(1) Not true (for open source that is).
(2) Right, absolutely agreed. We have a grace period depending on severity for that reason github.com/blackflux/js-gardener/b...
My preference is to have a failure and know about the security problem if it's severe. This should not be a problem if everything else in your pipeline is handled appropriately.