However, not all JavaScript packages are created equal; Sonatype’s 2019 State of the Software Supply Report reported that 51% of JavaScript packages downloaded had a known vulnerability.