These are vulnerabilities discovered and reported for dependencies your application is using. Generally, you will want to fix these by updating packages to the latest versions containing fixes for the vulnerabilities.

There is a command, npm audit fix, which can update the affected dependencies for you in most cases (It took me personally from 10.000+ to roughly 10 reports). This however by default will only use non-breaking version jumps (so by semantic versioning it will not jump a major version for example).

You can use npm audit fix --force to fix the remaining vulnerabilities (including semver-incompatible ones) if there are package updates, however you will need to look for breaking changes in the updated packages that may conflict with your program logic.

I highly recommend you look at the NPM Docs article below, it explains the whole process very well.

Also see:

• Auditing package dependencies for security vulnerabilities
• What does "npm audit fix" exactly do?