Are the 22 vulnerabilities introduced by gulp 4.0.2 on a virgin node project accepted to be ok by everyone? #2640

Closed
JohnRCatlin opened this issue Oct 28, 2021 · 2 comments

@JohnRCatlin

mkdir gulp-101
cd gulp-101
npm init -y
npm i --save-dev gulp

... 22 high severity vulnerabilities.

cat package.json

{
  "name": "gulp-101",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC",
  "devDependencies": {
    "gulp": "^4.0.2"
  }
}

@JohnRCatlin
Author

npm audit

...

npm audit report

glob-parent <5.1.2
Severity: high
Regular expression denial of service - GHSA-ww39-953v-wcq6
fix available via npm audit fix --force
Will install gulp@3.9.1, which is a breaking change
node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of braces
Depends on vulnerable versions of glob-parent
Depends on vulnerable versions of readdirp
node_modules/chokidar
glob-watcher >=3.0.0
Depends on vulnerable versions of anymatch
Depends on vulnerable versions of chokidar
node_modules/glob-watcher
glob-stream >=5.3.0
Depends on vulnerable versions of glob-parent
node_modules/glob-stream
vinyl-fs >=2.4.2
Depends on vulnerable versions of glob-stream
node_modules/vinyl-fs
gulp >=4.0.0
Depends on vulnerable versions of vinyl-fs
node_modules/gulp

set-value <4.0.1
Severity: high
Prototype Pollution in set-value - GHSA-4jqc-8m5r-9rpr
fix available via npm audit fix
node_modules/set-value
cache-base >=0.7.0
Depends on vulnerable versions of set-value
Depends on vulnerable versions of union-value
node_modules/cache-base
base >=0.7.0
Depends on vulnerable versions of cache-base
node_modules/base
snapdragon 0.6.0 - 0.10.1
Depends on vulnerable versions of base
node_modules/snapdragon
braces 2.0.0 - 2.3.2
Depends on vulnerable versions of snapdragon
node_modules/braces
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of braces
Depends on vulnerable versions of glob-parent
Depends on vulnerable versions of readdirp
node_modules/chokidar
glob-watcher >=3.0.0
Depends on vulnerable versions of anymatch
Depends on vulnerable versions of chokidar
node_modules/glob-watcher
expand-brackets 1.0.0 - 2.1.4
Depends on vulnerable versions of snapdragon
node_modules/expand-brackets
extglob 1.0.0 - 2.0.4
Depends on vulnerable versions of snapdragon
node_modules/extglob
micromatch 3.0.0 - 3.1.10
Depends on vulnerable versions of snapdragon
node_modules/micromatch
anymatch 2.0.0
Depends on vulnerable versions of micromatch
node_modules/anymatch
findup-sync 2.0.0 - 3.0.0
Depends on vulnerable versions of micromatch
node_modules/findup-sync
node_modules/matchdep/node_modules/findup-sync
liftoff >=2.4.0
Depends on vulnerable versions of findup-sync
node_modules/liftoff
gulp-cli >=2.0.0
Depends on vulnerable versions of liftoff
Depends on vulnerable versions of matchdep
node_modules/gulp-cli
matchdep >=2.0.0
Depends on vulnerable versions of micromatch
node_modules/matchdep
readdirp 2.2.0 - 2.2.1
Depends on vulnerable versions of micromatch
node_modules/readdirp
nanomatch >=0.1.1
Depends on vulnerable versions of snapdragon
node_modules/nanomatch
union-value *
Depends on vulnerable versions of set-value
node_modules/union-value

22 high severity vulnerabilities
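The report above contains two root advisories (the glob-parent ReDoS and the set-value prototype pollution) and twenty entries that only inherit them through "Depends on vulnerable versions of ...". As an added example, not part of this issue or of the gulp project, the script below triages the machine-readable form of such a report (`npm audit --json`, auditReportVersion 2) by separating root advisories from inherited entries, walking each root's `effects` to show what it reaches, and labelling the offered fix as breaking or not; the embedded report is a constructed, abbreviated sample modelled on the output quoted in the issue, and the `entry` helper is mine.

```javascript
// Added example, not from the gulp issue or project: triage an `npm audit --json`
// report (auditReportVersion 2, npm 7+). SAMPLE_REPORT is a constructed sample
// modelled on the audit output in the issue; entry() builds one entry in npm's
// shape, where `via` holds advisory objects for a root finding and package-name
// strings for an inherited one.
const entry = (name, via, effects, extra = {}) => ({
  name, severity: "high", isDirect: false, via, effects, range: "*",
  fixAvailable: { name: "gulp", version: "3.9.1", isSemVerMajor: true }, ...extra,
});
const globParentAdvisory = { name: "glob-parent", severity: "high", range: "<5.1.2",
  title: "Regular expression denial of service",
  url: "https://github.com/advisories/GHSA-ww39-953v-wcq6" };
const setValueAdvisory = { name: "set-value", severity: "high", range: "<4.0.1",
  title: "Prototype Pollution in set-value",
  url: "https://github.com/advisories/GHSA-4jqc-8m5r-9rpr" };
const SAMPLE_REPORT = { auditReportVersion: 2, vulnerabilities: {
  "glob-parent": entry("glob-parent", [globParentAdvisory], ["chokidar", "glob-stream"], { range: "<5.1.2" }),
  chokidar: entry("chokidar", ["glob-parent"], ["glob-watcher"]),
  "glob-watcher": entry("glob-watcher", ["chokidar"], ["gulp"]),
  "glob-stream": entry("glob-stream", ["glob-parent"], ["vinyl-fs"]),
  "vinyl-fs": entry("vinyl-fs", ["glob-stream"], ["gulp"]),
  gulp: entry("gulp", ["vinyl-fs", "glob-watcher"], [], { isDirect: true }),
  "set-value": entry("set-value", [setValueAdvisory], ["union-value"], { range: "<4.0.1", fixAvailable: true }),
  "union-value": entry("union-value", ["set-value"], [], { fixAvailable: true }),
} };

// Walk `effects` (direct dependents) from a root: the "Depends on vulnerable versions of" entries.
function downstream(vulns, root) {
  const seen = new Set(), queue = [root];
  while (queue.length) for (const dep of (vulns[queue.shift()] || {}).effects || [])
    if (!seen.has(dep)) { seen.add(dep); queue.push(dep); }
  return [...seen].sort();
}

// Keep only entries with an advisory of their own; label the fix as npm does (semver-major = breaking).
function triage(report) {
  const vulns = report.vulnerabilities || {}, roots = [];
  for (const [name, v] of Object.entries(vulns)) {
    const advisories = (v.via || []).filter((x) => typeof x === "object");
    if (advisories.length === 0) continue; // inherited finding, not a root
    const fix = v.fixAvailable;
    const fixText = fix === false ? "none" : fix === true ? "non-breaking"
      : `${fix.isSemVerMajor ? "breaking" : "non-breaking"} (installs ${fix.name}@${fix.version})`;
    roots.push({ name, range: v.range, severity: v.severity, fix: fixText,
      ids: advisories.map((a) => a.url.split("/").pop()), reaches: downstream(vulns, name) });
  }
  return { total: Object.keys(vulns).length, roots };
}

console.log(JSON.stringify(triage(SAMPLE_REPORT), null, 2));
```

On real output, feed it `npm audit --json` in place of `SAMPLE_REPORT`; the `reaches` list for a root is exactly the set of packages the text report chains beneath it, which is why two advisories show up as 22 findings.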

@phated
Member

phated commented Oct 28, 2021

@phated phated closed this as completed Oct 28, 2021
@phated phated added the invalid label Oct 28, 2021
@gulpjs gulpjs locked and limited conversation to collaborators Oct 28, 2021