I'm currently using the OWASP dependency check tools in order to find vulnerabilities in my Angular application.
When reading blog posts about this, I noticed that people usually exclude the node_modules package, and I was wondering whether that is a correct way of doing the analysis.
On one hand, I understand that you cannot do anything if a deep dependency has an issue but is it correct to just ignore it?
On the other hand, it makes sense to only analyze your direct dependencies.
Is there some kind of rule of thumb about this?
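The following is an added example, not part of the original question and not code from OWASP dependency-check. It addresses the tension in the question directly: skipping the node_modules folder does not mean the deep dependencies are unknown, because package-lock.json already records every resolved package and the nearest-node_modules nesting that links them. The script walks a lockfile (lockfileVersion 2 layout with a `packages` map) from the root entry and classifies each resolved package as direct or transitive, keeping the dependency chain that pulled in each transitive one. `SAMPLE_LOCK` is a constructed, deliberately small lockfile; the function names `resolveKey`, `classifyDependencies` and `summarize` are this example's own.

```javascript
// Constructed sample package-lock.json (lockfileVersion 2 shape). An assumption for
// this example only; a real Angular lockfile is much larger but has the same layout.
// Note the nested tslib under rxjs: the same package name resolves to two versions.
const SAMPLE_LOCK = {
  name: "my-angular-app",
  lockfileVersion: 2,
  packages: {
    "": {
      dependencies: { "@angular/core": "15.2.0", rxjs: "7.8.0" },
      devDependencies: { typescript: "4.9.5" },
    },
    "node_modules/@angular/core": { version: "15.2.0", dependencies: { tslib: "^2.3.0" } },
    "node_modules/rxjs": { version: "7.8.0", dependencies: { tslib: "^2.1.0" } },
    "node_modules/rxjs/node_modules/tslib": { version: "2.1.0" },
    "node_modules/tslib": { version: "2.5.0" },
    "node_modules/typescript": { version: "4.9.5", dev: true },
  },
};

// Find the lockfile key a dependency name resolves to from a given package key,
// walking up the node_modules nesting the way Node's resolver does.
function resolveKey(packages, fromKey, name) {
  let base = fromKey;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null; // reached the root without finding it
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Breadth-first walk from the root entry. Returns a map keyed by lockfile key,
// e.g. "node_modules/tslib", with { name, version, direct, via } where `via`
// lists the dependency chains that pulled in a transitive package.
function classifyDependencies(lock) {
  const packages = lock.packages;
  const root = packages[""] || {};
  const directNames = Object.keys({ ...(root.dependencies || {}), ...(root.devDependencies || {}) });
  const result = {};
  const queue = [];

  for (const name of directNames) {
    const key = resolveKey(packages, "", name);
    if (!key) continue; // declared but not installed; nothing to classify
    result[key] = { name, version: packages[key].version, direct: true, via: [] };
    queue.push({ key, chain: [name] });
  }

  const visited = new Set();
  while (queue.length) {
    const { key, chain } = queue.shift();
    if (visited.has(key)) continue; // each resolved package is expanded once
    visited.add(key);
    for (const dep of Object.keys(packages[key].dependencies || {})) {
      const depKey = resolveKey(packages, key, dep);
      if (!depKey) continue;
      if (!result[depKey]) {
        result[depKey] = { name: dep, version: packages[depKey].version, direct: false, via: [] };
      }
      const nextChain = [...chain, dep];
      if (!result[depKey].direct) result[depKey].via.push(nextChain.join(" > "));
      queue.push({ key: depKey, chain: nextChain });
    }
  }
  return result;
}

// Count how many resolved packages are direct versus transitive.
function summarize(classified) {
  let direct = 0;
  let transitive = 0;
  for (const entry of Object.values(classified)) {
    if (entry.direct) direct += 1;
    else transitive += 1;
  }
  return { direct, transitive };
}

// Stand-alone run over the constructed lockfile.
const classified = classifyDependencies(SAMPLE_LOCK);
for (const [key, entry] of Object.entries(classified)) {
  const kind = entry.direct ? "direct" : `transitive via ${entry.via.join(", ")}`;
  console.log(`${key} ${entry.version} (${kind})`);
}
console.log(summarize(classified));
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. The point for the question: whether or not the scanner walks node_modules, the lockfile is enough to know which deep packages are present and which direct dependency brought each one in, which is exactly what you need when a finding lands on a transitive package and you have to decide whether to upgrade the direct dependency, pin an override, or accept the risk.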