that npm audit resolver can help with. You can temporarily ignore an issue and be reminded again after 24 hours. Of course you should only do that when you have a good reason why you can’t or don’t want to fix the vulnerability right now.
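To make the idea concrete, here is an added illustration of a time-boxed ignore list for `npm audit` findings; it is not npm audit resolver's own code or file format, the package names and the `decisions` layout are hypothetical, and the audit input is a constructed sample in the shape of `npm audit --json` (npm 7+):

```javascript
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample in the shape of `npm audit --json` (npm 7+): one finding
// reached only through a chain of transitive dependencies (hypothetical names).
const sampleAudit = {
  vulnerabilities: {
    "deep-dep": {
      name: "deep-dep",
      severity: "moderate",
      via: [{ title: "Example advisory in deep-dep", url: "https://example.invalid/advisory" }],
      effects: ["mid-dep"],
      fixAvailable: false,
      nodes: ["node_modules/top-dep/node_modules/mid-dep/node_modules/deep-dep"],
    },
  },
};

// Hypothetical decisions file: package -> an ignore decision with a deadline.
const decisions = {
  "deep-dep": {
    decision: "ignore",
    reason: "affected code path is never executed in production",
    madeAt: Date.parse("2024-01-10T09:00:00Z"),
    expiresAt: Date.parse("2024-01-10T09:00:00Z") + DAY_MS, // remind after 24 hours
  },
};

// Classify each finding at time `now`:
//   fixable  - a fix is available upstream, so an ignore no longer makes sense
//   ignored  - an ignore decision exists and its deadline has not passed
//   expired  - the deadline has passed: time to look at it again
//   new      - nobody has made a decision about it yet
function classify(audit, decisions, now) {
  const report = { fixable: [], ignored: [], expired: [], new: [] };
  for (const [name, vuln] of Object.entries(audit.vulnerabilities)) {
    const d = decisions[name];
    if (vuln.fixAvailable) report.fixable.push(name);
    else if (!d || d.decision !== "ignore") report.new.push(name);
    else if (now < d.expiresAt) report.ignored.push(name);
    else report.expired.push(name);
  }
  return report;
}

// Exit status for a CI step: fail on anything that is not currently ignored.
function exitCode(report) {
  return report.fixable.length + report.expired.length + report.new.length > 0 ? 1 : 0;
}

console.log(classify(sampleAudit, decisions, Date.parse("2024-01-10T20:00:00Z")));
console.log(classify(sampleAudit, decisions, Date.parse("2024-01-11T10:00:00Z")));
```

Run with a clock inside the 24-hour window the finding is silently ignored; run the next day it turns up again as expired and the step fails, which is the reminder the post describes.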