@c089
@dan_abramov And the package manager has no
way of telling how the code is actually used.

There I think we can have the developer "mute" specific vulnerabilities, like
you can do for linting.

If you look at the current warnings, a rough separation between dev and non-dev
will reduce noise.