False positives in Node.js image vulnerability scans? Separate app packages from npm built-ins first
When reviewing vulnerability scan results for a Node.js Docker image, package names alone are not enough to decide what to fix: the same package can appear both in your application's node_modules and inside the copy of npm that ships with the base image. First distinguish project dependencies from the packages bundled with npm inside the base image; otherwise you will fix the wrong thing (bumping package.json does nothing for a finding that lives under npm's own node_modules, and vice versa).
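The triage step described above, as an added example (not code from the original page): it classifies each finding by the path the scanner reports, so findings on the application's own dependencies are separated from findings on npm's bundled copies. The finding objects and their field names (`pkg`, `version`, `path`) are a constructed stand-in for real scanner output, the application root `/app/` is an assumption taken from a typical `WORKDIR`, and `/usr/local/lib/node_modules/npm/` is where the official node images install npm.

```javascript
// Added example: split Node.js image scan findings by where the package lives.

// Official node images install npm here; its bundled dependencies sit in
// nested node_modules directories beneath this prefix.
const NPM_BUNDLE_PREFIX = '/usr/local/lib/node_modules/npm/';

// Assumed application root inside the image (adjust to your Dockerfile WORKDIR).
const APP_ROOT = '/app/';

// Decide which tree a reported package path belongs to.
function classifyPath(pkgPath) {
  if (pkgPath.startsWith(NPM_BUNDLE_PREFIX)) return 'npm-bundled';
  if (pkgPath.startsWith(APP_ROOT) && pkgPath.includes('/node_modules/')) return 'app-dependency';
  return 'other';
}

// Constructed sample findings (placeholder ids and versions, not real scanner output).
// Note that semver and minimatch appear twice with the same name but different origins.
const SAMPLE_FINDINGS = [
  { id: 'VULN-PLACEHOLDER-1', pkg: 'semver', version: '7.0.0',
    path: '/app/node_modules/semver/package.json' },
  { id: 'VULN-PLACEHOLDER-1', pkg: 'semver', version: '7.0.0',
    path: '/usr/local/lib/node_modules/npm/node_modules/semver/package.json' },
  { id: 'VULN-PLACEHOLDER-2', pkg: 'minimatch', version: '3.0.0',
    path: '/app/node_modules/glob/node_modules/minimatch/package.json' },
  { id: 'VULN-PLACEHOLDER-2', pkg: 'minimatch', version: '3.0.0',
    path: '/usr/local/lib/node_modules/npm/node_modules/minimatch/package.json' },
  // Hypothetical globally installed tool, outside both trees.
  { id: 'VULN-PLACEHOLDER-3', pkg: 'example-cli-dep', version: '1.0.0',
    path: '/usr/local/lib/node_modules/example-cli/node_modules/example-cli-dep/package.json' },
];

// What actually fixes a finding depends on its origin.
const REMEDIATION = {
  'app-dependency': 'Update the dependency in package.json / the lockfile and rebuild.',
  'npm-bundled': 'Move to a newer base image tag (or upgrade npm in the Dockerfile); ' +
                 'package.json changes will not touch this copy.',
  other: 'Installed outside the app tree (e.g. a global tool); review that install step.',
};

// Group findings by origin.
function triage(findings) {
  const groups = { 'app-dependency': [], 'npm-bundled': [], other: [] };
  for (const f of findings) groups[classifyPath(f.path)].push(f);
  return groups;
}

// Package names reported in both trees: the ones most likely to be "fixed" in the wrong place.
function namesInBothOrigins(findings) {
  const groups = triage(findings);
  const appNames = new Set(groups['app-dependency'].map((f) => f.pkg));
  const bundled = new Set(groups['npm-bundled'].map((f) => f.pkg));
  return [...bundled].filter((n) => appNames.has(n)).sort();
}

// Human-readable summary, one line per finding plus the remediation for each group.
function report(findings) {
  const groups = triage(findings);
  const lines = [];
  for (const [origin, list] of Object.entries(groups)) {
    if (list.length === 0) continue;
    lines.push(`${origin} (${list.length}): ${REMEDIATION[origin]}`);
    for (const f of list) lines.push(`  ${f.id} ${f.pkg}@${f.version} ${f.path}`);
  }
  const dup = namesInBothOrigins(findings);
  if (dup.length) lines.push(`present in both app and npm trees: ${dup.join(', ')}`);
  return lines;
}

console.log(report(SAMPLE_FINDINGS).join('\n'));
```

In practice you would feed the scanner's JSON into `triage` instead of `SAMPLE_FINDINGS`; the key property to preserve is the per-package file path, since that is the only field that tells the two copies of `semver` apart.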