False Positives Everywhere
As a web developer, I've learned to ignore vulnerability scan results, and that's a big problem.
Most of the results aren't relevant. Sometimes I find it easy to figure out what's safe to ignore from the findings. Other times I find myself scouring documentation, source code, and blog posts only to discover the "RCE" npm audit told me I had doesn't matter.