But by that argument, if you try to write all of the code doing the functions just by yourself and not bring in any dependencies, and that code is now five years old and you haven't touched it for five years, you might have some security vulnerabilities too.
It's not like you are always writing better code than the open source projects are. Unless you are one of the best developers in the world, then sure, then that might work, but for the rest of us, we are probably not guaranteed to ever write code that is 100% bug free for five years.
Doesn't matter if you count them from the second the code is written or when they are discovered. The same issue is in code written by someone else or yourself.
The point is that freshly updated code has the same chance of being buggy.
You want me to believe that in the npm "ecosystem" they have LTS branches that only get security updates? For anything besides maybe a few large libraries with companies behind them?