Following Instructions in Documentation Results in Security Vulnerabilities 😞
Bug Report
Current Behavior
Greetings. Installing Node and Probot both for the first time here. Following the directions at the following location:
https://probot.github.io/docs/development/
Running the following command and filling out its prompts:
npx create-probot-app <dir>
npx: installed 229 in 14.44s
Let's create a Probot app!
Hit enter to accept the suggestion.
? App name: <name>
? Description of app: <description>
? Author's full name: <author>
? Author's email address: <email>
? GitHub user or org name: <organization>
? Repository name: <repository>
? Which template would you like to use? basic-ts
created file: <dir>\.env.example
created file: <dir>\app.yml
created file: <dir>\CODE_OF_CONDUCT.md
created file: <dir>\CONTRIBUTING.md
created file: <dir>\.gitignore
created file: <dir>\jest.config.js
created file: <dir>\LICENSE
created file: <dir>\package.json
created file: <dir>\README.md
created file: <dir>\tsconfig.json
created file: <dir>\src\index.ts
created file: <dir>\test\index.test.ts
created file: <dir>\test\fixtures\issues.opened.json
created file: <dir>\test\fixtures\mock-cert.pem
Finished scaffolding files!
Initialized a Git repository.
Installing dependencies. This may take a few minutes...
npm WARN deprecated @types/nock@11.1.0: This is a stub types definition. nock provides its own type definitions, so you do not need this installed.
npm WARN deprecated eslint-plugin-typescript@0.14.0: Deprecated: Use @typescript-eslint/eslint-plugin instead
npm WARN deprecated superagent@3.8.3: Please note that v5.0.1+ of superagent removes User-Agent header by default, therefore you may need to add it yourself (e.g. GitHub blocks requests without a User-Agent header). This notice will go away with v5.0.2+ once it is released.
npm WARN deprecated fsevents@1.2.9: One of your dependencies needs to upgrade to fsevents v2: 1) Proper nodejs v10+ support 2) No more fetching binaries from AWS, smaller package size
npm WARN deprecated left-pad@1.3.0: use String.prototype.padStart()
> dtrace-provider@0.8.8 install <dir>\node_modules\dtrace-provider
> node-gyp rebuild || node suppress-error.js
<dir>\node_modules\dtrace-provider>if not defined npm_config_node_gyp (node "C:\Program Files\nodejs\node_modules\npm\node_modules\npm-lifecycle\node-gyp-bin\\..\..\node_modules\node-gyp\bin\node-gyp.js" rebuild ) else (node "C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\bin\node-gyp.js" rebuild )
Building the projects in this solution one at a time. To enable parallel build, please add the "/m" switch.
> nodemon@1.19.4 postinstall <dir>\node_modules\nodemon
> node bin/postinstall || exit 0
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN acorn-jsx@5.1.0 requires a peer of acorn@^6.0.0 || ^7.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.9 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.9: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
added 893 packages from 639 contributors and audited 879969 packages in 31.001s
found 8 vulnerabilities (2 moderate, 6 high)
run `npm audit fix` to fix them, or `npm audit` for details
This seems to differ vastly from the output found within the documentation page.
In particular:
found 8 vulnerabilities (2 moderate, 6 high)
run `npm audit fix` to fix them, or `npm audit` for details
Running npm audit fix:
npm WARN acorn-jsx@5.1.0 requires a peer of acorn@^6.0.0 || ^7.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.9 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.9: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
added 1 package from 1 contributor and updated 1 package in 5.952s
fixed 4 of 8 vulnerabilities in 879969 scanned packages
4 vulnerabilities required manual review and could not be updated
So it would seem that simply creating a Probot project has now introduced 8 vulnerabilities into my development environment, 6 of which are considered high impact. After running the suggested guidance of npm audit fix there are now 4 remaining, of which all could be high impact, but this is unknown as it doesn’t really specify.
As a new user to both Node/NPM and Probot, I am now saddled with the stressful and disruptive responsibility of figuring out how to “manually review” these vulnerabilities – let alone submitting an issue on GitHub documenting my experience! – rather than diving directly into your nifty product and learning some cool magic as your documentation portends.
Hardly a pleasant first impression. 😞
Expected behavior/code
Creating a new Probot project that doesn’t result in installing vulnerabilities into my development environment would be a nice start. 😁
Environment
- Probot version(s): 9.6.6
- Node/npm version: 12.13.1/6.12.1
- OS: Windows 10 1909 64-bit
Top GitHub Comments
Probot uses hbs to render templates with Express. The built-in templates with Probot are used for registering your GitHub App while in the development environment - these templates are not affected by the vulnerabilities in hbs.
Probot apps may be susceptible to these vulnerabilities if they use Probot’s built-in Express router’s res.render() method.
Example of .render() method:
If your Probot app never uses the .render() method, your application is not affected. If your Probot app uses the .render() method in a manner similar to the above example, I’d recommend looking through the advisories at https://github.com/pillarjs/hbs/pull/186#issue-341396340 to see if your hbs templates could be affected. A quick search through GitHub doesn’t show any public Probot apps using the built-in .render() method.
Hope this helps.
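As an added example (not Probot's code and not from the commenter), a small triage helper that performs the check the comment describes on a local checkout: it flags .render( calls in the app's source and reports whether hbs is present in the package-lock tree, and only marks the app as potentially affected when both hold. The sample source and lock fragment below are constructed; the app.route() usage follows Probot's documented router API.

```javascript
// Added triage helper (not Probot's own code): does this app call the
// router's res.render(), and is hbs present in its dependency tree?

// Matches `<identifier>.render(` so handlers that name the response object
// something other than `res` are still caught; the receiver is reported for review.
const RENDER_CALL = /\b([A-Za-z_$][\w$]*)\.render\s*\(/g;

function findRenderCalls(source, fileName = '<source>') {
  const hits = [];
  source.split('\n').forEach((line, idx) => {
    RENDER_CALL.lastIndex = 0;
    let m;
    while ((m = RENDER_CALL.exec(line)) !== null) {
      hits.push({ file: fileName, line: idx + 1, receiver: m[1], text: line.trim() });
    }
  });
  return hits;
}

// package-lock.json v1 (npm 6, as in the report) nests resolved packages under
// "dependencies"; walk it recursively so non-hoisted copies are found too.
function lockfileHasPackage(lockNode, name) {
  const deps = (lockNode && lockNode.dependencies) || {};
  if (Object.prototype.hasOwnProperty.call(deps, name)) return true;
  return Object.values(deps).some((d) => lockfileHasPackage(d, name));
}

// Exposure per the comment: hbs on the tree AND a .render() call in the app's
// own routes. Either alone is reported but not flagged.
function assessApp(sources, lock) {
  const renderCalls = Object.entries(sources).flatMap(([f, s]) => findRenderCalls(s, f));
  const hasHbs = lockfileHasPackage(lock, 'hbs');
  return { renderCalls, hasHbs, potentiallyAffected: hasHbs && renderCalls.length > 0 };
}

// Constructed sample: a basic-ts style src/index.ts that adds an HTTP route via
// Probot's documented app.route() and renders a view from it (line 5).
const SAMPLE_SOURCES = {
  'src/index.ts': [
    "import { Application } from 'probot'",
    'export = (app: Application) => {',
    "  const router = app.route('/my-app')",
    "  router.get('/status', (req, res) => {",
    "    res.render('status', { title: 'demo' })",
    '  })',
    '}',
  ].join('\n'),
};
// Constructed package-lock.json v1 fragment; the hbs version is a placeholder.
const SAMPLE_LOCK = {
  dependencies: { probot: { version: '9.6.6', dependencies: { hbs: { version: 'x.y.z' } } } },
};
```

Run assessApp against the files of a real checkout (read src/*.ts and package-lock.json from disk) to get the same report; a hit only means the route needs manual review against the linked advisories.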
Issue-Label Bot is automatically applying the label bug 🐞 to this issue, with a confidence of 0.97. Please mark this comment with 👍 or 👎 to give our bot feedback!