I understand what a vulnerability is – in essence, a fault in security.
However, is npm simply reporting on all known vulnerabilities, or does it somehow automatically scan every package in its registry? I’m assuming it’s the former & not the latter.
Moreover, I am a beginner in npm, & it seems to me that the safest way to use these amazing libraries is by going with the ones which are insanely popular. Am I correct?
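As an added example (not part of the original question), here is a small model of the first of the two options: an audit-style check that compares the versions resolved in a `package-lock.json` against a list of known advisories and their vulnerable version ranges. That is what `npm audit` does in substance: it submits the names and versions in your dependency tree and gets back the advisories whose vulnerable ranges match; it does not analyse the source of every package in the registry. The lockfile contents, package names and advisory ids below are constructed for the example and are not real packages or advisories; the semver range parser handles only the comparator subset advisories commonly use.

```javascript
// Added example, not code from the original post or from npm itself:
// a minimal audit-style lookup of lockfile versions against known advisories.
// It never reads package source; it only matches (name, version) pairs.

// Parse "1.2.3" (optionally with a -pre/+build suffix) into [1, 2, 3].
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(v.trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Supported range syntax: comparators separated by spaces are ANDed
// (">=4.0.0 <4.17.21"); "||" separates alternatives ("<1.2.3 || >=2.0.0 <2.0.5").
function satisfies(version, range) {
  const v = parseVersion(version);
  if (!v) return false;
  return range.split('||').some((alt) =>
    alt.trim().split(/\s+/).every((comp) => {
      const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(comp);
      if (!m) throw new Error(`unsupported comparator: ${comp}`);
      const op = m[1] || '=';
      const c = compareVersions(v, parseVersion(m[2]));
      switch (op) {
        case '>=': return c >= 0;
        case '<=': return c <= 0;
        case '>': return c > 0;
        case '<': return c < 0;
        default: return c === 0;
      }
    })
  );
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json.
// Keys are install paths ("node_modules/a", "node_modules/a/node_modules/b");
// "" is the project root itself and is skipped.
function installedPackages(lockfile) {
  const out = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (path === '' || !meta.version) continue;
    const marker = 'node_modules/';
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    out.push({ name, version: meta.version, path });
  }
  return out;
}

// Report every installed package whose version falls inside an advisory's
// vulnerable range. Nested copies are checked independently, as npm does.
function audit(lockfile, advisories) {
  const findings = [];
  for (const pkg of installedPackages(lockfile)) {
    for (const adv of advisories) {
      if (adv.name === pkg.name && satisfies(pkg.version, adv.vulnerable)) {
        findings.push({ ...pkg, advisory: adv.id, severity: adv.severity, fixedIn: adv.fixedIn });
      }
    }
  }
  return findings;
}

// Constructed sample data: hypothetical package names and advisory ids.
const SAMPLE_LOCKFILE = {
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/left-pad-ish': { version: '1.1.3' },
    'node_modules/widget': { version: '2.0.4' },
    'node_modules/widget/node_modules/left-pad-ish': { version: '1.3.0' },
  },
};

const SAMPLE_ADVISORIES = [
  { id: 'EXAMPLE-0001', name: 'left-pad-ish', vulnerable: '<1.2.0', severity: 'high', fixedIn: '1.2.0' },
  { id: 'EXAMPLE-0002', name: 'widget', vulnerable: '>=2.0.0 <2.0.5', severity: 'moderate', fixedIn: '2.0.5' },
];

console.log(JSON.stringify(audit(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES), null, 2));
```

Run with `node`; the two top-level packages are reported and the nested, patched copy of `left-pad-ish` is not. The caveat this makes visible: an empty result means only that nothing in the lockfile matched a published advisory at the time of the check, not that the code is free of undisclosed flaws.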