zkat / npx

execute npm package binaries (moved)

Home Page: https://github.com/npm/npx

Too many vulnerabilities

jmeyers91 opened this issue · comments

When I install npx or run npm install in a project with npx installed, NPM spits out this:

found 36 vulnerabilities (6 low, 22 moderate, 8 high)
  run `npm audit fix` to fix them, or `npm audit` for details

Every one of my project's "vulnerabilities" is coming from NPX. Why does NPX rely on so many dependencies with known vulnerabilities? I tend to avoid global dependencies, so I've been removing NPX from all my projects because our clients don't like seeing dozens of vulnerabilities. Should I only use NPX during development and install it globally or as a dev dependency? Should I just ignore NPM telling me I have 36 vulnerabilities?

We are looking at updating some of the dependencies.

Any movement on this, @fharper? I'm only seeing one vulnerability, specifically with yargs, which has had several releases since v11 as used in this. :)

@ewholmes: worst case, by the end of the week I'll merge a PR.

My modifications were merged; I'll also release a new version of npx.