TL;DR what @jwilkins.oboe said, don’t lose sleep over the npm warnings. You will never learn a framework if you stop every time npm reports a “vulnerability”.
Knowing if a vulnerability is actually exploitable in a way that is dangerous to you or your users requires a lot of knowledge. Just because npm doesn’t report a vulnerability doesn’t mean there isn’t one, nor does it reporting one mean you have anything to worry about. If you read the overreacted blog post you should know it’s a lot more complicated than just some tool reporting a “vulnerability”.
In most cases, you have nothing to worry about. The long list of vulnerabilities you get on every package over its history of existence is mostly low to medium vulnerabilities that have little to no effect on your app. Some are impossible for you to fix because of interdependencies, i.e. a package is vulnerable because it is using another vulnerable package and you might not be able to update the “nested” dependencies without breaking the main package.
Most people that do not run some major site or app pretty much ignore the warnings and just let a GitHub dependencies bot handle it without even checking the vulnerabilities. Which means they won’t know if they (or their users) were in any real danger. But as said, most reported vulnerabilities are close to irrelevant.
There are a lot of developers’ eyes on the malicious code so it isn’t that easy to get away with. But considering how the npm ecosystem works it’s a bit of a miracle that it hasn’t been worse (that we know of anyway). There have been a few scary vulnerabilities but they usually get caught pretty fast and are given more attention than just some npm warning.
In the end, you may never know. High-value targets usually do not even report breaches if they can avoid it, as it’s bad for business.