
Nobody - and I mean absolutely nobody - using Node.js has fully audited all of the dependencies they use and if we find somewhere in a cave a person that did that they are definitely not going to do it all over again when something updates.




I can guarantee that any financial institution which has standard auditing requirements and is using Node.js has fully audited all of the dependencies they use.

Outside that, the issue is not unique to Node.js.


Sorry, but that had me laughing out loud.

No, they haven't.

I should know, I check those companies for a living. This is one of the most often flagged issues: unaudited Node.js dependencies. "Oh but we don't have the manpower to do that, think about how much code that is".


When I last looked (as a consulting dev in a bank or three, horrified) absolutely they had not!

If this was in the US, all financial institutions need to audit their code to comply with NIST SP 800-53.

If they haven’t, it would be ethically dubious for you to not report it.


In theory there is no difference between theory and practice, but in practice there is.

> If they haven’t, it would be ethically dubious for you to not report it.

I can report all I want, someone needs to act on that report for it to have an effect.

There are people out there who think that some static analysis tool plugged into their CI/CD pipeline is the equivalent of a code audit.


But the aforementioned NIST standard requires a lot more from auditing and operations.

I know what the standard requires. I also know what happens in practice and typically the auditors are understaffed, overworked and their technical expertise is lower than it should be. As a result a lot of stuff slips through the cracks.

What does get flagged though is not getting employee permission for putting photos on the 'team' page. It's good they flag that. I'd rather they also went in much deeper on tech issues.

I've reviewed 270 companies to date. I have yet to find a single one that had audited the source code they imported. It's not untypical to find an installation that automatically updates a whole raft of dependencies during the build phase. And absolutely nobody looks at that code until something breaks.
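As an added illustration of the build-phase auto-update problem the comment above describes (this is example code written for this page, not something posted by any commenter), the script below reads a package.json and a package-lock.json, flags every dependency spec that lets the installer choose a different version on the next build (caret/tilde ranges, `*`, dist-tags such as `latest`, git or URL sources), and checks which declared dependencies are not pinned by the lockfile at all. The manifest and lockfile contents are constructed samples, and `example-org/example-lib` is a placeholder name; the lockfile parsing assumes the npm v2/v3 layout with a top-level `packages` map keyed by `node_modules/<name>` paths.

```javascript
// Classify a dependency spec from package.json by how much freedom it gives the
// installer. Only an exact version is reproducible across builds; every other
// form may resolve to code nobody has looked at yet.
function classifySpec(spec) {
  const s = String(spec).trim();
  // Exact semver, e.g. "4.18.2" or "1.0.0-beta.1"
  if (/^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(s)) return "pinned";
  // Git, tarball URL, or local path sources: content is outside the registry
  if (/^(https?|git(\+\w+)?|github|file):/.test(s)) return "unpinned-source";
  // Anything else (ranges, "*", "latest", "npm:" aliases, "1.x") floats
  return "floating";
}

// Audit a manifest against its lockfile. Returns counts and findings so the
// result can be checked programmatically rather than only printed.
function auditManifest(packageJson, lockJson) {
  const declared = Object.assign(
    {},
    packageJson.dependencies || {},
    packageJson.devDependencies || {}
  );

  const findings = [];
  for (const [name, spec] of Object.entries(declared)) {
    const kind = classifySpec(spec);
    if (kind !== "pinned") findings.push({ name, spec, kind });
  }

  // Lockfile v2/v3: "packages" is keyed by install path; nested copies of a
  // package appear under longer paths, so strip everything before the last
  // "node_modules/" to recover the package name (scoped names keep their scope).
  const locked = new Set();
  let resolvedCount = 0;
  if (lockJson && lockJson.packages) {
    for (const path of Object.keys(lockJson.packages)) {
      if (path === "") continue; // root project entry
      const marker = "node_modules/";
      locked.add(path.slice(path.lastIndexOf(marker) + marker.length));
      resolvedCount++;
    }
  }

  // Declared dependencies absent from the lockfile are resolved fresh at build time.
  const unlocked = Object.keys(declared).filter((n) => !locked.has(n));

  return {
    hasLockfile: Boolean(lockJson),
    declaredCount: Object.keys(declared).length,
    resolvedCount,
    findings,
    unlocked,
  };
}

// Constructed sample manifest (versions and the example-org package are made up).
const SAMPLE_PACKAGE_JSON = {
  name: "example-app",
  dependencies: {
    express: "4.18.2",
    lodash: "^4.17.21",
    "left-pad": "*",
    "example-lib": "github:example-org/example-lib",
  },
  devDependencies: { jest: "latest" },
};

// Constructed sample lockfile (v3 layout); note that left-pad, example-lib and
// jest are declared but never locked.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/express": { version: "4.18.2" },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/express/node_modules/debug": { version: "2.6.9" },
    "node_modules/@types/node": { version: "20.0.0" },
  },
};

const result = auditManifest(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK);
console.log(`declared: ${result.declaredCount}, locked entries: ${result.resolvedCount}`);
for (const f of result.findings) {
  console.log(`non-reproducible spec: ${f.name}@${f.spec} (${f.kind})`);
}
console.log(`declared but not in lockfile: ${result.unlocked.join(", ")}`);
```

Run it with `node audit.js`; in a real project replace the two constants with `JSON.parse(fs.readFileSync(...))` of the actual files. The point of separating `findings` from `unlocked` is that a floating range is tolerable when a committed lockfile and `npm ci` pin what gets installed, whereas a declared package missing from the lockfile is resolved at build time no matter what the range says.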


In my experience, most devs and companies don't consider the dependencies they load 'their' code. They only look at the code they write, not everything they deploy.

These were all multinationals, with very significant US presence.


