That's fair. Also, security is not a boolean. Umbrella is disclosing known weaknesses. Seems responsible to me, especially when dealing with money.
I would not call these node packages holes but rather attack surface.